Prepare for app notarization

cztomczak · cztomczak · commit 72e75ea546ca · 2025-01-30T01:32:33.000+01:00
Useful links: 1. https://www.magpcss.org/ceforum/viewtopic.php?f=6&t=16481&p=50934&hilit=+notarization#p50934 2. https://www.magpcss.org/ceforum/search.php?keywords=%2Bnotarization 3. https://github.com/search?q=repo%3Achromiumembedded%2Fcef+notarize&type=issues 4. https://developer.apple.com/documentation/security/resolving-common-notarization-issues#Ensure-a-valid-code-signature 5. https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution I'm not sure if there is a point to notarize PHP Desktop default binaries. From what I understand, I notarise whole bundle, so if user tries to play with PHP Desktop and modify scripts in www/ directory, then that would break notarisation for the app bundle. I could work on scripts to help automate the process of notarising PHP Desktop app. There is some complex stuff to do, because PHP Desktop includes CEF/Chromium framework, libraries and helper applications. These require special entitlements that need to be defined in some files. Other issue that comes to my mind is that currently Chromium web cache directory configured via settings.json is set to be inside the app bundle. So it would need to be set to a path outside of bundle, because it changes during runtime. Same for the log file, also configured via settings.json and created next to main executable by default. A notarised app can't allow for creation or change of any files inside bundle, so these settings need to be changed from defaults. It would be unsafe to configure PHP Desktop via settings.json to set www/ directory to be outside of app bundle. Because if done so, someone could overwrite PHP files that are outside of bundle and do malicious behaviour. The result would be that it's your notarised app that allows for this and could result in your app being banned by Apple or something. We need to make users aware of possible security issues.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -89,6 +89,7 @@ set_target_properties(phpdesktop PROPERTIES
                         ARCHIVE_OUTPUT_DIRECTORY "${PHPDESKTOP_OUT_DIR}"
                         RUNTIME_OUTPUT_DIRECTORY "${PHPDESKTOP_OUT_DIR}"
                         LIBRARY_OUTPUT_DIRECTORY "${PHPDESKTOP_OUT_DIR}"
+                        XCODE_ATTRIBUTE_ENABLE_HARDENED_RUNTIME YES  # required to notarize app
                         OUTPUT_NAME "PHP Desktop"
 )
 add_dependencies(phpdesktop libcef_dll_wrapper)
@@ -138,7 +139,8 @@ foreach(_suffix_list ${CEF_HELPER_APP_SUFFIXES})
     set_target_properties(${_helper_target} PROPERTIES
                             ARCHIVE_OUTPUT_DIRECTORY "${PHPDESKTOP_OUT_DIR}"
                             RUNTIME_OUTPUT_DIRECTORY "${PHPDESKTOP_OUT_DIR}"
-                            LIBRARY_OUTPUT_DIRECTORY "${PHPDESKTOP_OUT_DIR}")
+                            LIBRARY_OUTPUT_DIRECTORY "${PHPDESKTOP_OUT_DIR}"
+                            XCODE_ATTRIBUTE_ENABLE_HARDENED_RUNTIME YES)  # required for notarization
     # add_dependencies(${_helper_target} shared_helper)
     # target_link_libraries(${_helper_target} shared_helper)
     add_dependencies(${_helper_target} libcef_dll_wrapper)
