From 61dfe7fbaa592785353348a16abd1525dcbfaf28 Mon Sep 17 00:00:00 2001 From: David Brooks Date: Wed, 24 Jan 2024 09:37:52 +1300 Subject: [PATCH] fix: Use fully-defined path `/usr/bin/___` to macOS signing utilities (#7998) --- .changeset/thirty-bobcats-beg.md | 5 +++++ .../src/codeSign/macCodeSign.ts | 20 +++++++++---------- 2 files changed, 15 insertions(+), 10 deletions(-) create mode 100644 .changeset/thirty-bobcats-beg.md diff --git a/.changeset/thirty-bobcats-beg.md b/.changeset/thirty-bobcats-beg.md new file mode 100644 index 00000000000..13f8df29079 --- /dev/null +++ b/.changeset/thirty-bobcats-beg.md @@ -0,0 +1,5 @@ +--- +"app-builder-lib": patch +--- + +Use full path to macOS signing utilities diff --git a/packages/app-builder-lib/src/codeSign/macCodeSign.ts b/packages/app-builder-lib/src/codeSign/macCodeSign.ts index f0cf349ed46..f9110ee2e78 100644 --- a/packages/app-builder-lib/src/codeSign/macCodeSign.ts +++ b/packages/app-builder-lib/src/codeSign/macCodeSign.ts @@ -87,7 +87,7 @@ export async function reportError( } if (qualifier != null || isAutoDiscoveryCodeSignIdentity()) { - logFields.allIdentities = (await exec("security", args)) + logFields.allIdentities = (await exec("/usr/bin/security", args)) .trim() .split("\n") .filter(it => !(it.includes("Policy: X.509 Basic") || it.includes("Matching identities"))) @@ -116,7 +116,7 @@ const bundledCertKeychainAdded = new Lazy(async () => { ]) const list = results[0] if (!list.includes(keychainPath)) { - await exec("security", ["list-keychains", "-d", "user", "-s", keychainPath].concat(list)) + await exec("/usr/bin/security", ["list-keychains", "-d", "user", "-s", keychainPath].concat(list)) } }) @@ -126,7 +126,7 @@ function getCacheDirectory(): string { } function listUserKeychains(): Promise> { - return exec("security", ["list-keychains", "-d", "user"]).then(it => + return exec("/usr/bin/security", ["list-keychains", "-d", "user"]).then(it => it .split("\n") .map(it => { 
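Review bot: The literal `/usr/bin/security` is now repeated at every call site, starting in the `reportError` hunk (`@@ -87,7 +87,7 @@`) and again in the `bundledCertKeychainAdded`, `listUserKeychains`, `removeKeychain`, `createKeychain`, `importCerts` and `getValidIdentities` hunks, with `/usr/bin/codesign` in `sign`. Two module-level constants would keep the pinned paths in one place and record why they are pinned: `const SECURITY_BIN = "/usr/bin/security"` and `const CODESIGN_BIN = "/usr/bin/codesign"`, preceded by `// Absolute paths: these tools receive keychain and certificate passwords, so they must not be resolved through PATH`. Call sites outside these hunks are not visible here, so it is worth searching the package for any remaining bare `exec("security"` or `exec("codesign"` to confirm the pinning is complete. `reportError` itself starts and ends outside the hunk.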
@@ -147,7 +147,7 @@ export interface CreateKeychainOptions { } export function removeKeychain(keychainFile: string, printWarn = true): Promise { - return exec("security", ["delete-keychain", keychainFile]).catch((e: any) => { + return exec("/usr/bin/security", ["delete-keychain", keychainFile]).catch((e: any) => { if (printWarn) { log.warn({ file: keychainFile, error: e.stack || e }, "cannot delete keychain") } @@ -193,7 +193,7 @@ export async function createKeychain({ tmpDir, cscLink, cscKeyPassword, cscILink await Promise.all([ // we do not clear downloaded files - will be removed on tmpDir cleanup automatically. not a security issue since in any case data is available as env variables and protected by password. BluebirdPromise.map(certLinks, (link, i) => importCertificate(link, tmpDir, currentDir).then(it => (certPaths[i] = it))), - BluebirdPromise.mapSeries(securityCommands, it => exec("security", it)), + BluebirdPromise.mapSeries(securityCommands, it => exec("/usr/bin/security", it)), ]) return await importCerts(keychainFile, certPaths, [cscKeyPassword, cscIKeyPassword].filter(it => it != null) as Array) } 
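Review bot: In the `createKeychain` hunk (`@@ -193,7 +193,7 @@`), `[cscKeyPassword, cscIKeyPassword].filter(it => it != null)` compacts the password list, while `importCerts` in the following hunk reads `keyPasswords[i]` by certificate index, so a missing password shifts or drops entries. If either certificate can come without a password, the value passed after `-P` and `-k` is then `undefined` or belongs to the other certificate. Keeping the positions aligned, for example `[cscKeyPassword, cscIKeyPassword].map(it => it ?? "")`, or rejecting a missing password before `/usr/bin/security` is called, would make that case explicit. Whether the option types already rule it out is not visible here. `createKeychain` starts outside the hunk.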
@@ -201,11 +201,11 @@ export async function createKeychain({ tmpDir, cscLink, cscKeyPassword, cscILink async function importCerts(keychainFile: string, paths: Array, keyPasswords: Array): Promise { for (let i = 0; i < paths.length; i++) { const password = keyPasswords[i] - await exec("security", ["import", paths[i], "-k", keychainFile, "-T", "/usr/bin/codesign", "-T", "/usr/bin/productbuild", "-P", password]) + await exec("/usr/bin/security", ["import", paths[i], "-k", keychainFile, "-T", "/usr/bin/codesign", "-T", "/usr/bin/productbuild", "-P", password]) // https://stackoverflow.com/questions/39868578/security-codesign-in-sierra-keychain-ignores-access-control-settings-and-ui-p // https://github.com/electron-userland/electron-packager/issues/701#issuecomment-322315996 - await exec("security", ["set-key-partition-list", "-S", "apple-tool:,apple:", "-s", "-k", password, keychainFile]) + await exec("/usr/bin/security", ["set-key-partition-list", "-S", "apple-tool:,apple:", "-s", "-k", password, keychainFile]) } return { @@ -219,7 +219,7 @@ export function sign(path: string, name: string, keychain: string): Promise if (keychain != null) { args.push("--keychain", keychain) } - return exec("codesign", args) + return exec("/usr/bin/codesign", args) } export let findIdentityRawResult: Promise> | null = null @@ -237,7 +237,7 @@ async function getValidIdentities(keychain?: string | null): Promise>([ - exec("security", addKeychain(["find-identity", "-v"])).then(it => + exec("/usr/bin/security", addKeychain(["find-identity", "-v"])).then(it => it .trim() .split("\n") @@ -250,7 +250,7 @@ async function getValidIdentities(keychain?: string | null): Promise it.trim().split("\n")), + exec("/usr/bin/security", addKeychain(["find-identity", "-v", "-p", "codesigning"])).then(it => it.trim().split("\n")), ]).then(it => { const array = it[0] .concat(it[1])
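Review bot: Both calls in the `importCerts` hunk (`@@ -201,11 +201,11 @@`) still put the certificate password on the command line, after `-P` for `import` and after `-k` for `set-key-partition-list`. It is therefore visible in the process list while each call runs, and may end up in any log or error text that `exec` builds from its arguments. Pinning the binary path does not change that. `exec` is defined outside this diff, so confirm that it redacts the values following both `-P` and `-k` before logging or throwing, and consider a comment above the loop such as `// password is passed via argv; exec must redact -P/-k values in logs and errors`. `importCerts` continues past the end of the hunk.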