Comment 1 Karl Mikaelsson 2014-01-15 13:20:51 CET

It doesn't contain a ssh_known_hosts file either - there's not even a etc/ directory somewhere in the bundle.

Comment 2 Henrik Andersson 2015-09-18 11:02:39 CEST

tlclient have __APPLE__ specific implementation that sets tlclient_prefix to application_bundle_path/Contents which means that we just need to ship a config file under as application_bundle/Contents/etc/tlclient.conf.

Comment 4 Henrik Andersson 2015-09-18 13:20:21 CEST

How is signing of the bundle affecting this. If the configuration file is signed a  administrator can't modified the config for a custom application bundle. Can the file be excluded from signing ?

Comment 6 Peter Åstrand 2015-09-18 14:06:44 CEST

(In reply to comment #4)
> How is signing of the bundle affecting this. If the configuration file is
> signed a  administrator can't modified the config for a custom application
> bundle. Can the file be excluded from signing ?

If I remember correctly, you cannot exclude files from signing. So if you customize the app, the signature will be invalid. I'd say that this is expected. Customers could potentially re-sign with their own certificate if they want. However, in this case, it might be necessary to remove the old signature. Here's some information about that:

http://stackoverflow.com/questions/7500381/bug-in-codesign-remove-signature-feature

Comment 7 Henrik Andersson 2015-09-18 15:39:26 CEST

(In reply to comment #4)
> How is signing of the bundle affecting this. If the configuration file is
> signed a  administrator can't modified the config for a custom application
> bundle. Can the file be excluded from signing ?

To make the exception permanent for just the download ThinLinc bundle application, which disables sign verification, one would right click and choose open on context menu and select open anyways.

This way the quarantine attribute on the bundle is changed from
0002:XX:UUID to 0042:XX:UUID which means the exception lives with the bundle.

Comment 8 Henrik Andersson 2015-09-21 09:03:57 CEST

Redo and cleanup special cases MacOSX to fix BINDIR / SYSCONFIR and PREFIX for a cleaner consistent Makefile.

Comment 13 Henrik Andersson 2015-09-22 11:07:40 CEST

Check if we should document this changes in TAG.

Comment 14 Henrik Andersson 2015-09-22 11:16:57 CEST

(In reply to comment #13)
> Check if we should document this changes in TAG.

There is no information in tag about Mac OS X client configurations and we do have bug 4852 to add this.

Comment 18 Karl Mikaelsson 2015-09-28 11:21:20 CEST

 ✓ tlclient reads tlclient.conf from app bundle
 ✓ documentation is now fine

Comment 19 Henrik Andersson 2015-09-30 08:27:01 CEST

Bug is reopened due to the whole point of doing this work is to support preconfiguration of the ThinLinc client. As noted one can't change the bundled config file without breaking the signature and there is no supported way of removing a signature.

The correct way is to install configuration files in the "Application Support", see bug 5659 for more information, folder which introduces a problem were we don't uses a package installer which can create this file.

"If you used custom resource rules because your installation process relies on  changing the bundle, your app will be rejected by Gatekeeper on first launch. These modifications are not permitted. Using an installation package instead of a drag-install will get you through Gatekeeper."

refs: https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG401

Comment 20 Henrik Andersson 2015-09-30 08:27:01 CEST

Bug is reopened due to the whole point of doing this work is to support preconfiguration of the ThinLinc client. As noted one can't change the bundled config file without breaking the signature and there is no supported way of removing a signature.

The correct way is to install configuration files in the "Application Support", see bug 5659 for more information, folder which introduces a problem were we don't uses a package installer which can create this file.

"If you used custom resource rules because your installation process relies on  changing the bundle, your app will be rejected by Gatekeeper on first launch. These modifications are not permitted. Using an installation package instead of a drag-install will get you through Gatekeeper."

refs: https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG401

Comment 21 Henrik Andersson 2015-09-30 08:33:48 CEST

(In reply to comment #20)
> Bug is reopened due to the whole point of doing this work is to support
> preconfiguration of the ThinLinc client. As noted one can't change the bundled
> config file without breaking the signature and there is no supported way of
> removing a signature.
> 

If we implements bug 5659 for supporting preconfigured thinlinc client we have only one problem: We can't distribute the configuration file with the application bundle. However, and administrator could:

 - Distribute ThinLinc application bundle with a configfile and instruction
   where this config file should be stored.

 - Build a package installer using pkgbuild with the ThinLinc application bundle  
   and preconfigured file.

Comment 24 Pierre Ossman 2015-09-30 17:05:33 CEST

Building a package file actually seems doable from the build system. pkg files are just xar archives with a special structure. The only magical thing in them is a binary file that store file metadata for the things that are to be installed. But there is an open source project to generate these files:

http://hogliux.github.io/bomutils/index.html

They even have a complete tutorial on how to make a pkg file here:

http://hogliux.github.io/bomutils/tutorial.html

Comment 25 Pierre Ossman 2019-08-20 16:51:19 CEST

Also see this page for signing packages:

http://users.wfu.edu/cottrell/productsign/productsign_linux.html