1.7.4 Released

.github/workflows/build.yml

@@ -196,7 +196,30 @@ jobs:
           pnpm install
           pnpm add @mihomo-party/sysproxy-darwin-${{ matrix.arch }}
           pnpm prepare --${{ matrix.arch }}
+      - name: Verify Code Signing Certificate
+        env:
+          CSC_LINK: ${{ secrets.CSC_LINK }}
+          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+        run: |
+          echo "验证代码签名证书..."
+          if [ -n "$CSC_LINK" ]; then
+            echo "CSC_LINK 已设置"
+          else
+            echo "警告: CSC_LINK 未设置"
+          fi
+          if [ -n "$CSC_KEY_PASSWORD" ]; then
+            echo "CSC_KEY_PASSWORD 已设置"
+          else
+            echo "警告: CSC_KEY_PASSWORD 未设置"
+          fi
+          
+          echo "可用的代码签名证书:"
+          security find-identity -v -p codesigning
+          
+          echo "可用的安装器签名证书:"
+          security find-identity -v -p basic
       - name: Build
+        timeout-minutes: 60
         env:
           npm_config_arch: ${{ matrix.arch }}
           npm_config_target_arch: ${{ matrix.arch }}
@@ -205,22 +228,92 @@ jobs:
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
           CSC_LINK: ${{ secrets.CSC_LINK }}
           CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+          CSC_NAME: "Prometheus Advertising Corp (489PDK5LP3)"
+          DEBUG: "electron-builder"
+          CSC_IDENTITY_AUTO_DISCOVERY: "false"
         run: |
+          echo "开始构建 macOS 应用..."
+          security list-keychains
+          security find-identity -v -p codesigning
           chmod +x build/pkg-scripts/postinstall
-          pnpm build:mac --${{ matrix.arch }}
+          pnpm build:mac --${{ matrix.arch }} --publish=never
+          
+          echo "验证构建产物签名..."
+          for app in dist/mac*/*.app; do
+            if [ -d "$app" ]; then
+              echo "检查 $app 的签名..."
+              codesign --verify --verbose=2 "$app" || echo "警告: $app 签名验证失败"
+              spctl --assess --verbose --type execute "$app" || echo "警告: $app Gatekeeper 评估失败"
+            fi
+          done
       - name: Setup temporary installer signing keychain
         uses: apple-actions/import-codesign-certs@v3
         with:
           p12-file-base64: ${{ secrets.CSC_INSTALLER_LINK }}
           p12-password: ${{ secrets.CSC_INSTALLER_KEY_PASSWORD }}
       - name: Sign the Apple pkg
+#        if: false  # 临时禁用此步骤
+        timeout-minutes: 30
         run: |
+          echo "设置 notarytool 凭据..."
+          if ! xcrun notarytool store-credentials "NOTARIZE_PROFILE" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD"; then
+            echo "错误: 无法设置 notarytool 凭据"
+            exit 1
+          fi
+          
+          echo "验证凭据设置..."
+          xcrun notarytool list --keychain-profile "NOTARIZE_PROFILE" || true
+          
+          echo "签名和公证 pkg 文件..."
           for pkg_name in $(ls -1 dist/*.pkg); do
             pkg_name=$(ls -1 dist/*.pkg)
+            echo "处理文件: $pkg_name"
+            if [ ! -f "$pkg_name" ]; then
+              echo "错误: 找不到 pkg 文件: $pkg_name"
+              exit 1
+            fi
+            
             mv $pkg_name Unsigned-Workbench.pkg
-            productsign --sign "Developer ID Installer: Prometheus Advertising Corp (489PDK5LP3)" Unsigned-Workbench.pkg $pkg_name
+            
+            echo "使用 productsign 签名..."
+            if ! productsign --sign "Developer ID Installer: Prometheus Advertising Corp (489PDK5LP3)" Unsigned-Workbench.pkg $pkg_name; then
+              echo "错误: productsign 签名失败"
+              exit 1
+            fi
             rm -f Unsigned-Workbench.pkg
-            xcrun notarytool submit $pkg_name --apple-id $APPLE_ID --team-id $APPLE_TEAM_ID --password $APPLE_APP_SPECIFIC_PASSWORD --wait
