mirror of
https://github.com/LibreOffice/core.git
synced 2025-07-20 18:18:30 +00:00
14b5fa6d6c
the parent-launch constraints worked for their intended purpose, but for the wrong reason. External launches weren't blocked because the parent didn't match the constraints, but because the parent didn't have stuff defined/stuff that the OS didn't recognize. And that then also blocked the xpdfimport helper, which is used to import PDFs into LibreOffice. The parent-constraints are set via the --launch-constraint-parent flag when running codesign, but was also added as an additional dict layer in the plist file, and that apparently is not valid, but still accepted. In Console.app, the block should be logged with c[4]p[2]m[1]e[0], (Constraint not matched) constraint identifier 4, i.e. launch constraint process identifier 2, i.e. related to the parent process match result 1, i.e. the launch constraints not matched error code 0, i.e. no error instead it was c[4]p[2]m[5]e[5], (parent-constraints) a generic parent-constraints error with match result 5, "The operating system couldn’t match the executable file with the constraint, because the constraint contains a non-optional fact that isn’t defined for the executable file." so far no difference to the expected validation error, but the error code is 5, "The launch constraint contains a fact that the operating system doesn’t recognize." So even LibreOffice itself didn't qualify as a parent process and the xpdfimport helper was blocked. see also: https://developer.apple.com/documentation/security/applying-launch-environment-and-library-constraints Change-Id: I0debdb87f04a69f58fcb543d027bdc3b9a4ea0cc Reviewed-on: https://gerrit.libreoffice.org/c/core/+/187412 Tested-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com> Reviewed-by: Christian Lohmaier <lohmaier+LibreOffice@googlemail.com>