authorMicah Lee <micah@micahflee.com>2020-11-06 08:54:53 -0800
committerMicah Lee <micah@micahflee.com>2020-11-06 08:54:53 -0800
commit1b23f82474d782911fecb04bb5ef6925842deacd (patch)
treedd88266af8d87d21e6c2e4426737b54917955b95 /desktop/package
parent654611f1e4e44ddf1370882c15123e36adb1a450 (diff)
Start writing a proper macOS build script
Diffstat (limited to 'desktop/package')
-rw-r--r--desktop/package/macos/ChildEntitlements.plist10
-rw-r--r--desktop/package/macos/Entitlements.plist43
-rwxr-xr-xdesktop/package/macos/build.py91
3 files changed, 144 insertions, 0 deletions
diff --git a/desktop/package/macos/ChildEntitlements.plist b/desktop/package/macos/ChildEntitlements.plist
new file mode 100644
index 00000000..06d88f66
--- /dev/null
+++ b/desktop/package/macos/ChildEntitlements.plist
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.app-sandbox</key>
+ <true/>
+ <key>com.apple.security.inherit</key>
+ <true/>
+</dict>
+</plist>
diff --git a/desktop/package/macos/Entitlements.plist b/desktop/package/macos/Entitlements.plist
new file mode 100644
index 00000000..8b9ac949
--- /dev/null
+++ b/desktop/package/macos/Entitlements.plist
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <!-- Enable app sandbox -->
+ <key>com.apple.security.app-sandbox</key>
+ <true/>
+
+ <!-- Required for running PyInstaller python code with hardened runtime -->
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+ <true/>
+
+ <!-- Both OnionShare and Tor need network server and client -->
+ <key>com.apple.security.network.server</key>
+ <true/>
+ <key>com.apple.security.network.client</key>
+ <true/>
+
+ <!-- In share mode, users need to be able to select files, and in receive mode,
+ users need to be able to choose a folder to save files to -->
+ <key>com.apple.security.files.user-selected.read-write</key>
+ <true/>
+
+ <!-- Flask needs to read this mime.types file when starting an HTTP server -->
+ <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
+ <array>
+ <string>/private/etc/apache2/mime.types</string>
+ </array>
+
+ <!-- For OnionShare to be able to connect to Tor Browser's tor control port,
+ it needs to read it's control_auth_cookie file -->
+ <key>com.apple.security.temporary-exception.files.home-relative-path.read-only</key>
+ <array>
+ <string>/Library/Application Support/TorBrowser-Data/Tor/control_auth_cookie</string>
+ </array>
+
+ <!-- In receive mode, OnionShare needs to be able to write to ~/OnionShare -->
+ <key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
+ <array>
+ <string>/OnionShare/</string>
+ </array>
+</dict>
+</plist>
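Review bot: The comment above `com.apple.security.cs.allow-unsigned-executable-memory` justifies the entitlement by PyInstaller, but the build script added in this same commit creates the bundle with `briefcase create`, so that reason looks stale. Because this key relaxes one of the hardened runtime's memory protections, confirm it is still needed for the briefcase-built app and either drop it or reword the comment to name the actual requirement. The three `temporary-exception` entries each widen the sandbox beyond user-selected files; a short comment such as `<!-- Temporary exception: revisit if a sandbox-friendly alternative becomes available -->` would keep them visible for later review. Minor wording: "it's control_auth_cookie file" should read "its control_auth_cookie file".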
diff --git a/desktop/package/macos/build.py b/desktop/package/macos/build.py
new file mode 100755
index 00000000..163f7752
--- /dev/null
+++ b/desktop/package/macos/build.py
@@ -0,0 +1,91 @@
+#!/usr/bin/env python3
+import os
+import inspect
+import subprocess
+import argparse
+import shutil
+import glob
+
+root = os.path.dirname(
+ os.path.dirname(
+ os.path.dirname(os.path.abspath(inspect.getfile(inspect.currentframe())))
+ )
+)
+
+
+def run(cmd, cwd=None):
+ subprocess.run(cmd, cwd=cwd, check=True)
+
+
+def main():
+ # Parse arguments
+ parser = argparse.ArgumentParser()
+ parser.add_argument(
+ "--with-codesign",
+ action="store_true",
+ dest="with_codesign",
+ help="Codesign the app bundle",
+ )
+ args = parser.parse_args()
+
+ cli_dir = os.path.join(root, "cli")
+ desktop_dir = os.path.join(root, "desktop")
+
+ print("○ Building onionshare-cli")
+ run(["poetry", "install"], cli_dir)
+ run(["poetry", "build"], cli_dir)
+ whl_filename = glob.glob(f"{cli_dir}/dist/*.whl")[0]
+ whl_basename = os.path.basename(whl_filename)
+ shutil.copyfile(whl_filename, os.path.join(desktop_dir, whl_basename))
+
+ print("○ Clean up from last build")
+ if os.path.exists(os.path.join(desktop_dir, "macOS")):
+ shutil.rmtree(os.path.join(desktop_dir, "macOS"))
+
+ print("○ Create app bundle")
+ run(["briefcase", "create"], desktop_dir)
+ app_path = os.path.join(desktop_dir, "macOS", "OnionShare", "OnionShare.app")
+ print(f"○ Unsigned app bundle: {app_path}")
+
+ if args.with_codesign:
+ identity_name_application = "Developer ID Application: Micah Lee (N9B95FDWH4)"
+ entitlements_child_filename = os.path.join(
+ desktop_dir, "package", "macos", "ChildEntitlements.plist"
+ )
+ entitlements_filename = os.path.join(
+ desktop_dir, "package", "macos", "Entitlements.plist"
+ )
+
+ print("○ Code signing app bundle")
+ run(
+ [
+ "codesign",
+ "--deep",
+ "-s",
+ identity_name_application,
+ "--force",
+ "--entitlements",
+ entitlements_child_filename,
+ "--timestamp",
+ app_path,
+ ]
+ )
+ run(
+ [
+ "codesign",
+ "-s",
+ identity_name_application,
+ "--force",
+ "--entitlements",
+ entitlements_filename,
+ "--timestamp",
+ app_path,
+ ]
+ )
+ print(f"○ Signed app bundle: {app_path}")
+
+ print("○ TODO: Make a DMG package")
+
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
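Review bot: `glob.glob(f"{cli_dir}/dist/*.whl")[0]` takes whichever wheel the glob happens to list first, and nothing in `main()` clears `cli/dist` before `poetry build`, so a wheel left over from an earlier build can be the one copied into `desktop/` and, presumably, packaged into the bundle that is then signed. It also fails with a bare `IndexError` when no wheel was produced. Clear the directory first with `shutil.rmtree(os.path.join(cli_dir, "dist"), ignore_errors=True)`, or abort unless exactly one wheel matches. Separately, neither `codesign` call passes `--options runtime`, so the hardened runtime that the Entitlements.plist comment refers to is not actually enabled on the signed app. A `codesign --verify --deep --strict` step after the second signature would catch a broken or partial signature before the DMG step is added.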