+            
+            echo "验证签名..."
+            pkgutil --check-signature "$pkg_name" || echo "警告: pkg 签名验证失败"
+            spctl --assess --verbose --type install "$pkg_name" || echo "警告: Gatekeeper 评估失败"
+            
+            echo "提交公证..."
+            submission_id=$(xcrun notarytool submit $pkg_name --keychain-profile "NOTARIZE_PROFILE" --wait --output-format json | jq -r '.id')
+            
+            if [ $? -ne 0 ] || [ "$submission_id" = "null" ]; then
+              echo "错误: notarytool 公证失败"
+              echo "检查最近的公证历史..."
+              xcrun notarytool history --keychain-profile "NOTARIZE_PROFILE" || true
+              exit 1
+            fi
+            
+            echo "公证提交ID: $submission_id"
+            
+            # 获取详细的公证结果
+            echo "获取公证详细信息..."
+            xcrun notarytool info "$submission_id" --keychain-profile "NOTARIZE_PROFILE" || true
+            
+            # 如果公证失败，获取详细日志
+            notarization_status=$(xcrun notarytool info "$submission_id" --keychain-profile "NOTARIZE_PROFILE" --output-format json | jq -r '.status')
+            if [ "$notarization_status" != "Accepted" ]; then
+              echo "公证失败，状态: $notarization_status"
+              echo "获取公证日志..."
+              xcrun notarytool log "$submission_id" --keychain-profile "NOTARIZE_PROFILE" || true
+              exit 1
+            fi
+            
+            echo "公证成功完成!"
+            echo "检查公证状态..."
+            xcrun notarytool history --keychain-profile "NOTARIZE_PROFILE" | head -10 || true
           done
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -270,7 +363,30 @@ jobs:
           pnpm add @mihomo-party/sysproxy-darwin-${{ matrix.arch }}
           pnpm add -D electron@32.2.2
           pnpm prepare --${{ matrix.arch }}
+      - name: Verify Code Signing Certificate
+        env:
+          CSC_LINK: ${{ secrets.CSC_LINK }}
+          CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+        run: |
+          echo "验证代码签名证书..."
+          if [ -n "$CSC_LINK" ]; then
+            echo "CSC_LINK 已设置"
+          else
+            echo "警告: CSC_LINK 未设置"
+          fi
+          if [ -n "$CSC_KEY_PASSWORD" ]; then
+            echo "CSC_KEY_PASSWORD 已设置"
+          else
+            echo "警告: CSC_KEY_PASSWORD 未设置"
+          fi
+          
+          echo "可用的代码签名证书:"
+          security find-identity -v -p codesigning
+          
+          echo "可用的安装器签名证书:"
+          security find-identity -v -p basic
       - name: Build
+        timeout-minutes: 60
         env:
           npm_config_arch: ${{ matrix.arch }}
           npm_config_target_arch: ${{ matrix.arch }}
@@ -279,23 +395,93 @@ jobs:
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
           CSC_LINK: ${{ secrets.CSC_LINK }}
           CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
+          CSC_NAME: "Prometheus Advertising Corp (489PDK5LP3)"
+          DEBUG: "electron-builder"
+          CSC_IDENTITY_AUTO_DISCOVERY: "false"
         run: |
+          echo "开始构建 macOS 10 应用..."
+          security list-keychains
+          security find-identity -v -p codesigning
           sed -i "" -e "s/macos/catalina/" electron-builder.yml
           chmod +x build/pkg-scripts/postinstall
-          pnpm build:mac --${{ matrix.arch }}
+          pnpm build:mac --${{ matrix.arch }} --publish=never
+          
+          echo "验证构建产物签名..."
+          for app in dist/mac*/*.app; do
+            if [ -d "$app" ]; then
+              echo "检查 $app 的签名..."
+              codesign --verify --verbose=2 "$app" || echo "警告: $app 签名验证失败"
+              spctl --assess --verbose --type execute "$app" || echo "警告: $app Gatekeeper 评估失败"
+            fi
+          done
