New entitlements: (#3118)

Conrad Irwin created

Release Notes:

- Support Universal Links for Channel links
- Share credentials between Stable and Preview

Change summary

crates/zed/contents/dev/embedded.provisionprofile                           |  0 
crates/zed/contents/preview/embedded.provisionprofile                       |  0 
crates/zed/contents/stable/Zed_Stable_Provisioning_Profile.provisionprofile |  0 
crates/zed/resources/zed.entitlements                                       | 12 
script/bundle                                                               | 30 
5 files changed, 29 insertions(+), 13 deletions(-)

Detailed changes

crates/zed/resources/zed.entitlements 🔗

@@ -2,6 +2,8 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+	<key>com.apple.developer.associated-domains</key>
+	<array><string>applinks:zed.dev</string></array>
 	<key>com.apple.security.automation.apple-events</key>
 	<true/>
 	<key>com.apple.security.cs.allow-jit</key>
@@ -10,14 +12,8 @@
 	<true/>
 	<key>com.apple.security.device.camera</key>
 	<true/>
-	<key>com.apple.security.personal-information.addressbook</key>
-	<true/>
-	<key>com.apple.security.personal-information.calendars</key>
-	<true/>
-	<key>com.apple.security.personal-information.location</key>
-	<true/>
-	<key>com.apple.security.personal-information.photos-library</key>
-	<true/>
+	<key>com.apple.security.keychain-access-groups</key>
+	<array><string>MQ55VZLNZQ.dev.zed.Shared</string></array>
 	<!-- <key>com.apple.security.cs.disable-library-validation</key>
 	<true/> -->
 </dict>
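Review bot: The new `com.apple.security.keychain-access-groups` entry in the second hunk gives no hint why `MQ55VZLNZQ.dev.zed.Shared` exists, even though the neighbouring disabled entry carries a comment. Since the release notes say this is what lets Stable and Preview share credentials, a one-line plist comment above the key — `<!-- Shared keychain group: Stable and Preview read the same stored credentials; any build signed by this team that declares the group can access them -->` — would record both the intent and the trust boundary for whoever adds the next channel (the `dev` profile added in this commit presumably needs the same team prefix to join). A similar short comment on `applinks:zed.dev` in the first hunk, noting that the domain must publish the matching site-association file if that is how the link handling is wired, would save a debugging round trip.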

script/bundle 🔗

@@ -134,6 +134,8 @@ else
     cp -R target/${target_dir}/WebRTC.framework "${app_path}/Contents/Frameworks/"
 fi
 
+cp crates/zed/contents/$channel/embedded.provisionprofile "${app_path}/Contents/"
+
 if [[ -n $MACOS_CERTIFICATE && -n $MACOS_CERTIFICATE_PASSWORD && -n $APPLE_NOTARIZATION_USERNAME && -n $APPLE_NOTARIZATION_PASSWORD ]]; then
     echo "Signing bundle with Apple-issued certificate"
     security create-keychain -p "$MACOS_CERTIFICATE_PASSWORD" zed.keychain || echo ""
@@ -143,14 +145,32 @@ if [[ -n $MACOS_CERTIFICATE && -n $MACOS_CERTIFICATE_PASSWORD && -n $APPLE_NOTAR
     security import /tmp/zed-certificate.p12 -k zed.keychain -P "$MACOS_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
     rm /tmp/zed-certificate.p12
     security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CERTIFICATE_PASSWORD" zed.keychain
-    /usr/bin/codesign --force --deep --timestamp --options runtime --entitlements crates/zed/resources/zed.entitlements --sign "Zed Industries, Inc." "${app_path}" -v
+
+    # sequence of codesign commands modeled after this example: https://developer.apple.com/forums/thread/701514
+    /usr/bin/codesign --force --timestamp --sign "Zed Industries, Inc." "${app_path}/Contents/Frameworks/WebRTC.framework" -v
+    /usr/bin/codesign --force --timestamp --options runtime --sign "Zed Industries, Inc." "${app_path}/Contents/MacOS/cli" -v
+    /usr/bin/codesign --force --timestamp --options runtime --entitlements crates/zed/resources/zed.entitlements --sign "Zed Industries, Inc." "${app_path}" -v
+
     security default-keychain -s login.keychain
 else
     echo "One or more of the following variables are missing: MACOS_CERTIFICATE, MACOS_CERTIFICATE_PASSWORD, APPLE_NOTARIZATION_USERNAME, APPLE_NOTARIZATION_PASSWORD"
-    echo "Performing an ad-hoc signature, but this bundle should not be distributed"
-    echo "If you see 'The application cannot be opened for an unexpected reason,' you likely don't have the necessary entitlements to run the application in your signing keychain"
-    echo "You will need to download a new signing key from developer.apple.com, add it to keychain, and export MACOS_SIGNING_KEY=<email address of signing key>"
-    codesign --force --deep --entitlements crates/zed/resources/zed.entitlements --sign ${MACOS_SIGNING_KEY:- -} "${app_path}" -v
+    if [[ "$local_only" = false ]]; then
+        echo "To create a self-signed local build use ./scripts/build.sh -ldf"
+        exit 1
+    fi
+
+    echo "====== WARNING ======"
+    echo "This bundle is being signed without all entitlements, some features (e.g. universal links) will not work"
+    echo "====== WARNING ======"
+
+    # NOTE: if you need to test universal links you have a few paths forward:
+    # - create a PR and tag it with the `run-build-dmg` label, and download the .dmg file from there.
+    # - get a signing key for the MQ55VZLNZQ team from Nathan.
+    # - create your own signing key, and update references to MQ55VZLNZQ to your own team ID
+    # then comment out this line.
+    cat crates/zed/resources/zed.entitlements | sed '/com.apple.developer.associated-domains/,+1d' > "${app_path}/Contents/Resources/zed.entitlements"
+
+    codesign --force --deep --entitlements "${app_path}/Contents/Resources/zed.entitlements" --sign ${MACOS_SIGNING_KEY:- -} "${app_path}" -v
 fi
 
 if [[ "$target_dir" = "debug" && "$local_only" = false ]]; then
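Review bot: The new `cp crates/zed/contents/$channel/embedded.provisionprofile …` line expands `$channel` unquoted and unchecked, and the diffstat in this commit adds the stable profile as `Zed_Stable_Provisioning_Profile.provisionprofile` rather than `embedded.provisionprofile`, so a stable-channel run appears to fail at this copy (or, if the script is not under `set -e`, to continue and sign a bundle with no profile) unless the stable directory already holds a file by that name outside this view. Suggest `: "${channel:?channel must be set}"` followed by `cp -- "crates/zed/contents/${channel}/embedded.provisionprofile" "${app_path}/Contents/"`, and either renaming the stable profile to match or selecting the filename per channel. In the local-only branch, `cat … | sed … > …` can be `sed '/com\.apple\.developer\.associated-domains/,+1d' crates/zed/resources/zed.entitlements > …` (the unescaped dots currently match more than the literal key), and `--sign ${MACOS_SIGNING_KEY:- -}` on the final codesign line is still unquoted. `$channel` and `$local_only` are set outside this hunk.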