From af73790306711ddc489a8fdb5be8419eecaa3970 Mon Sep 17 00:00:00 2001 From: Christopher Willis-Ford Date: Mon, 9 Mar 2020 15:45:07 -0700 Subject: [PATCH] macOS: request camera and microphone access Note `audio-input` and `camera` were already in `entitlements.plist` Supporting changes: - Add `allow-jit` entitlement since documentation says it's needed. - Only use sandbox for MAS build, not for non-MAS macOS build. NOTE: both still use the hardened runtime, as required on Catalina. - Remove `entitlements.inherit.plist` since it matches default settings. - Add to `electron-builder.yaml` English descriptions for why the app requests access to the microphone and camera. I'm not yet sure if there's a way to localize these. - Minor tweaks in `electron-builder.yaml`. --- README.md | 14 ++++++++++++ buildResources/entitlements.inherit.plist | 12 ---------- ...itlements.plist => entitlements.mac.plist} | 2 +- buildResources/entitlements.mas.plist | 22 +++++++++++++++++++ electron-builder.yaml | 12 +++++++--- src/main/index.js | 6 ++++- 6 files changed, 51 insertions(+), 17 deletions(-) delete mode 100644 buildResources/entitlements.inherit.plist rename buildResources/{entitlements.plist => entitlements.mac.plist} (92%) create mode 100644 buildResources/entitlements.mas.plist diff --git a/README.md b/README.md index b678d97..7abefa5 100644 --- a/README.md +++ b/README.md @@ -79,6 +79,20 @@ To generate a signed NSIS installer: 4. Build the NSIS installer only: building the APPX installer will fail if these environment variables are set. - `npm run dist -- -w nsis` +#### Workaround for code signing issue in macOS + +Sometimes the macOS build process will result in a build which crashes on startup. If this happens, check in `Console` +for an entry similar to this: + +```text +failed to parse entitlements for Scratch Desktop[12345]: OSUnserializeXML: syntax error near line 1 +``` + +This appears to be an issue with `codesign` itself. Rebooting your computer and trying to build again might help. Yes, +really. + +See this issue for more detail: + ### Make a semi-packaged build This will simulate a packaged build without actually packaging it: instead the files will be copied to a subdirectory diff --git a/buildResources/entitlements.inherit.plist b/buildResources/entitlements.inherit.plist deleted file mode 100644 index a7a925c..0000000 --- a/buildResources/entitlements.inherit.plist +++ /dev/null @@ -1,12 +0,0 @@ - - - - -com.apple.security.app-sandbox - -com.apple.security.cs.allow-unsigned-executable-memory - -com.apple.security.inherit - - - diff --git a/buildResources/entitlements.plist b/buildResources/entitlements.mac.plist similarity index 92% rename from buildResources/entitlements.plist rename to buildResources/entitlements.mac.plist index 44d4e94..2e144be 100644 --- a/buildResources/entitlements.plist +++ b/buildResources/entitlements.mac.plist @@ -2,7 +2,7 @@ -com.apple.security.app-sandbox +com.apple.security.cs.allow-jit com.apple.security.cs.allow-unsigned-executable-memory diff --git a/buildResources/entitlements.mas.plist b/buildResources/entitlements.mas.plist new file mode 100644 index 0000000..0d80102 --- /dev/null +++ b/buildResources/entitlements.mas.plist @@ -0,0 +1,22 @@ + + + + +com.apple.security.app-sandbox + +com.apple.security.cs.allow-jit + +com.apple.security.cs.allow-unsigned-executable-memory + +com.apple.security.device.audio-input + +com.apple.security.device.camera + +com.apple.security.files.user-selected.read-only + +com.apple.security.files.user-selected.read-write + +com.apple.security.network.client + + + diff --git a/electron-builder.yaml b/electron-builder.yaml index 8ff6017..0bfb5ea 100644 --- a/electron-builder.yaml +++ b/electron-builder.yaml @@ -6,17 +6,23 @@ productName: "Scratch Desktop" afterSign: "scripts/afterSign.js" mac: category: public.app-category.education + entitlements: buildResources/entitlements.mac.plist + extendInfo: + NSCameraUsageDescription: >- + This app requires camera access when taking a photo in the paint editor or using the video sensing blocks. + NSMicrophoneUsageDescription: >- + This app requires microphone access when recording sounds or detecting loudness. + gatekeeperAssess: true hardenedRuntime: true icon: buildResources/ScratchDesktop.icns provisioningProfile: embedded.provisionprofile target: - dmg - mas -mas: type: distribution +mas: category: public.app-category.education - entitlements: buildResources/entitlements.plist - entitlementsInherit: buildResources/entitlements.inherit.plist + entitlements: buildResources/entitlements.mas.plist icon: buildResources/ScratchDesktop.icns win: icon: buildResources/ScratchDesktop.ico diff --git a/src/main/index.js b/src/main/index.js index e7bac4a..a3a9424 100644 --- a/src/main/index.js +++ b/src/main/index.js @@ -1,4 +1,4 @@ -import {BrowserWindow, Menu, app, dialog, ipcMain} from 'electron'; +import {BrowserWindow, Menu, app, dialog, ipcMain, systemPreferences} from 'electron'; import fs from 'fs'; import path from 'path'; import {format as formatUrl} from 'url'; @@ -140,6 +140,10 @@ const createMainWindow = () => { if (process.platform === 'darwin') { const osxMenu = Menu.buildFromTemplate(MacOSMenu(app)); Menu.setApplicationMenu(osxMenu); + (async () => { + await systemPreferences.askForMediaAccess('microphone'); + await systemPreferences.askForMediaAccess('camera'); + })(); } else { // disable menu for other platforms Menu.setApplicationMenu(null);