Add -N, --add-entitlements flags to append entitlements from file

* Merge entitlements from file * Append entitlements when not pseudo-signing
nowsecure · Oct 21, 2022 · 6633481 · 6633481
1 parent 08a41c8
commit 6633481
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/index.js b/index.js
@@ -316,13 +316,24 @@ class Applesign {
     this.debugObject[f][key] = val;
   }
 
+  addEntitlementsSync (orig) {
+    if (this.config.addEntitlements === undefined) {
+      return orig;
+    }
+    this.emit('message', 'Adding entitlements from file');
+    const addEnt = plist.readFileSync(this.config.addEntitlements);
+    // TODO: deepmerge
+    return Object.assign(orig, addEnt);
+  }
+
   adjustEntitlementsSync (file, entMobProv) {
     if (this.config.pseudoSign) {
       const ent = bin.entitlements(file);
       if (ent === null) {
         return;
       }
-      const entMacho = plist.parse(ent.toString().trim());
+      let entMacho = plist.parse(ent.toString().trim());
+      entMacho = this.addEntitlementsSync(entMacho);
       // TODO: merge additional entitlements here
       const newEntitlements = plistBuild(entMacho).toString();
       const newEntitlementsFile = file + '.entitlements';
@@ -343,6 +354,7 @@ class Applesign {
     let entMacho;
     if (ent !== null) {
       entMacho = plist.parse(ent.toString().trim());
+      entMacho = this.addEntitlementsSync(entMacho);
       this.debugInfo(file, 'fullPath', file);
       this.debugInfo(file, 'oldEntitlements', entMacho || 'TODO');
       if (this.config.selfSignedProvision) {

diff --git a/lib/config.js b/lib/config.js
@@ -78,6 +78,7 @@ const helpMessage = `Usage:
   -c, --clone-entitlements      Clone the entitlements from the provisioning to the bin
   -e, --entitlements [ENTITL]   Specify entitlements file (EXPERIMENTAL)
   -E, --entry-entitlement       Use generic entitlement (EXPERIMENTAL)
+  -N, --add-entitlements [FILE] Append entitlements from file (EXPERIMENTAL)
   -M, --massage-entitlements    Massage entitlements to remove privileged ones
   -t, --without-get-task-allow  Do not set the get-task-allow entitlement (EXPERIMENTAL)
   -C, --no-entitlements-file    Do not create .entitlements file in the IPA
@@ -150,6 +151,7 @@ const fromOptions = function (opt) {
     all: opt.all || false,
     allDirs: opt.allDirs || true,
     allowHttp: opt.allowHttp || false,
+    addEntitlements: opt.addEntitlements || undefined,
     bundleIdKeychainGroup: opt.bundleIdKeychainGroup || false,
     bundleid: opt.bundleid || undefined,
     cloneEntitlements: opt.cloneEntitlements || false,
@@ -245,6 +247,7 @@ function compile (conf) {
     all: conf.a || conf.all || false,
     allDirs: conf['all-dirs'] || conf.A,
     allowHttp: conf['allow-http'] || conf.H,
+    addEntitlements: conf['add-entitlements'] || conf.N,
     bundleIdKeychainGroup: conf.B || conf['bundleid-access-group'],
     bundleid: conf.bundleid || conf.b,
     cloneEntitlements: conf.c || conf['clone-entitlements'],