diff --git a/CHANGELOG.md b/CHANGELOG.md index 67c91a3..79d3032 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,7 @@ and this project does adhere to [Semantic Versioning](https://semver.org/spec/v2 - Welcome message also adds Github releases feed - Associate OPML files (double click and right click actions in Finder) - Quick Look preview for OPML files +- Sandboxing & hardened runtime environment ### Fixed - *Adding feed:* Show users any 5xx server error response and extracted failure reason diff --git a/README.md b/README.md index dfb0633..36a99e5 100644 --- a/README.md +++ b/README.md @@ -83,17 +83,16 @@ With this Terminal command you can customize this number: ToDo ---- -- [ ] Missing - - [ ] App Icon & UI icons (a shout out to all designers out there!) - - [ ] Text / UI localization - - [ ] Feeds with authentication - - [ ] Sandbox (does work, except for:) - - [ ] Default RSS application checkbox (disable or other workaround) +- [ ] Localizations +- [x] Sandbox + - [ ] Default RSS application checkbox (disable or other workaround) - [ ] Nice to have (... on increased demand) + - [ ] Feed Generator for websites without feeds - [ ] Automatically choose best update interval (e.g., avg) - [ ] Sync with online services + - [ ] Feeds with authentication - [ ] Notification Center - [ ] Distraction Mode - [ ] Distract less: Sleep timer. (e.g., disable updates during working hours) diff --git a/baRSS.xcodeproj/project.pbxproj b/baRSS.xcodeproj/project.pbxproj index c126378..f74f2da 100644 --- a/baRSS.xcodeproj/project.pbxproj +++ b/baRSS.xcodeproj/project.pbxproj 
@@ -33,6 +33,7 @@
 54ACC29821061FBA0020715F /* Preferences.m in Sources */ = {isa = PBXBuildFile; fileRef = 54ACC29721061FBA0020715F /* Preferences.m */; };
 54AD4E0023005297000AE386 /* WebFeed.m in Sources */ = {isa = PBXBuildFile; fileRef = 54AD4DFF23005297000AE386 /* WebFeed.m */; };
 54AD4E0C2301853D000AE386 /* NSString+Ext.m in Sources */ = {isa = PBXBuildFile; fileRef = 54AD4E0B2301853D000AE386 /* NSString+Ext.m */; };
+ 54AD4EE72305B17D000AE386 /* container-migration.plist in Resources */ = {isa = PBXBuildFile; fileRef = 54AD4EE62305B17D000AE386 /* container-migration.plist */; };
 54B51704226DC339006C1B29 /* ModalFeedEditView.m in Sources */ = {isa = PBXBuildFile; fileRef = 54B51703226DC339006C1B29 /* ModalFeedEditView.m */; };
 54B517072270E990006C1B29 /* NSView+Ext.m in Sources */ = {isa = PBXBuildFile; fileRef = 54B517062270E92A006C1B29 /* NSView+Ext.m */; };
 54B749DA2204A85C0022CC6D /* BarStatusItem.m in Sources */ = {isa = PBXBuildFile; fileRef = 54B749D92204A85C0022CC6D /* BarStatusItem.m */; };
@@ -145,6 +146,8 @@
 54AD4DFF23005297000AE386 /* WebFeed.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = WebFeed.m; sourceTree = ""; };
 54AD4E0A2301853D000AE386 /* NSString+Ext.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "NSString+Ext.h"; sourceTree = ""; };
 54AD4E0B2301853D000AE386 /* NSString+Ext.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = "NSString+Ext.m"; sourceTree = ""; };
+ 54AD4EE42305AF60000AE386 /* baRSS.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = baRSS.entitlements; sourceTree = ""; };
+ 54AD4EE62305B17D000AE386 /* container-migration.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "container-migration.plist"; sourceTree = ""; };
 54B51702226DC339006C1B29 /* ModalFeedEditView.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = ModalFeedEditView.h; sourceTree = ""; };
 54B51703226DC339006C1B29 /* ModalFeedEditView.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = ModalFeedEditView.m; sourceTree = ""; };
 54B517052270E8C6006C1B29 /* NSView+Ext.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = "NSView+Ext.h"; sourceTree = ""; };
@@ -290,6 +293,7 @@
 54ACC27E21061B3B0020715F /* baRSS */ = {
 isa = PBXGroup;
 children = (
+ 54AD4EE42305AF60000AE386 /* baRSS.entitlements */,
 544B011B2114EE9100386E5C /* AppHook.h */,
 544B011C2114EE9100386E5C /* AppHook.m */,
 541958872190FF1200581B79 /* Constants.h */,
@@ -301,6 +305,7 @@
 54ACC28A21061B3C0020715F /* Info.plist */,
 54F7101322EE0DDA006985D1 /* Artwork */,
 54ACC28B21061B3C0020715F /* main.m */,
+ 54AD4EE62305B17D000AE386 /* container-migration.plist */,
 54ACC28221061B3B0020715F /* DBv1.xcdatamodeld */,
 );
 path = baRSS;
@@ -405,6 +410,7 @@
 54CE4D4522EF509400E89C16 /* CopyFiles */,
 544DCCBC212A2B5A002DBC46 /* CopyFiles */,
 543964EE2215C27B0016AAA3 /* ShellScript */,
+ 54FB05D12305BFAB00A088AD /* ShellScript */,
 );
 buildRules = (
 );
@@ -431,8 +437,11 @@
 com.apple.ApplicationGroups.Mac = {
 enabled = 0;
 };
+ com.apple.HardenedRuntime = {
+ enabled = 1;
+ };
 com.apple.Sandbox = {
- enabled = 0;
+ enabled = 1;
 };
 };
 };
@@ -478,6 +487,7 @@
 buildActionMask = 2147483647;
 files = (
 54BF444A22D0F4F300660096 /* AppIcon.icns in Resources */,
+ 54AD4EE72305B17D000AE386 /* container-migration.plist in Resources */,
 54E3C02122EE076D006E2E24 /* opml-icon.icns in Resources */,
 );
 runOnlyForDeploymentPostprocessing = 0;
@@ -502,6 +512,24 @@
 shellPath = /bin/sh;
 shellScript = "# https://crunchybagel.com/auto-incrementing-build-numbers-in-xcode/\nbuildNumber=$(/usr/libexec/PlistBuddy -c \"Print CFBundleVersion\" \"${PROJECT_DIR}/${INFOPLIST_FILE}\")\nbuildNumber=$(($buildNumber + 1))\n/usr/libexec/PlistBuddy -c \"Set :CFBundleVersion $buildNumber\" \"${PROJECT_DIR}/${INFOPLIST_FILE}\"\n";
 };
+ 54FB05D12305BFAB00A088AD /* ShellScript */ = {
+ isa = PBXShellScriptBuildPhase;
+ buildActionMask = 2147483647;
+ files = (
+ );
+ inputFileListPaths = (
+ );
+ inputPaths = (
+ );
+ outputFileListPaths = (
+ );
+ outputPaths = (
+ );
+ runOnlyForDeploymentPostprocessing = 0;
+ shellPath = /bin/sh;
+ shellScript = "# replace '$(PRODUCT_NAME)' with actual value\nfile=\"${TARGET_BUILD_DIR}/${UNLOCALIZED_RESOURCES_FOLDER_PATH}/container-migration.plist\"\nsed -i '' \"s/\\$(PRODUCT_NAME)/${PRODUCT_NAME}/\" \"$file\"\n";
+ showEnvVarsInLog = 0;
+ };
 /* End PBXShellScriptBuildPhase section */
 /* Begin PBXSourcesBuildPhase section */
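Review bot: The new script phase `54FB05D12305BFAB00A088AD` (last hunk) puts `${PRODUCT_NAME}` unescaped into the replacement side of `sed -i '' "s/\$(PRODUCT_NAME)/${PRODUCT_NAME}/" "$file"`, so a product name containing `/`, `&` or a backslash either breaks the expression or is substituted incorrectly. The bundle would then ship container-migration.plist with a wrong or still-literal `$(PRODUCT_NAME)` path, and the sandbox container migration would presumably move nothing, with no build error to show for it. Escape the value before use, e.g. `name=$(printf '%s' "$PRODUCT_NAME" | sed 's/[\/&]/\\&/g')`, and substitute `$name` instead. Ending the script with `! grep -qF '$(PRODUCT_NAME)' "$file"` would additionally fail the build if the placeholder survives. Both lines need the usual pbxproj string escaping when placed in `shellScript`.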
@@ -674,10 +702,13 @@ CLANG_WARN_OBJC_EXPLICIT_OWNERSHIP_TYPE = YES; CLANG_WARN_OBJC_REPEATED_USE_OF_WEAK = YES; CLANG_WARN_SUSPICIOUS_IMPLICIT_CONVERSION = YES; - CODE_SIGN_STYLE = Manual; + CODE_SIGN_ENTITLEMENTS = baRSS/baRSS.entitlements; + CODE_SIGN_IDENTITY = "Mac Developer"; + CODE_SIGN_STYLE = Automatic; COMBINE_HIDPI_IMAGES = YES; - DEVELOPMENT_TEAM = ""; + DEVELOPMENT_TEAM = UY657LKNHJ; EMBED_ASSET_PACKS_IN_PRODUCT_BUNDLE = NO; + ENABLE_HARDENED_RUNTIME = YES; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", "$(PROJECT_DIR)", @@ -722,10 +753,13 @@ CLANG_WARN_OBJC_EXPLICIT_OWNERSHIP_TYPE = YES; CLANG_WARN_OBJC_REPEATED_USE_OF_WEAK = YES; CLANG_WARN_SUSPICIOUS_IMPLICIT_CONVERSION = YES; - CODE_SIGN_STYLE = Manual; + CODE_SIGN_ENTITLEMENTS = baRSS/baRSS.entitlements; + CODE_SIGN_IDENTITY = "Mac Developer"; + CODE_SIGN_STYLE = Automatic; COMBINE_HIDPI_IMAGES = YES; - DEVELOPMENT_TEAM = ""; + DEVELOPMENT_TEAM = UY657LKNHJ; EMBED_ASSET_PACKS_IN_PRODUCT_BUNDLE = NO; + ENABLE_HARDENED_RUNTIME = YES; FRAMEWORK_SEARCH_PATHS = ( "$(inherited)", "$(PROJECT_DIR)", diff --git a/baRSS/Info.plist b/baRSS/Info.plist index bf340b3..145d36d 100644 --- a/baRSS/Info.plist +++ b/baRSS/Info.plist @@ -60,7 +60,7 @@ CFBundleVersion - 10902 + 11016 LSApplicationCategoryType public.app-category.news LSMinimumSystemVersion diff --git a/baRSS/baRSS.entitlements b/baRSS/baRSS.entitlements new file mode 100644 index 0000000..a046386 --- /dev/null +++ b/baRSS/baRSS.entitlements @@ -0,0 +1,12 @@ + + + + + com.apple.security.app-sandbox + + com.apple.security.files.user-selected.read-write + + com.apple.security.network.client + + + diff --git a/baRSS/container-migration.plist b/baRSS/container-migration.plist new file mode 100644 index 0000000..c8fe2b0 --- /dev/null +++ b/baRSS/container-migration.plist @@ -0,0 +1,10 @@ + + + + + Move + + ${ApplicationSupport}/$(PRODUCT_NAME) + + +
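Review bot: `DEVELOPMENT_TEAM = UY657LKNHJ;` together with `CODE_SIGN_STYLE = Automatic;` is now fixed in the tracked project file, in the hunk at -674 and again in the hunk at -722, so anyone outside that team has to edit a tracked file to build, and such local edits tend to get committed by accident. Consider keeping `DEVELOPMENT_TEAM = "";` in the project and supplying the team and identity from an untracked `.xcconfig`. Both configurations also set `CODE_SIGN_IDENTITY = "Mac Developer";`. If one of them is the Release configuration (the hunks do not show which), a development identity is probably not what a distributed, hardened-runtime build should be signed with, so confirm that release builds are re-signed with a distribution identity. The enclosing buildSettings blocks start and end outside the hunks.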
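Review bot: The three entitlements in the new baRSS/baRSS.entitlements carry no justification, so a later reviewer cannot tell which feature each one serves or whether an addition to the list is warranted. Add an XML comment above each key, for example `<!-- outgoing requests to fetch feeds -->` above `com.apple.security.network.client` and `<!-- files chosen in open/save panels (presumably OPML import/export) -->` above `com.apple.security.files.user-selected.read-write`. If the app never writes to a user-chosen location, the read-only variant of the file entitlement would be the tighter choice, which is worth confirming against the export path. The values are not visible in this rendering of the hunk, so this assumes each key is set to true.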