Disable sandboxing for downloader XPC service by default (#2511)

Configurations/ConfigCommon.xcconfig

@@ -76,7 +76,27 @@ XPC_SERVICE_BUNDLE_ID_PREFIX = org.sparkle-project
 INSTALLER_CONNECTION_BUNDLE_ID = ${XPC_SERVICE_BUNDLE_ID_PREFIX}.InstallerConnection
 INSTALLER_STATUS_BUNDLE_ID = ${XPC_SERVICE_BUNDLE_ID_PREFIX}.InstallerStatus
 INSTALLER_LAUNCHER_BUNDLE_ID = ${XPC_SERVICE_BUNDLE_ID_PREFIX}.InstallerLauncher
-DOWNLOADER_BUNDLE_ID = ${XPC_SERVICE_BUNDLE_ID_PREFIX}.Downloader
+DOWNLOADER_BUNDLE_ID = ${XPC_SERVICE_BUNDLE_ID_PREFIX}.DownloaderService
+
+// Initialize sandboxed entitlements variables to use no entitlements
+// Don't modify these. See commented out section below instead.
+DOWNLOADER_SANDBOXED_ENTITLEMENTS =
+INSTALLER_CONNECTION_ENTITLEMENTS =
+INSTALLER_STATUS_ENTITLEMENTS =
+
+// The Downloader XPC Service is not sandboxed by default.
+// Uncomment this line to enable Sandboxing for this service.
+// If this is done, you *must* set a custom XPC_SERVICE_BUNDLE_ID_PREFIX for your app above.
+// Otherwise sandboxed apps that use the same sandboxed Downloader Service may conflict with each other.
+
+//DOWNLOADER_SANDBOXED_ENTITLEMENTS = Downloader/Downloader.entitlements
+
+// Similar to the Downloader XPC Service, uncomment these lines if you want to sandbox the Connection/Status services
+// If this is done, you *must* set a custom XPC_SERVICE_BUNDLE_ID_PREFIX for your app above.
+
+//INSTALLER_CONNECTION_ENTITLEMENTS = InstallerConnection/InstallerConnection.entitlements
+//INSTALLER_STATUS_ENTITLEMENTS = InstallerStatus/InstallerStatus.entitlements
+
 
 // If your app file on disk is named "MyApp 1.1b4", Sparkle usually updates it
 // in place, giving you an app named 1.1b4 that is actually 1.2. Turn the

Configurations/ConfigDownloader.xcconfig

@@ -4,6 +4,6 @@ INFOPLIST_FILE = Downloader/Info.plist
 WRAPPER_EXTENSION = xpc
 PRODUCT_BUNDLE_IDENTIFIER = ${DOWNLOADER_BUNDLE_ID}
 PRODUCT_NAME = ${DOWNLOADER_NAME}
-CODE_SIGN_ENTITLEMENTS = Downloader/org.sparkle-project.Downloader.entitlements
+CODE_SIGN_ENTITLEMENTS = $(DOWNLOADER_SANDBOXED_ENTITLEMENTS)
 GCC_PREPROCESSOR_DEFINITIONS = $(GCC_PREPROCESSOR_DEFINITIONS) BUILDING_SPARKLE_SOURCES_EXTERNALLY=1
 CLANG_MODULES_AUTOLINK = NO

Configurations/ConfigInstallerConnection.xcconfig

@@ -4,5 +4,6 @@ INFOPLIST_FILE = InstallerConnection/Info.plist
 WRAPPER_EXTENSION = xpc
 PRODUCT_BUNDLE_IDENTIFIER = ${INSTALLER_CONNECTION_BUNDLE_ID}
 PRODUCT_NAME = ${INSTALLER_CONNECTION_NAME}
+CODE_SIGN_ENTITLEMENTS = $(INSTALLER_CONNECTION_ENTITLEMENTS)
 GCC_PREPROCESSOR_DEFINITIONS = $(GCC_PREPROCESSOR_DEFINITIONS) BUILDING_SPARKLE_SOURCES_EXTERNALLY=1
 CLANG_MODULES_AUTOLINK = NO

