macCatalyst build fails the first attempt, requires a second build
author krollin@apple.com <krollin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 2 Aug 2019 18:39:38 +0000 (18:39 +0000)
committer krollin@apple.com <krollin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 2 Aug 2019 18:39:38 +0000 (18:39 +0000)
https://bugs.webkit.org/show_bug.cgi?id=200242
<rdar://problem/53678481>

macCatalyst builds fail the first time with an error like:

    Code Signing Error: The file
    "/Users/tim_cook/Build/Debug-maccatalyst/DerivedSources/WebKit2/WebContent-macCatalyst-no-sandbox.entitlements"
    could not be opened. Verify the value of the
    CODE_SIGN_ENTITLEMENTS build setting for target "WebContent" is
    correct and that the file exists on disk.

This problem is caused by the file referenced by
CODE_SIGN_ENTITLEMENTS changing during the build process. For
macCatalyst builds, we start with the iOS entitlements files and then
tweak them for macCatalyst. When this occurs during a clean build,
Xcode sees the entitlements file being generated and complains about
it. Restarting the build does so with the file already existing, and
so Xcode does not complain about it.

The approach of generating or tweaking entitlement files may have
worked in the past, but the fact is that Xcode doesn't support it.

We had a similar problem with macOS builds. The entitlements files
used to be generated on the fly with scripts like
WebKit/Scripts/process-network-sandbox-entitlements.sh. That process
was reworked to avoid the issue with Xcode not allowing the files to
be generated (see r241135). In short:

o The various process-*-entitlements.sh scripts were consolidated into
  a single process-entitlements file
o CODE_SIGN_ENTITLEMENTS, which contains the name of the entitlements
  file to use, was de-initialized so that Xcode would not try to
  access our generated entitlements file
o CODE_SIGN_INJECT_BASE_ENTITLEMENTS (which injects some base
  entitlements) was set to NO. If it were left set to YES, Xcode would
  create its own entitlements file and use it as if it were specified
  in CODE_SIGN_ENTITLEMENTS
o WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS was updated with an
  "--entitlements <generated_file>" option.
  WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS was then used to initialize
  OTHER_CODE_SIGN_FLAGS. By specifying the entitlements file this way,
  we avoid Xcode complaining about it.

This approach works well for macOS, and so we now also use it to
address the issue with macCatalyst. While we're at it, convert the
rest of the platforms to use the same approach and also generate their
entitlements from the process-entitlements script.

The new process was validated by performing a build with the old
process and the new process, and then comparing the entitlements of
the resulting XPC services to make sure they were the same. Builds
were performed for all platforms, and for Engineering and Production
builds.

Reviewed by Brent Fulgham.

* Configurations/BaseXPCService.xcconfig:
* Configurations/Network-iOS.entitlements: Removed.
* Configurations/Network-macCatalyst.entitlements: Removed.
* Configurations/NetworkService.xcconfig:
* Configurations/PluginService.64.xcconfig:
* Configurations/PluginService.entitlements: Removed.
* Configurations/WebContent-iOS.entitlements: Removed.
* Configurations/WebContent-macCatalyst.entitlements: Removed.
* Configurations/WebContentService.Development.xcconfig:
* Configurations/WebContentService.xcconfig:
* Scripts/copy-webcontent-resources-to-private-headers.sh:
* Scripts/process-entitlements.sh:
* WebKit.xcodeproj/project.pbxproj:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@248164 268f45cc-cd09-0410-ab3c-d52691b4dbfc

14 files changed:
Source/WebKit/ChangeLog
Source/WebKit/Configurations/BaseXPCService.xcconfig
Source/WebKit/Configurations/Network-iOS.entitlements [deleted file]
Source/WebKit/Configurations/Network-macCatalyst.entitlements [deleted file]
Source/WebKit/Configurations/NetworkService.xcconfig
Source/WebKit/Configurations/PluginService.64.xcconfig
Source/WebKit/Configurations/PluginService.entitlements [deleted file]
Source/WebKit/Configurations/WebContent-iOS.entitlements [deleted file]
Source/WebKit/Configurations/WebContent-macCatalyst.entitlements [deleted file]
Source/WebKit/Configurations/WebContentService.Development.xcconfig
Source/WebKit/Configurations/WebContentService.xcconfig
Source/WebKit/Scripts/copy-webcontent-resources-to-private-headers.sh
Source/WebKit/Scripts/process-entitlements.sh
Source/WebKit/WebKit.xcodeproj/project.pbxproj

index 3ab7f97..fa0160b 100644 (file)
@@ -1,3 +1,76 @@
+2019-08-02  Keith Rollin  <krollin@apple.com>
+
+        macCatalyst build fails the first attempt, requires a second build
+        https://bugs.webkit.org/show_bug.cgi?id=200242
+        <rdar://problem/53678481>
+
+        macCatalyst builds fail the first time with an error like:
+
+            Code Signing Error: The file
+            "/Users/tim_cook/Build/Debug-maccatalyst/DerivedSources/WebKit2/WebContent-macCatalyst-no-sandbox.entitlements"
+            could not be opened. Verify the value of the
+            CODE_SIGN_ENTITLEMENTS build setting for target "WebContent" is
+            correct and that the file exists on disk.
+
+        This problem is caused by the file referenced by
+        CODE_SIGN_ENTITLEMENTS changing during the build process. For
+        macCatalyst builds, we start with the iOS entitlements files and then
+        tweak them for macCatalyst. When this occurs during a clean build,
+        Xcode sees the entitlements file being generated and complains about
+        it. Restarting the build does so with the file already existing, and
+        so Xcode does not complain about it.
+
+        The approach of generating or tweaking entitlement files may have
+        worked in the past, but the fact is that Xcode doesn't support it.
+
+        We had a similar problem with macOS builds. The entitlements files
+        used to be generated on the fly with scripts like
+        WebKit/Scripts/process-network-sandbox-entitlements.sh. That process
+        was reworked to avoid the issue with Xcode not allowing the files to
+        be generated (see r241135). In short:
+
+        o The various process-*-entitlements.sh scripts were consolidated into
+          a single process-entitlements file
+        o CODE_SIGN_ENTITLEMENTS, which contains the name of the entitlements
+          file to use, was de-initialized so that Xcode would not try to
+          access our generated entitlements file
+        o CODE_SIGN_INJECT_BASE_ENTITLEMENTS (which injects some base
+          entitlements) was set to NO. If it were left set to YES, Xcode would
+          create its own entitlements file and use it as if it were specified
+          in CODE_SIGN_ENTITLEMENTS
+        o WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS was updated with an
+          "--entitlements <generated_file>" option.
+          WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS was then used to initialize
+          OTHER_CODE_SIGN_FLAGS. By specifying the entitlements file this way,
+          we avoid Xcode complaining about it.
+
+        This approach works well for macOS, and so we now also use it to
+        address the issue with macCatalyst. While we're at it, convert the
+        rest of the platforms to use the same approach and also generate their
+        entitlements from the process-entitlements script.
+
+        The new process was validated by performing a build with the old
+        process and the new process, and then comparing the entitlements of
+        the resulting XPC services to make sure they were the same. Builds
+        were performed for all platforms, and for Engineering and Production
+        builds.
+
+        Reviewed by Brent Fulgham.
+
+        * Configurations/BaseXPCService.xcconfig:
+        * Configurations/Network-iOS.entitlements: Removed.
+        * Configurations/Network-macCatalyst.entitlements: Removed.
+        * Configurations/NetworkService.xcconfig:
+        * Configurations/PluginService.64.xcconfig:
+        * Configurations/PluginService.entitlements: Removed.
+        * Configurations/WebContent-iOS.entitlements: Removed.
+        * Configurations/WebContent-macCatalyst.entitlements: Removed.
+        * Configurations/WebContentService.Development.xcconfig:
+        * Configurations/WebContentService.xcconfig:
+        * Scripts/copy-webcontent-resources-to-private-headers.sh:
+        * Scripts/process-entitlements.sh:
+        * WebKit.xcodeproj/project.pbxproj:
+
 2019-08-02  Carlos Garcia Campos  <cgarcia@igalia.com>
 
         Unreviewed. Update OptionsGTK.cmake and NEWS for 2.25.4 release
index 4fa736c..3a5e83b 100644 (file)
@@ -63,23 +63,8 @@ WK_PATH_FROM_SERVICE_EXECUTABLE_TO_FRAMEWORK_SHALLOW_BUNDLE_YES_DEPLOYMENT_YES =
 WK_PATH_FROM_SERVICE_EXECUTABLE_TO_FRAMEWORK_SHALLOW_BUNDLE_NO_DEPLOYMENT_NO = ../../..;
 WK_PATH_FROM_SERVICE_EXECUTABLE_TO_FRAMEWORK_SHALLOW_BUNDLE_YES_DEPLOYMENT_NO = ..;
 
-CODE_SIGN_ENTITLEMENTS = $(CODE_SIGN_ENTITLEMENTS_COCOA_TOUCH_$(WK_IS_COCOA_TOUCH));
-CODE_SIGN_ENTITLEMENTS_COCOA_TOUCH_ = $(CODE_SIGN_ENTITLEMENTS_COCOA_TOUCH_NO);
-CODE_SIGN_ENTITLEMENTS_COCOA_TOUCH_NO = ;
-CODE_SIGN_ENTITLEMENTS_COCOA_TOUCH_YES = $(CODE_SIGN_ENTITLEMENTS_IOS_SKIP_INSTALL_$(SKIP_INSTALL));
-
-CODE_SIGN_ENTITLEMENTS_IOS_SKIP_INSTALL_ = $(CODE_SIGN_ENTITLEMENTS_IOS_SKIP_INSTALL_NO);
-CODE_SIGN_ENTITLEMENTS_IOS_SKIP_INSTALL_NO = $(CODE_SIGN_ENTITLEMENTS_IOS_MANUAL_SANDBOXING_$(WK_MANUAL_SANDBOXING_ENABLED));
-CODE_SIGN_ENTITLEMENTS_IOS_SKIP_INSTALL_YES = ;
-
-CODE_SIGN_ENTITLEMENTS_IOS_MANUAL_SANDBOXING_ = $(CODE_SIGN_ENTITLEMENTS_IOS_MANUAL_SANDBOXING_NO);
-CODE_SIGN_ENTITLEMENTS_IOS_MANUAL_SANDBOXING_NO = Configurations/$(WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE).entitlements;
-CODE_SIGN_ENTITLEMENTS_IOS_MANUAL_SANDBOXING_YES = $(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit2/$(WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE)-no-sandbox.entitlements;
-
-CODE_SIGN_INJECT_BASE_ENTITLEMENTS = $(CODE_SIGN_INJECT_BASE_ENTITLEMENTS_$(WK_IS_COCOA_TOUCH));
-CODE_SIGN_INJECT_BASE_ENTITLEMENTS_ = $(CODE_SIGN_INJECT_BASE_ENTITLEMENTS_NO);
-CODE_SIGN_INJECT_BASE_ENTITLEMENTS_NO = NO;
-CODE_SIGN_INJECT_BASE_ENTITLEMENTS_YES = $(CODE_SIGN_INJECT_BASE_ENTITLEMENTS)
+// We want this to always be NO. If set to YES, Xcode will invoke codesign with an --entitlements parameter that points to the platform's BaseEntitlements.plist. This parameter would override any --entitlements parameter that we establish in WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS, causing our entitlements to be ignored.
+CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO;
 
 WK_PROCESSED_XCENT_FILE=$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).entitlements
 
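Review bot: two cases of the removed CODE_SIGN_ENTITLEMENTS_IOS_* chain have no visible replacement: SKIP_INSTALL=YES selected no entitlements file, and WK_MANUAL_SANDBOXING_ENABLED=YES selected the "-no-sandbox" variant. Nothing in the lines shown for process-entitlements.sh reads either setting, so ios_family_process_webcontent_entitlements and ios_family_process_network_entitlements always add seatbelt-profiles. If dropping both cases is intended, say so in the ChangeLog; otherwise the script needs the corresponding branches.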
@@ -88,9 +73,24 @@ WK_LIBRARY_VALIDATION_ENABLED_ = $(WK_LIBRARY_VALIDATION_ENABLED_NO);
 WK_LIBRARY_VALIDATION_ENABLED_NO = $(WK_LIBRARY_VALIDATION_ENABLED);
 WK_LIBRARY_VALIDATION_ENABLED_YES = YES;
 
-WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS[sdk=macosx*] = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_$(WK_XPC_SERVICE_VARIANT)) --entitlements $(WK_PROCESSED_XCENT_FILE);
-WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_ = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_Normal);
-WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_Normal = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_$(WK_LIBRARY_VALIDATION_ENABLED));
-WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_YES = -o library;
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_$(WK_PLATFORM_NAME));
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_macosx = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_macfamily);
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_maccatalyst = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_macfamily);
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iphoneos = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iosdevicefamily);
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iphonesimulator = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iossimulatorfamily);
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_appletvos = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iosdevicefamily);
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_appletvsimulator = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iossimulatorfamily);
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_watchos = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iosdevicefamily);
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_watchsimulator = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iossimulatorfamily);
+
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_macfamily = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_macfamily_VARIANT_$(WK_XPC_SERVICE_VARIANT)) --entitlements $(WK_PROCESSED_XCENT_FILE);
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_macfamily_VARIANT_ = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_macfamily_Normal);
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_macfamily_VARIANT_Normal = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_macfamily_VARIANT_Normal_VALIDATION_$(WK_LIBRARY_VALIDATION_ENABLED));
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_macfamily_VARIANT_Normal_VALIDATION_YES = -o library;
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iosdevicefamily = --entitlements $(WK_PROCESSED_XCENT_FILE);
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iossimulatorfamily = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iossimulatorfamily_XBS_$(RC_XBS));
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iossimulatorfamily_XBS_ = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iossimulatorfamily_XBS_NO);
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iossimulatorfamily_XBS_NO = --entitlements $(WK_PROCESSED_XCENT_FILE);
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iossimulatorfamily_XBS_YES = ;
 
 OTHER_CODE_SIGN_FLAGS = $(WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS);
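Review bot: the $(WK_PLATFORM_NAME) dispatch has no WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iosmac entry, although process-entitlements.sh still accepts iosmac as a synonym for maccatalyst. Any platform name missing from this list expands to empty flags, and with CODE_SIGN_INJECT_BASE_ENTITLEMENTS = NO the service is then signed with no entitlements and no error. Either add the iosmac line (pointing at _macfamily) or drop iosmac from the script. Also add a one-line comment on _iossimulatorfamily_XBS_YES explaining why it is intentionally empty.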
diff --git a/Source/WebKit/Configurations/Network-iOS.entitlements b/Source/WebKit/Configurations/Network-iOS.entitlements
deleted file mode 100644 (file)
index 53dfd56..0000000
Binary files a/Source/WebKit/Configurations/Network-iOS.entitlements and /dev/null differ
diff --git a/Source/WebKit/Configurations/Network-macCatalyst.entitlements b/Source/WebKit/Configurations/Network-macCatalyst.entitlements
deleted file mode 100644 (file)
index 6025bf3..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-       <key>seatbelt-profiles</key>
-       <array>
-               <string>com.apple.WebKit.Networking</string>
-       </array>
-       <key>com.apple.security.network.client</key>
-       <true/>
-       <key>com.apple.private.network.socket-delegate</key>
-       <true/>
-</dict>
-</plist>
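Review bot: the seatbelt-profiles array (com.apple.WebKit.Networking) in this deleted file is not carried over. maccatalyst_process_network_entitlements in process-entitlements.sh adds only com.apple.private.network.socket-delegate and com.apple.security.network.client. Since this key names the sandbox profile for the service, either add the two "plistbuddy Add :seatbelt-profiles ..." lines to the macCatalyst function, as ios_family_process_network_entitlements does, or note in the ChangeLog why it is no longer needed.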
index 50a4bb2..b4aced2 100644 (file)
 
 #include "BaseXPCService.xcconfig"
 
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE = $(WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_$(WK_PLATFORM_NAME));
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_iphoneos = Network-iOS;
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_iphonesimulator = Network-iOS;
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_watchos = Network-iOS;
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_watchsimulator = Network-iOS;
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_appletvos = Network-iOS;
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_appletvsimulator = Network-iOS;
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_maccatalyst = Network-macCatalyst;
-
 PRODUCT_NAME = com.apple.WebKit.Networking;
 PRODUCT_BUNDLE_IDENTIFIER = $(PRODUCT_NAME);
 INFOPLIST_FILE[sdk=iphone*] = NetworkProcess/EntryPoint/Cocoa/XPCService/NetworkService/Info-iOS.plist;
index c3251ed..e69d901 100644 (file)
@@ -35,7 +35,6 @@ WK_APPKIT_LDFLAGS_macosx = -framework AppKit;
 OTHER_LDFLAGS = $(inherited) $(WK_APPKIT_LDFLAGS) $(OTHER_LDFLAGS_PLATFORM) $(OTHER_LDFLAGS_VERSIONED_FRAMEWORK_PATH) $(WK_RELOCATABLE_FRAMEWORKS_LDFLAGS);
 OTHER_LDFLAGS_PLATFORM[sdk=macosx*] = $(BUILT_PRODUCTS_DIR)/PluginProcessShim.dylib;
 
-CODE_SIGN_ENTITLEMENTS_COCOA_TOUCH_YES = Configurations/PluginService.entitlements;
 WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS[sdk=macosx*] = --entitlements $(WK_PROCESSED_XCENT_FILE);
 
 SKIP_INSTALL[sdk=iphone*] = YES;
diff --git a/Source/WebKit/Configurations/PluginService.entitlements b/Source/WebKit/Configurations/PluginService.entitlements
deleted file mode 100644 (file)
index dde6c0d..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-       <key>com.apple.security.cs.allow-jit</key>
-       <true/>
-    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
-    <true/>
-       <key>com.apple.security.cs.disable-library-validation</key>
-       <true/>
-       <key>com.apple.security.files.user-selected.read-write</key>
-       <true/>
-       <key>com.apple.security.print</key>
-       <true/>
-</dict>
-</plist>
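Review bot: the five keys from this file are now repeated verbatim in maccatalyst_process_plugin_entitlements and ios_family_process_plugin_entitlements. Factor them into one shared function that both call, so that a later change to com.apple.security.cs.disable-library-validation or com.apple.security.cs.allow-unsigned-executable-memory cannot be applied to one platform and missed on the other.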
diff --git a/Source/WebKit/Configurations/WebContent-iOS.entitlements b/Source/WebKit/Configurations/WebContent-iOS.entitlements
deleted file mode 100644 (file)
index 376a97d..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-       <key>com.apple.private.network.socket-delegate</key>
-       <true/>
-       <key>com.apple.private.allow-explicit-graphics-priority</key>
-       <true/>
-       <key>com.apple.private.webinspector.allow-remote-inspection</key>
-       <true/>
-       <key>com.apple.private.webinspector.proxy-application</key>
-       <true/>
-       <key>com.apple.locationd.authorizeapplications</key>
-       <true/>
-       <key>com.apple.locationd.effective_bundle</key>
-       <true/>
-       <key>seatbelt-profiles</key>
-       <array>
-               <string>com.apple.WebKit.WebContent</string>
-       </array>
-       <key>dynamic-codesigning</key>
-       <true/>
-       <key>com.apple.private.coremedia.pidinheritance.allow</key>
-       <true/>
-       <key>com.apple.private.coremedia.extensions.audiorecording.allow</key>
-       <true/>
-       <key>com.apple.tcc.delegated-services</key>
-       <array>
-               <string>kTCCServiceMicrophone</string>
-               <string>kTCCServiceCamera</string>
-       </array>
-       <key>com.apple.private.memorystatus</key>
-       <true/>
-       <key>com.apple.QuartzCore.webkit-end-points</key>
-       <true/>
-       <key>com.apple.QuartzCore.secure-mode</key>
-       <true/>
-</dict>
-</plist>
diff --git a/Source/WebKit/Configurations/WebContent-macCatalyst.entitlements b/Source/WebKit/Configurations/WebContent-macCatalyst.entitlements
deleted file mode 100644 (file)
index 608433e..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-<dict>
-       <key>seatbelt-profiles</key>
-       <array>
-               <string>com.apple.WebKit.WebContent</string>
-       </array>
-       <key>com.apple.security.cs.allow-jit</key>
-       <true/>
-</dict>
-</plist>
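Review bot: same gap as for the Networking service: maccatalyst_process_webcontent_entitlements adds com.apple.security.cs.allow-jit only, so the seatbelt-profiles entry for com.apple.WebKit.WebContent from this file is lost in the generated output. Please confirm this against the signed macCatalyst WebContent service and restore the key if the comparison mentioned in the ChangeLog did not cover it.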
index 99f752a..383bcff 100644 (file)
@@ -29,3 +29,7 @@ SKIP_INSTALL[sdk=macosx*] = $(WK_RELOCATABLE_FRAMEWORKS);
 WK_XPC_SERVICE_VARIANT = Development;
 
 WK_USE_RESTRICTED_ENTITLEMENTS = NO;
+
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_iphoneos = ;
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_appletvos = ;
+WK_LIBRARY_VALIDATION_CODE_SIGN_FLAGS_watchos = ;
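Review bot: these three empty overrides need a comment. They make the Development WebContent service on iphoneos, appletvos and watchos sign with no --entitlements option at all, which matches the "then true" branch for com.apple.WebKit.WebContent.Development in process-entitlements.sh, but neither place says why. It is also not stated why maccatalyst and the simulators keep their flags for the Development variant.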
index 3f764c2..88fc907 100644 (file)
 
 #include "BaseXPCService.xcconfig"
 
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE = $(WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_$(WK_PLATFORM_NAME));
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_iphoneos = WebContent-iOS;
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_iphonesimulator = WebContent-iOS;
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_watchos = WebContent-iOS;
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_watchsimulator = WebContent-iOS;
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_appletvos = WebContent-iOS;
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_appletvsimulator = WebContent-iOS;
-WK_XPC_SERVICE_IOS_ENTITLEMENTS_BASE_maccatalyst = WebContent-macCatalyst;
-
 PRODUCT_NAME = $(PRODUCT_NAME_$(WK_XPC_SERVICE_VARIANT));
 PRODUCT_NAME_ = $(PRODUCT_NAME_Normal);
 PRODUCT_NAME_Normal = com.apple.WebKit.WebContent;
index aa7464a..3a07f90 100755 (executable)
@@ -28,13 +28,8 @@ set -e
 WEB_CONTENT_RESOURCES_PATH="${BUILT_PRODUCTS_DIR}/WebKit.framework/PrivateHeaders/CustomWebContentResources"
 mkdir -p "${WEB_CONTENT_RESOURCES_PATH}"
 
-if [[ ${WK_PLATFORM_NAME} == "macosx" ]]; then
-    ENTITLEMENTS_FILE="${WK_PROCESSED_XCENT_FILE}"
-else
-    ENTITLEMENTS_FILE="${SRCROOT}/Configurations/WebContent-iOS.entitlements"
-fi
-echo "Copying WebContent entitlements from ${ENTITLEMENTS_FILE} to ${WEB_CONTENT_RESOURCES_PATH}/WebContent.entitlements"
-ditto "${ENTITLEMENTS_FILE}" "${WEB_CONTENT_RESOURCES_PATH}/WebContent.entitlements"
+echo "Copying WebContent entitlements from ${WK_PROCESSED_XCENT_FILE} to ${WEB_CONTENT_RESOURCES_PATH}/WebContent.entitlements"
+ditto "${WK_PROCESSED_XCENT_FILE}" "${WEB_CONTENT_RESOURCES_PATH}/WebContent.entitlements"
 
 WEBCONTENT_XIB="${SRCROOT}/Resources/WebContentProcess.xib"
 echo "Copying WebContentProcess.xib from ${WEBCONTENT_XIB} to ${WEB_CONTENT_RESOURCES_PATH}/WebContentProcess.xib"
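Review bot: the ordering dependency introduced by the new ditto source is undocumented. On non-macOS platforms the published WebContent.entitlements used to come from the checked-in WebContent-iOS.entitlements; it now comes from ${WK_PROCESSED_XCENT_FILE}, which BaseXPCService.xcconfig defines per target as $(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).entitlements. This script therefore has to run in the WebContent target and after process-entitlements.sh. Add a comment stating that, and consider an explicit existence check with a clear message before the ditto rather than relying on its failure under set -e.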
index 965f316..d1f0296 100755 (executable)
@@ -1,29 +1,31 @@
 #!/bin/bash
 
-[[ ${WK_PLATFORM_NAME} == macosx ]] || exit 0
-
 function plistbuddy()
 {
     /usr/libexec/PlistBuddy -c "$*" "${WK_PROCESSED_XCENT_FILE}"
 }
 
-function process_webcontent_entitlements()
+# ========================================
+# Mac entitlements
+# ========================================
+
+function mac_process_webcontent_entitlements()
 {
     plistbuddy Add :com.apple.security.cs.allow-jit bool YES
 
-    if [[ ${WK_USE_RESTRICTED_ENTITLEMENTS} == YES ]]
+    if [[ "${WK_USE_RESTRICTED_ENTITLEMENTS}" == YES ]]
     then
         plistbuddy Add :com.apple.rootless.storage.WebKitWebContentSandbox bool YES
     fi
 
-    process_webcontent_or_plugin_entitlements
+    mac_process_webcontent_or_plugin_entitlements
 }
 
-function process_network_entitlements()
+function mac_process_network_entitlements()
 {
-    if [[ ${WK_USE_RESTRICTED_ENTITLEMENTS} == YES ]]
+    if [[ "${WK_USE_RESTRICTED_ENTITLEMENTS}" == YES ]]
     then
-        if (( ${TARGET_MAC_OS_X_VERSION_MAJOR} >= 101500 ))
+        if (( "${TARGET_MAC_OS_X_VERSION_MAJOR}" >= 101500 ))
         then
             plistbuddy Add :com.apple.private.network.socket-delegate bool YES
         fi
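Review bot: plistbuddy() lets a PlistBuddy failure go unnoticed: no caller checks its status, the lines shown contain no set -e, and the script ends in exit 0. With the macosx-only guard removed, every platform's entitlements now come from this script, so a failed Add would produce a service signed with a partial entitlements file and a green build. Make the wrapper fatal, for example by appending "|| exit 1" to the PlistBuddy invocation.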
@@ -32,7 +34,7 @@ function process_network_entitlements()
     fi
 }
 
-function process_plugin_entitlements()
+function mac_process_plugin_entitlements()
 {
     plistbuddy Add :com.apple.security.cs.allow-jit                        bool YES
     plistbuddy Add :com.apple.security.cs.allow-unsigned-executable-memory bool YES
@@ -40,37 +42,145 @@ function process_plugin_entitlements()
     plistbuddy Add :com.apple.security.files.user-selected.read-write      bool YES
     plistbuddy Add :com.apple.security.print                               bool YES
 
-    process_webcontent_or_plugin_entitlements
+    mac_process_webcontent_or_plugin_entitlements
 }
 
-function process_webcontent_or_plugin_entitlements()
+function mac_process_webcontent_or_plugin_entitlements()
 {
-    if [[ ${WK_USE_RESTRICTED_ENTITLEMENTS} == YES ]]
+    if [[ "${WK_USE_RESTRICTED_ENTITLEMENTS}" == YES ]]
     then
-        if (( ${TARGET_MAC_OS_X_VERSION_MAJOR} >= 101400 ))
+        if (( "${TARGET_MAC_OS_X_VERSION_MAJOR}" >= 101400 ))
         then
             plistbuddy Add :com.apple.tcc.delegated-services array
-            plistbuddy Add :com.apple.tcc.delegated-services:0 string kTCCServiceCamera
             plistbuddy Add :com.apple.tcc.delegated-services:1 string kTCCServiceMicrophone
+            plistbuddy Add :com.apple.tcc.delegated-services:0 string kTCCServiceCamera
         fi
 
-        if [[ ${WK_WEBCONTENT_SERVICE_NEEDS_XPC_DOMAIN_EXTENSION_ENTITLEMENT} == YES ]]
+        if [[ "${WK_WEBCONTENT_SERVICE_NEEDS_XPC_DOMAIN_EXTENSION_ENTITLEMENT}" == YES ]]
         then
             plistbuddy Add :com.apple.private.xpc.domain-extension bool YES
         fi
     fi
 
-    if [[ ${WK_XPC_SERVICE_VARIANT} == Development ]]
+    if [[ "${WK_XPC_SERVICE_VARIANT}" == Development ]]
     then
         plistbuddy Add :com.apple.security.cs.disable-library-validation bool YES
     fi
 }
 
+# ========================================
+# macCatalyst entitlements
+# ========================================
+
+function maccatalyst_process_webcontent_entitlements()
+{
+    plistbuddy Add :com.apple.security.cs.allow-jit bool YES
+}
+
+function maccatalyst_process_network_entitlements()
+{
+    plistbuddy Add :com.apple.private.network.socket-delegate bool YES
+    plistbuddy Add :com.apple.security.network.client bool YES
+}
+
+function maccatalyst_process_plugin_entitlements()
+{
+    plistbuddy Add :com.apple.security.cs.allow-jit                        bool YES
+    plistbuddy Add :com.apple.security.cs.allow-unsigned-executable-memory bool YES
+    plistbuddy Add :com.apple.security.cs.disable-library-validation       bool YES
+    plistbuddy Add :com.apple.security.files.user-selected.read-write      bool YES
+    plistbuddy Add :com.apple.security.print                               bool YES
+}
+
+
+# ========================================
+# iOS Family entitlements
+# ========================================
+
+function ios_family_process_webcontent_entitlements()
+{
+    plistbuddy Add :com.apple.QuartzCore.secure-mode bool YES
+    plistbuddy Add :com.apple.QuartzCore.webkit-end-points bool YES
+    plistbuddy Add :com.apple.locationd.authorizeapplications bool YES
+    plistbuddy Add :com.apple.locationd.effective_bundle bool YES
+    plistbuddy Add :com.apple.private.allow-explicit-graphics-priority bool YES
+    plistbuddy Add :com.apple.private.coremedia.extensions.audiorecording.allow bool YES
+    plistbuddy Add :com.apple.private.coremedia.pidinheritance.allow bool YES
+    plistbuddy Add :com.apple.private.memorystatus bool YES
+    plistbuddy Add :com.apple.private.network.socket-delegate bool YES
+    plistbuddy Add :com.apple.private.webinspector.allow-remote-inspection bool YES
+    plistbuddy Add :com.apple.private.webinspector.proxy-application bool YES
+    plistbuddy Add :dynamic-codesigning bool YES
+
+    plistbuddy Add :com.apple.tcc.delegated-services array
+    plistbuddy Add :com.apple.tcc.delegated-services:0 string kTCCServiceCamera
+    plistbuddy Add :com.apple.tcc.delegated-services:1 string kTCCServiceMicrophone
+
+    plistbuddy Add :seatbelt-profiles array
+    plistbuddy Add :seatbelt-profiles:0 string com.apple.WebKit.WebContent
+}
+
+function ios_family_process_network_entitlements()
+{
+    plistbuddy Add :com.apple.multitasking.systemappassertions bool YES
+    plistbuddy Add :com.apple.payment.all-access bool YES
+    plistbuddy Add :com.apple.private.accounts.bundleidspoofing bool YES
+    plistbuddy Add :com.apple.private.dmd.policy bool YES
+    plistbuddy Add :com.apple.private.memorystatus bool YES
+    plistbuddy Add :com.apple.private.network.socket-delegate bool YES
+
+    plistbuddy Add :seatbelt-profiles array
+    plistbuddy Add :seatbelt-profiles:0 string com.apple.WebKit.Networking
+}
+
+function ios_family_process_plugin_entitlements()
+{
+    plistbuddy Add :com.apple.security.cs.allow-jit                        bool YES
+    plistbuddy Add :com.apple.security.cs.allow-unsigned-executable-memory bool YES
+    plistbuddy Add :com.apple.security.cs.disable-library-validation       bool YES
+    plistbuddy Add :com.apple.security.files.user-selected.read-write      bool YES
+    plistbuddy Add :com.apple.security.print                               bool YES
+}
+
+
 rm -f "${WK_PROCESSED_XCENT_FILE}"
-[[ ${RC_XBS} == "YES" ]] || plistbuddy Add :com.apple.security.get-task-allow bool YES
+plistbuddy Clear dict
 
-[[ ${PRODUCT_NAME} =~ com.apple.WebKit.WebContent(.Development)? ]] && process_webcontent_entitlements
-[[ ${PRODUCT_NAME} == com.apple.WebKit.Networking ]] && process_network_entitlements
-[[ ${PRODUCT_NAME} == com.apple.WebKit.Plugin.64 ]] && process_plugin_entitlements
+if [[ "${WK_PLATFORM_NAME}" =~ .*simulator ]]
+then
+    [[ "${RC_XBS}" != YES ]] && plistbuddy Add :com.apple.security.get-task-allow bool YES
+elif [[ "${WK_PLATFORM_NAME}" == macosx ]]
+then
+    [[ "${RC_XBS}" != YES ]] && plistbuddy Add :com.apple.security.get-task-allow bool YES
+
+    if [[ "${PRODUCT_NAME}" == com.apple.WebKit.WebContent.Development ]]; then mac_process_webcontent_entitlements
+    elif [[ "${PRODUCT_NAME}" == com.apple.WebKit.WebContent ]]; then mac_process_webcontent_entitlements
+    elif [[ "${PRODUCT_NAME}" == com.apple.WebKit.Networking ]]; then mac_process_network_entitlements
+    elif [[ "${PRODUCT_NAME}" == com.apple.WebKit.Plugin.64 ]]; then mac_process_plugin_entitlements
+    else echo "Unsupported/unknown product: ${PRODUCT_NAME}"
+    fi
+elif [[ "${WK_PLATFORM_NAME}" == maccatalyst || "${WK_PLATFORM_NAME}" == iosmac ]]
+then
+    [[ "${RC_XBS}" != YES && ( "${PRODUCT_NAME}" == com.apple.WebKit.WebContent.Development || "${PRODUCT_NAME}" == com.apple.WebKit.Plugin.64 ) ]] && plistbuddy Add :com.apple.security.get-task-allow bool YES
+
+    if [[ "${PRODUCT_NAME}" == com.apple.WebKit.WebContent.Development ]]; then maccatalyst_process_webcontent_entitlements
+    elif [[ "${PRODUCT_NAME}" == com.apple.WebKit.WebContent ]]; then maccatalyst_process_webcontent_entitlements
+    elif [[ "${PRODUCT_NAME}" == com.apple.WebKit.Networking ]]; then maccatalyst_process_network_entitlements
+    elif [[ "${PRODUCT_NAME}" == com.apple.WebKit.Plugin.64 ]]; then maccatalyst_process_plugin_entitlements
+    else echo "Unsupported/unknown product: ${PRODUCT_NAME}"
+    fi
+elif [[ "${WK_PLATFORM_NAME}" == iphoneos ||
+        "${WK_PLATFORM_NAME}" == appletvos ||
+        "${WK_PLATFORM_NAME}" == watchos ]]
+then
+    if [[ "${PRODUCT_NAME}" == com.apple.WebKit.WebContent.Development ]]; then true
+    elif [[ "${PRODUCT_NAME}" == com.apple.WebKit.WebContent ]]; then ios_family_process_webcontent_entitlements
+    elif [[ "${PRODUCT_NAME}" == com.apple.WebKit.Networking ]]; then ios_family_process_network_entitlements
+    elif [[ "${PRODUCT_NAME}" == com.apple.WebKit.Plugin.64 ]]; then ios_family_process_plugin_entitlements
+    else echo "Unsupported/unknown product: ${PRODUCT_NAME}"
+    fi
+else
+    echo "Unsupported/unknown platform: ${WK_PLATFORM_NAME}"
+fi
 
 exit 0
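Review bot: the "Unsupported/unknown product" and "Unsupported/unknown platform" branches only echo and then fall through to exit 0, leaving an entitlements file with none of the service's keys after "plistbuddy Clear dict". Send the message to stderr and exit non-zero so that a new service or platform cannot be signed without its entitlements unnoticed. Separately, in mac_process_webcontent_or_plugin_entitlements the Add for com.apple.tcc.delegated-services:1 now runs before the Add for :0 on a freshly created array; if the reordering is deliberate it needs a comment, otherwise keep index 0 first as ios_family_process_webcontent_entitlements does.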
index db42196..7469da1 100644 (file)
@@ -60,7 +60,6 @@
                        buildConfigurationList = C0CE72891247E68600BC0EC4 /* Build configuration list for PBXAggregateTarget "Derived Sources" */;
                        buildPhases = (
                                C0CE72841247E66800BC0EC4 /* Generate Derived Sources */,
-                               3740E7281B23724A004ADEF1 /* Derive Entitlements for Manual Sandboxing */,
                        );
                        dependencies = (
                        );
                370F34A41829BEA3009027C8 /* WKNavigationDataInternal.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKNavigationDataInternal.h; sourceTree = "<group>"; };
                370F34A61829CFF3009027C8 /* WKBrowsingContextHistoryDelegate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKBrowsingContextHistoryDelegate.h; sourceTree = "<group>"; };
                37119A7C20CCB64E002C6DC9 /* WebKitTargetConditionals.xcconfig */ = {isa = PBXFileReference; lastKnownFileType = text.xcconfig; path = WebKitTargetConditionals.xcconfig; sourceTree = "<group>"; };
-               37119A7D20CCB64E002C6DC9 /* Network-macCatalyst.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "Network-macCatalyst.entitlements"; sourceTree = "<group>"; };
-               37119A7E20CCB64E002C6DC9 /* WebContent-macCatalyst.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "WebContent-macCatalyst.entitlements"; sourceTree = "<group>"; };
                37183D54182F4E700080C811 /* WKNSURLExtras.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = WKNSURLExtras.mm; sourceTree = "<group>"; };
                37183D55182F4E700080C811 /* WKNSURLExtras.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKNSURLExtras.h; sourceTree = "<group>"; };
                371A193F1824D29300F32A5E /* WKNSDictionary.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = WKNSDictionary.mm; sourceTree = "<group>"; };
                532159521DBAE6FC0054AA3C /* NetworkSession.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NetworkSession.cpp; sourceTree = "<group>"; };
                535BCB902069C49C00CCCE02 /* NetworkActivityTracker.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = NetworkActivityTracker.h; sourceTree = "<group>"; };
                535E08CA225460FC00DF00CA /* postprocess-header-rule */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = "postprocess-header-rule"; sourceTree = "<group>"; };
-               536F46D3220D385100126322 /* PluginService.entitlements */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.entitlements; path = PluginService.entitlements; sourceTree = "<group>"; };
                539EB5461DC2EE40009D48CF /* NetworkDataTaskBlob.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = NetworkDataTaskBlob.cpp; sourceTree = "<group>"; };
                539EB5471DC2EE40009D48CF /* NetworkDataTaskBlob.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NetworkDataTaskBlob.h; sourceTree = "<group>"; };
                53B1640F2203715000EC4166 /* process-entitlements.sh */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.script.sh; path = "process-entitlements.sh"; sourceTree = "<group>"; };
                7AFBD36E21E546E3005DBACB /* PersistencyUtils.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = PersistencyUtils.cpp; sourceTree = "<group>"; };
                7C065F291C8CD95F00C2D950 /* WebUserContentControllerDataTypes.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WebUserContentControllerDataTypes.cpp; sourceTree = "<group>"; };
                7C065F2A1C8CD95F00C2D950 /* WebUserContentControllerDataTypes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WebUserContentControllerDataTypes.h; sourceTree = "<group>"; };
-               7C0BB9A818DCDE890006C086 /* WebContent-iOS.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.xml; path = "WebContent-iOS.entitlements"; sourceTree = "<group>"; };
-               7C0BB9A918DCDF5A0006C086 /* Network-iOS.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.xml; path = "Network-iOS.entitlements"; sourceTree = "<group>"; };
                7C135AA6173B0BCA00586AE2 /* WKPluginInformation.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WKPluginInformation.cpp; sourceTree = "<group>"; };
                7C135AA7173B0BCA00586AE2 /* WKPluginInformation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WKPluginInformation.h; sourceTree = "<group>"; };
                7C135AAA173B0CFF00586AE2 /* PluginInformationMac.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = PluginInformationMac.mm; sourceTree = "<group>"; };
                                BCACC40D16B0B7BE00B6E092 /* BaseXPCService.xcconfig */,
                                1A4F976B100E7B6600637A18 /* DebugRelease.xcconfig */,
                                1A4F976C100E7B6600637A18 /* FeatureDefines.xcconfig */,
-                               7C0BB9A918DCDF5A0006C086 /* Network-iOS.entitlements */,
-                               37119A7D20CCB64E002C6DC9 /* Network-macCatalyst.entitlements */,
                                BC8283AB16B4BEAD00A278FE /* NetworkService.xcconfig */,
                                A1EDD2DB1884B96400BBFE98 /* PluginProcessShim.xcconfig */,
                                BC8283F416B4FC5300A278FE /* PluginService.64.xcconfig */,
-                               536F46D3220D385100126322 /* PluginService.entitlements */,
                                37E83D401B37D27B002079EE /* SandboxProfiles.xcconfig */,
                                A1B89B92221E023300EB4CEA /* SDKVariant.xcconfig */,
                                A1EDD2DC1884B9B500BBFE98 /* SecItemShim.xcconfig */,
                                5183B3931379F85C00E8754E /* Shim.xcconfig */,
                                1A4F976E100E7B6600637A18 /* Version.xcconfig */,
-                               7C0BB9A818DCDE890006C086 /* WebContent-iOS.entitlements */,
-                               37119A7E20CCB64E002C6DC9 /* WebContent-macCatalyst.entitlements */,
                                372EBB4A2017E76000085064 /* WebContentService.Development.xcconfig */,
                                BCACC40E16B0B8A800B6E092 /* WebContentService.xcconfig */,
                                BCB86F4B116AAACD00CE20B7 /* WebKit.xcconfig */,
                        shellPath = /bin/sh;
                        shellScript = "if [ \"${ACTION}\" = \"installhdrs\" ] || [ \"${ACTION}\" = \"installapi\" ]; then\n    exit 0;\nfi\n\nif [ -f ../../Tools/Scripts/check-for-inappropriate-objc-class-names ]; then\n    ../../Tools/Scripts/check-for-inappropriate-objc-class-names WK _WK || exit $?\nfi";
                };
-               3740E7281B23724A004ADEF1 /* Derive Entitlements for Manual Sandboxing */ = {
-                       isa = PBXShellScriptBuildPhase;
-                       buildActionMask = 2147483647;
-                       files = (
-                       );
-                       inputPaths = (
-                               "$(SRCROOT)/Configurations/Network-iOS.entitlements",
-                               "$(SRCROOT)/Configurations/WebContent-iOS.entitlements",
-                               "$(SRCROOT)/Configurations/Network-macCatalyst.entitlements",
-                               "$(SRCROOT)/Configurations/WebContent-macCatalyst.entitlements",
-                       );
-                       name = "Derive Entitlements for Manual Sandboxing";
-                       outputPaths = (
-                               "$(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit2/Network-iOS-no-sandbox.entitlements",
-                               "$(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit2/WebContent-iOS-no-sandbox.entitlements",
-                               "$(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit2/Network-macCatalyst-no-sandbox.entitlements",
-                               "$(BUILT_PRODUCTS_DIR)/DerivedSources/WebKit2/WebContent-macCatalyst-no-sandbox.entitlements",
-                       );
-                       runOnlyForDeploymentPostprocessing = 0;
-                       shellPath = /bin/sh;
-                       shellScript = "if [[ \"${WK_MANUAL_SANDBOXING_ENABLED}\" != \"YES\" || \"${WK_PLATFORM_NAME}\" == \"macosx\" ]]; then\n    exit\nfi\n\nif [[ \"${ACTION}\" == \"build\" || \"${ACTION}\" == \"install\" ]]; then\n    for ((i = 0; i < ${SCRIPT_INPUT_FILE_COUNT}; ++i)); do\n        eval ENTITLEMENTS=\\${SCRIPT_INPUT_FILE_${i}}\n        ENTITLEMENTS_BASE=${ENTITLEMENTS##*/}\n        ENTITLEMENTS_BASE=${ENTITLEMENTS_BASE%.entitlements}\n        plutil -remove seatbelt-profiles -o \"${BUILT_PRODUCTS_DIR}/DerivedSources/WebKit2/${ENTITLEMENTS_BASE}-no-sandbox.entitlements\" \"${ENTITLEMENTS}\"\n    done\nfi\n";
-               };
                375A248817E5048E00C9A086 /* Postprocess WKBase.h */ = {
                        isa = PBXShellScriptBuildPhase;
                        buildActionMask = 2147483647;
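Review bot: the deleted "Derive Entitlements for Manual Sandboxing" phase was where `plutil -remove seatbelt-profiles` produced the `-no-sandbox` entitlements when WK_MANUAL_SANDBOXING_ENABLED is YES, and nothing in this hunk shows what takes over that case. Please point to the replacement and add a comment there naming WK_MANUAL_SANDBOXING_ENABLED, so a reader can confirm that the seatbelt-profiles key is still dropped only in the manual-sandboxing configuration and kept in every other one.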
                        isa = PBXShellScriptBuildPhase;
                        buildActionMask = 2147483647;
                        inputPaths = (
-                               "$(TEMP_FILE_DIR)/$(FULL_PRODUCT_NAME).xcent",
+                               "$(WK_PROCESSED_XCENT_FILE)",
                                "$(BUILT_PRODUCTS_DIR)/$(INFOPLIST_PATH)",
-                               "${SRCROOT}/Configurations/WebContent-iOS.entitlements",
                                "$(SRCROOT)/Resources/WebContentProcess.xib",
                        );
                        name = "Copy Custom WebContent Resources to Framework Private Headers";
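Review bot: in `inputPaths`, this phase now tracks entitlements only through `$(WK_PROCESSED_XCENT_FILE)`, with the `WebContent-iOS.entitlements` source input dropped, and the definition of that setting is not part of this hunk. If it is unset for any configuration, the entry expands to an empty path and the phase loses its dependency on the entitlements without any error. Suggest documenting, where the setting is defined, which targets get a value, and having the phase script fail early when the variable is empty.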