From 0794d7fb9040e3ecf599202c27c191215a795f37 Mon Sep 17 00:00:00 2001
From: Micah Lee <micah@micahflee.com>
Date: Sun, 25 Nov 2018 15:52:36 -0800
Subject: Split entitlements files into child and parent, and try using them
 both

---
 install/OnionShare.entitlements    | 16 ----------------
 install/build_osx.sh               |  5 ++++-
 install/macos_sandbox/child.plist  | 10 ++++++++++
 install/macos_sandbox/parent.plist | 16 ++++++++++++++++
 4 files changed, 30 insertions(+), 17 deletions(-)
 delete mode 100644 install/OnionShare.entitlements
 create mode 100644 install/macos_sandbox/child.plist
 create mode 100644 install/macos_sandbox/parent.plist

diff --git a/install/OnionShare.entitlements b/install/OnionShare.entitlements
deleted file mode 100644
index fa6a9141..00000000
--- a/install/OnionShare.entitlements
+++ /dev/null
@@ -1,16 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-	<key>com.apple.security.app-sandbox</key>
-	<true/>
-	<key>com.apple.security.files.user-selected.read-only</key>
-	<true/>
-	<key>com.apple.security.network.client</key>
-	<true/>
-	<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
-	<array>
-    <string>/OnionShare</string>
-  </array>
-</dict>
-</plist>
diff --git a/install/build_osx.sh b/install/build_osx.sh
index ad096139..010e3edb 100755
--- a/install/build_osx.sh
+++ b/install/build_osx.sh
@@ -23,9 +23,12 @@ if [ "$1" = "--release" ]; then
   PKG_PATH="$ROOT/dist/OnionShare.pkg"
   IDENTITY_NAME_APPLICATION="Developer ID Application: Micah Lee"
   IDENTITY_NAME_INSTALLER="Developer ID Installer: Micah Lee"
+  ENTITLEMENTS_CHILD_PATH="$ROOT/install/macos_sandbox/child.plist"
+  ENTITLEMENTS_PARENT_PATH="$ROOT/install/macos_sandbox/parent.plist"
 
   echo "Codesigning the app bundle"
-  codesign --deep -s "$IDENTITY_NAME_APPLICATION" "$APP_PATH" --entitlements "$ROOT/install/OnionShare.entitlements"
+  codesign --deep -s "$IDENTITY_NAME_APPLICATION" -f --entitlements "$ENTITLEMENTS_CHILD_PATH" "$APP_PATH"
+  codesign -s "$IDENTITY_NAME_APPLICATION" -f --entitlements "$ENTITLEMENTS_PARENT_PATH" "$APP_PATH"
 
   echo "Creating an installer"
   productbuild --sign "$IDENTITY_NAME_INSTALLER" --component "$APP_PATH" /Applications "$PKG_PATH"
diff --git a/install/macos_sandbox/child.plist b/install/macos_sandbox/child.plist
new file mode 100644
index 00000000..06d88f66
--- /dev/null
+++ b/install/macos_sandbox/child.plist
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.inherit</key>
+  <true/>
+</dict>
+</plist>
diff --git a/install/macos_sandbox/parent.plist b/install/macos_sandbox/parent.plist
new file mode 100644
index 00000000..ceecd30a
--- /dev/null
+++ b/install/macos_sandbox/parent.plist
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.network.client</key>
+	<true/>
+	<key>com.apple.security.files.user-selected.read-only</key>
+	<true/>
+	<key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
+	<array>
+    <string>/OnionShare</string>
+  </array>
+</dict>
+</plist>
-- 
cgit v1.2.3-54-g00ecf