Configurations/ConfigInstallerStatus.xcconfig

@@ -4,5 +4,6 @@ INFOPLIST_FILE = InstallerStatus/Info.plist
 WRAPPER_EXTENSION = xpc
 PRODUCT_BUNDLE_IDENTIFIER = ${INSTALLER_STATUS_BUNDLE_ID}
 PRODUCT_NAME = ${INSTALLER_STATUS_NAME}
+CODE_SIGN_ENTITLEMENTS = $(INSTALLER_STATUS_ENTITLEMENTS)
 GCC_PREPROCESSOR_DEFINITIONS = $(GCC_PREPROCESSOR_DEFINITIONS) BUILDING_SPARKLE=0 BUILDING_SPARKLE_SOURCES_EXTERNALLY=1
 CLANG_MODULES_AUTOLINK = NO

Configurations/make-release-package.sh

@@ -45,14 +45,6 @@ if [ "$ACTION" = "" ] ; then
     cp -R "$CONFIGURATION_BUILD_DIR/sparkle.app" "$CONFIGURATION_BUILD_DIR/staging"
     cp -R "$CONFIGURATION_BUILD_DIR/Sparkle.framework" "$CONFIGURATION_BUILD_DIR/staging"
     cp -R "$CONFIGURATION_BUILD_DIR/Sparkle.xcframework" "$CONFIGURATION_BUILD_DIR/staging-spm"
-
-    if [[ "$SPARKLE_EMBED_DOWNLOADER_XPC_SERVICE" -eq 1 ]]; then
-        mkdir -p "$CONFIGURATION_BUILD_DIR/staging/Entitlements"
-        mkdir -p "$CONFIGURATION_BUILD_DIR/staging-spm/Entitlements"
-
-        cp -R "$PROJECT_DIR/Downloader/org.sparkle-project.Downloader.entitlements" "$CONFIGURATION_BUILD_DIR/staging/Entitlements/$DOWNLOADER_NAME.entitlements"
-        cp -R "$PROJECT_DIR/Downloader/org.sparkle-project.Downloader.entitlements" "$CONFIGURATION_BUILD_DIR/staging-spm/Entitlements/$DOWNLOADER_NAME.entitlements"
-    fi
 
     mkdir -p "$CONFIGURATION_BUILD_DIR/staging/Symbols"
 

Sparkle.podspec

@@ -22,7 +22,7 @@ Pod::Spec.new do |s|
   s.source   = { :http => "https://github.com/sparkle-project/Sparkle/releases/download/#{s.version}/Sparkle-#{s.version}.tar.xz" }
   s.source_files = 'Sparkle.framework/Versions/B/Headers/*.h'
 
-  s.preserve_paths = ['bin/*', 'Entitlements', 'Symbols']
+  s.preserve_paths = ['bin/*', 'Symbols']
   s.public_header_files = 'Sparkle.framework/Versions/B/Headers/*.h'
   s.vendored_frameworks  = 'Sparkle.framework'
   s.xcconfig            = {

