Fix TestFlight errors caused by desktop_proxy (#10928)

* Add info.plist and enable app-sandbox

* Log available identities

* Fix cert selection

* Remove comment

apps/desktop/desktop_native/Cargo.lock

@@ -555,6 +555,7 @@ version = "0.0.0"
 dependencies = [
  "anyhow",
  "desktop_core",
+ "embed_plist",
  "futures",
  "log",
  "simplelog",
@@ -614,6 +615,12 @@ version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "75b325c5dbd37f80359721ad39aca5a29fb04c89279657cffdda8736d0c0b9d2"
 
+[[package]]
+name = "embed_plist"
+version = "1.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ef6b89e5b37196644d8796de5268852ff179b44e96276cf4290264843743bb7"
+
 [[package]]
 name = "endi"
 version = "1.1.0"

apps/desktop/desktop_native/proxy/Cargo.toml

@@ -14,3 +14,6 @@ log = "0.4.21"
 simplelog = "0.12.2"
 tokio = { version = "1.38.0", features = ["io-std", "io-util", "macros", "rt"] }
 tokio-util = { version = "0.7.11", features = ["codec"] }
+
+[target.'cfg(target_os = "macos")'.dependencies]
+embed_plist = "1.2.2"

apps/desktop/desktop_native/proxy/src/main.rs

@@ -5,6 +5,9 @@ use futures::{SinkExt, StreamExt};
 use log::*;
 use tokio_util::codec::LengthDelimitedCodec;
 
+#[cfg(target_os = "macos")]
+embed_plist::embed_info_plist!("../../../resources/info.desktop_proxy.plist");
+
 fn init_logging(log_path: &Path, level: log::LevelFilter) {
     use simplelog::{ColorChoice, CombinedLogger, Config, SharedLogger, TermLogger, TerminalMode};
 

apps/desktop/resources/entitlements.desktop_proxy.plist

@@ -6,6 +6,8 @@
 	<string>LTZ2PFU5D6.com.bitwarden.desktop</string>
 	<key>com.apple.developer.team-identifier</key>
 	<string>LTZ2PFU5D6</string>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
 	<key>com.apple.security.application-groups</key>
 	<array>
 		<string>LTZ2PFU5D6.com.bitwarden.desktop</string>

apps/desktop/resources/info.desktop_proxy.plist

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+	<dict>
+		<key>CFBundleIdentifier</key>
+		<string>com.bitwarden.desktop</string>
+		<key>LSMinimumSystemVersion</key>
+		<string>10.15</string>
+	</dict>
+</plist>

apps/desktop/scripts/after-pack.js

@@ -33,13 +33,32 @@ async function run(context) {
   }
 
   if (["darwin", "mas"].includes(context.electronPlatformName)) {
-    const identities = getIdentities(process.env.CSC_NAME ?? "");
+    const is_mas = context.electronPlatformName === "mas";
+    const is_mas_dev = context.targets.some((e) => e.name === "mas-dev");
+
+    let id;
+
+    // Only use the Bitwarden Identities on CI
+    if (process.env.GITHUB_ACTIONS === "true") {
+      if (is_mas) {
+        id = is_mas_dev
+          ? "E7C9978F6FBCE0553429185C405E61F5380BE8EB"
+          : "3rd Party Mac Developer Application: Bitwarden Inc";
+      } else {
+        id = "Developer ID Application: 8bit Solutions LLC";
+      }
+      // Locally, use the first valid code signing identity, unless CSC_NAME is set
+    } else if (process.env.CSC_NAME) {
+      id = process.env.CSC_NAME;
+    } else {
+      const identities = getIdentities();
       if (identities.length === 0) {
         throw new Error("No valid identities found");
       }
-    const id = identities[0].id;
+      id = identities[0].id;
+    }
 
-    console.log("Signing proxy binary before the main bundle, using identity", id);
+    console.log(`Signing proxy binary before the main bundle, using identity '${id}'`);
 
     const appName = context.packager.appInfo.productFilename;
     const appPath = `${context.appOutDir}/${appName}.app`;
@@ -49,7 +68,7 @@ async function run(context) {
     const entitlementsName = "entitlements.desktop_proxy.plist";
     const entitlementsPath = path.join(__dirname, "..", "resources", entitlementsName);
     child_process.execSync(
-      `codesign -s ${id} -i ${packageId} -f --timestamp --options runtime --entitlements ${entitlementsPath} ${proxyPath}`,
+      `codesign -s '${id}' -i ${packageId} -f --timestamp --options runtime --entitlements ${entitlementsPath} ${proxyPath}`,
     );
   }
 }
@@ -66,7 +85,7 @@ const appleCertificatePrefixes = [
   "Apple Development:",
 ];
 
-function getIdentities(csc_name) {
+function getIdentities() {
   const ids = child_process
     .execSync("/usr/bin/security find-identity -v -p codesigning")
     .toString();
@@ -81,7 +100,6 @@ function getIdentities(csc_name) {
       }
       return false;
     })
-    .filter((line) => line.includes(csc_name))
     .map((line) => {
       const split = line.trim().split(" ");
       const id = split[1];