cicy-desktop 2.1.153 → 2.1.154
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json
CHANGED
|
@@ -7,47 +7,10 @@ APP="/Applications/CiCy Desktop.app"
|
|
|
7
7
|
[ -d "$APP" ] || exit 0
|
|
8
8
|
/usr/bin/xattr -dr com.apple.quarantine "$APP" 2>/dev/null || true
|
|
9
9
|
/usr/bin/xattr -cr "$APP" 2>/dev/null || true
|
|
10
|
-
|
|
11
|
-
#
|
|
12
|
-
#
|
|
13
|
-
|
|
14
|
-
# requirement, so the grant sticks after the user allows it once. We run as root here,
|
|
15
|
-
# so we can write the System keychain + trust the cert with NO password prompt.
|
|
16
|
-
SIGN_CN="CiCy Desktop Local Signing"
|
|
17
|
-
SYS_KC="/Library/Keychains/System.keychain"
|
|
18
|
-
if ! /usr/bin/security find-identity -p codesigning "$SYS_KC" 2>/dev/null | grep -qF "$SIGN_CN"; then
|
|
19
|
-
TMPD="$(/usr/bin/mktemp -d)"
|
|
20
|
-
# Config file (portable across the LibreSSL that ships in /usr/bin/openssl, which
|
|
21
|
-
# lacks `-addext`). codeSigning EKU is what makes it a valid signing identity.
|
|
22
|
-
cat > "$TMPD/c.cnf" <<CNF
|
|
23
|
-
[req]
|
|
24
|
-
distinguished_name = dn
|
|
25
|
-
x509_extensions = v3
|
|
26
|
-
prompt = no
|
|
27
|
-
[dn]
|
|
28
|
-
CN = $SIGN_CN
|
|
29
|
-
[v3]
|
|
30
|
-
basicConstraints = critical,CA:false
|
|
31
|
-
keyUsage = critical,digitalSignature
|
|
32
|
-
extendedKeyUsage = critical,codeSigning
|
|
33
|
-
CNF
|
|
34
|
-
/usr/bin/openssl req -x509 -newkey rsa:2048 -keyout "$TMPD/k.pem" -out "$TMPD/c.pem" \
|
|
35
|
-
-days 3650 -nodes -config "$TMPD/c.cnf" >/dev/null 2>&1
|
|
36
|
-
/usr/bin/openssl pkcs12 -export -inkey "$TMPD/k.pem" -in "$TMPD/c.pem" \
|
|
37
|
-
-out "$TMPD/id.p12" -passout pass:cicy -name "$SIGN_CN" >/dev/null 2>&1
|
|
38
|
-
# -A = no ACL on the key → codesign can use it without a partition-list/password dance.
|
|
39
|
-
/usr/bin/security import "$TMPD/id.p12" -k "$SYS_KC" -P cicy -A >/dev/null 2>&1 || true
|
|
40
|
-
/usr/bin/security add-trusted-cert -d -r trustRoot -p codeSign -k "$SYS_KC" "$TMPD/c.pem" >/dev/null 2>&1 || true
|
|
41
|
-
/bin/rm -rf "$TMPD"
|
|
42
|
-
fi
|
|
43
|
-
if /usr/bin/security find-identity -p codesigning "$SYS_KC" 2>/dev/null | grep -qF "$SIGN_CN"; then
|
|
44
|
-
/usr/bin/codesign --force --deep --sign "$SIGN_CN" --keychain "$SYS_KC" "$APP" 2>/dev/null \
|
|
45
|
-
&& echo "signed with local identity: $SIGN_CN" \
|
|
46
|
-
|| /usr/bin/codesign --force --deep --sign - "$APP" 2>/dev/null || true
|
|
47
|
-
else
|
|
48
|
-
echo "local identity unavailable — falling back to ad-hoc"
|
|
49
|
-
/usr/bin/codesign --force --deep --sign - "$APP" 2>/dev/null || true
|
|
50
|
-
fi
|
|
10
|
+
# Re-ad-hoc-sign so the app opens with no Apple cert. (A self-signed cert was tried to
|
|
11
|
+
# make the Screen-Recording grant persist — it did sign, but macOS 15 still re-prompts
|
|
12
|
+
# without an Apple Team ID, so it was dropped; desktop capture is OFF by default on mac.)
|
|
13
|
+
/usr/bin/codesign --force --deep --sign - "$APP" 2>/dev/null || true
|
|
51
14
|
|
|
52
15
|
# Desktop shortcut for the logged-in user (postinstall runs as root, so resolve the
|
|
53
16
|
# console user + their home and chown the symlink to them). Launchpad/Spotlight pick
|
|
@@ -35,12 +35,15 @@ function snapDir() {
|
|
|
35
35
|
|
|
36
36
|
// Is desktop screen capture allowed here? Single source of truth shared by the
|
|
37
37
|
// periodic daemon (main.js) AND the on-demand `desktop_snapshot` tool's live fallback.
|
|
38
|
-
//
|
|
39
|
-
//
|
|
40
|
-
//
|
|
41
|
-
// the
|
|
38
|
+
// OFF by default on macOS: any capture trips the Screen-Recording prompt, and macOS 15
|
|
39
|
+
// won't persist the grant for a non-Apple-Team-ID signature (ad-hoc AND a self-signed
|
|
40
|
+
// cert both re-prompt — verified). So unless you ship an Apple Developer-ID + notarized
|
|
41
|
+
// build, the only way to "no prompts" is to not capture. Opt in with CICY_DESKTOP_SNAPSHOT=1.
|
|
42
|
+
// win/linux are ON by default (no such prompt); opt out with =0.
|
|
42
43
|
function snapshotEnabled() {
|
|
43
|
-
return process.
|
|
44
|
+
return process.platform === "darwin"
|
|
45
|
+
? process.env.CICY_DESKTOP_SNAPSHOT === "1"
|
|
46
|
+
: process.env.CICY_DESKTOP_SNAPSHOT !== "0";
|
|
44
47
|
}
|
|
45
48
|
|
|
46
49
|
function intervalMs(opt) {
|