Sparkle.xcodeproj/project.pbxproj

@@ -1055,8 +1055,8 @@
 		7214B8851D45AD9A00CB5CED /* SPUInstallationType.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SPUInstallationType.h; sourceTree = "<group>"; };
 		72162B071C82C9600013C1C5 /* SULocalizations.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SULocalizations.h; sourceTree = "<group>"; };
 		721652671D3C8FED00FD13D8 /* SUInstallerLauncherStatus.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; name = SUInstallerLauncherStatus.h; path = InstallerLauncher/SUInstallerLauncherStatus.h; sourceTree = SOURCE_ROOT; };
-		7218EC362623F31C008FECF3 /* org.sparkle-project.InstallerConnection.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "org.sparkle-project.InstallerConnection.entitlements"; sourceTree = "<group>"; };
-		7218EC372623F32E008FECF3 /* org.sparkle-project.InstallerStatus.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "org.sparkle-project.InstallerStatus.entitlements"; sourceTree = "<group>"; };
+		7218EC362623F31C008FECF3 /* InstallerConnection.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = InstallerConnection.entitlements; sourceTree = "<group>"; };
+		7218EC372623F32E008FECF3 /* InstallerStatus.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = InstallerStatus.entitlements; sourceTree = "<group>"; };
 		721AB11626C777D900D34A86 /* SPUDownloadDataPrivate.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = SPUDownloadDataPrivate.h; sourceTree = "<group>"; };
 		721BC2061D17A532002BC71E /* CoreFoundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = CoreFoundation.framework; path = System/Library/Frameworks/CoreFoundation.framework; sourceTree = SDKROOT; };
 		721BC2081D17A553002BC71E /* Carbon.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Carbon.framework; path = System/Library/Frameworks/Carbon.framework; sourceTree = SDKROOT; };
@@ -1343,7 +1343,7 @@
 		728ED349277DA23400D9238F /* SPUSparkleDeltaArchive.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; name = SPUSparkleDeltaArchive.m; path = Autoupdate/SPUSparkleDeltaArchive.m; sourceTree = SOURCE_ROOT; };
 		729924921DF4A45000DBCDF5 /* SUUpdateValidator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = SUUpdateValidator.h; path = Sparkle/SUUpdateValidator.h; sourceTree = SOURCE_ROOT; };
 		729924931DF4A45000DBCDF5 /* SUUpdateValidator.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; name = SUUpdateValidator.m; path = Sparkle/SUUpdateValidator.m; sourceTree = SOURCE_ROOT; };
-		729BB3D11D503826007C4276 /* org.sparkle-project.Downloader.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.xml; name = "org.sparkle-project.Downloader.entitlements"; path = "Downloader/org.sparkle-project.Downloader.entitlements"; sourceTree = SOURCE_ROOT; };
+		729BB3D11D503826007C4276 /* Downloader.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; name = Downloader.entitlements; path = Downloader/Downloader.entitlements; sourceTree = SOURCE_ROOT; };
 		729F10FD1C65A9B500DFCCC5 /* ConfigUITest.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = ConfigUITest.xcconfig; sourceTree = "<group>"; };
 		729F10FE1C65A9B500DFCCC5 /* ConfigUITestCoverage.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = ConfigUITestCoverage.xcconfig; sourceTree = "<group>"; };
 		729F7EAB27366353004592DC /* test-links.xml */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.xml; path = "test-links.xml"; sourceTree = "<group>"; };
@@ -2233,7 +2233,7 @@
 				724BB36E1D31D0B7005D534A /* SUInstallerConnectionProtocol.h */,
 				724BB3851D32A167005D534A /* SUXPCInstallerConnection.h */,
 				724BB3861D32A167005D534A /* SUXPCInstallerConnection.m */,
-				7218EC362623F31C008FECF3 /* org.sparkle-project.InstallerConnection.entitlements */,
+				7218EC362623F31C008FECF3 /* InstallerConnection.entitlements */,
 			);
 			name = InstallerConnection;
 			path = ../InstallerConnection;
@@ -2250,7 +2250,7 @@
 				7267E5DD1D3D8F5A00D1BF90 /* SUStatusInfoProtocol.h */,
 				724BB3A61D33461B005D534A /* SUXPCInstallerStatus.h */,
 				724BB3A71D33461B005D534A /* SUXPCInstallerStatus.m */,
-				7218EC372623F32E008FECF3 /* org.sparkle-project.InstallerStatus.entitlements */,
+				7218EC372623F32E008FECF3 /* InstallerStatus.entitlements */,
 			);
 			name = InstallerStatus;
 			path = ../InstallerStatus;
@@ -2312,7 +2312,7 @@
 			children = (
 				723B5D9F1CF7AB0100365F95 /* Info.plist */,
 				723B5DA01CF7AB0100365F95 /* main.m */,
-				729BB3D11D503826007C4276 /* org.sparkle-project.Downloader.entitlements */,
+				729BB3D11D503826007C4276 /* Downloader.entitlements */,
 				723B5DA21CF7AB0100365F95 /* SPUDownloader.h */,
 				723B5DA31CF7AB0100365F95 /* SPUDownloader.m */,
 				723B5DA41CF7AB0100365F95 /* SPUDownloaderDelegate.h */,