       - name: Setup temporary installer signing keychain
         uses: apple-actions/import-codesign-certs@v3
         with:
           p12-file-base64: ${{ secrets.CSC_INSTALLER_LINK }}
           p12-password: ${{ secrets.CSC_INSTALLER_KEY_PASSWORD }}
       - name: Sign the Apple pkg
+#        if: false  # 临时禁用此步骤
+        timeout-minutes: 30
         run: |
+          echo "设置 notarytool 凭据..."
+          if ! xcrun notarytool store-credentials "NOTARIZE_PROFILE" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_APP_SPECIFIC_PASSWORD"; then
+            echo "错误: 无法设置 notarytool 凭据"
+            exit 1
+          fi
+          
+          echo "验证凭据设置..."
+          xcrun notarytool list --keychain-profile "NOTARIZE_PROFILE" || true
+          
+          echo "签名和公证 pkg 文件..."
           for pkg_name in $(ls -1 dist/*.pkg); do
             pkg_name=$(ls -1 dist/*.pkg)
+            echo "处理文件: $pkg_name"
+            if [ ! -f "$pkg_name" ]; then
+              echo "错误: 找不到 pkg 文件: $pkg_name"
+              exit 1
+            fi
+            
             mv $pkg_name Unsigned-Workbench.pkg
-            productsign --sign "Developer ID Installer: Prometheus Advertising Corp (489PDK5LP3)" Unsigned-Workbench.pkg $pkg_name
+            
+            echo "使用 productsign 签名..."
+            if ! productsign --sign "Developer ID Installer: Prometheus Advertising Corp (489PDK5LP3)" Unsigned-Workbench.pkg $pkg_name; then
+              echo "错误: productsign 签名失败"
+              exit 1
+            fi
             rm -f Unsigned-Workbench.pkg
-            xcrun notarytool submit $pkg_name --apple-id $APPLE_ID --team-id $APPLE_TEAM_ID --password $APPLE_APP_SPECIFIC_PASSWORD --wait
+            
+            echo "验证签名..."
+            pkgutil --check-signature "$pkg_name" || echo "警告: pkg 签名验证失败"
+            spctl --assess --verbose --type install "$pkg_name" || echo "警告: Gatekeeper 评估失败"
+            
+            echo "提交公证..."
+            submission_id=$(xcrun notarytool submit $pkg_name --keychain-profile "NOTARIZE_PROFILE" --wait --output-format json | jq -r '.id')
+            
+            if [ $? -ne 0 ] || [ "$submission_id" = "null" ]; then
+              echo "错误: notarytool 公证失败"
+              echo "检查最近的公证历史..."
+              xcrun notarytool history --keychain-profile "NOTARIZE_PROFILE" || true
+              exit 1
+            fi
+            
+            echo "公证提交ID: $submission_id"
+            
+            # 获取详细的公证结果
+            echo "获取公证详细信息..."
+            xcrun notarytool info "$submission_id" --keychain-profile "NOTARIZE_PROFILE" || true
+            
+            # 如果公证失败，获取详细日志
+            notarization_status=$(xcrun notarytool info "$submission_id" --keychain-profile "NOTARIZE_PROFILE" --output-format json | jq -r '.status')
+            if [ "$notarization_status" != "Accepted" ]; then
+              echo "公证失败，状态: $notarization_status"
+              echo "获取公证日志..."
+              xcrun notarytool log "$submission_id" --keychain-profile "NOTARIZE_PROFILE" || true
+              exit 1
+            fi
+            
+            echo "公证成功完成!"
+            echo "检查公证状态..."
+            xcrun notarytool history --keychain-profile "NOTARIZE_PROFILE" | head -10 || true
           done
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

build/entitlements.mac.child.plist

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+  </dict>
+</plist> 

build/entitlements.mac.plist

@@ -8,5 +8,11 @@
     <true/>
     <key>com.apple.security.cs.allow-dyld-environment-variables</key>
     <true/>
+    <key>com.apple.security.network.client</key>
+    <true/>
+    <key>com.apple.security.network.server</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
   </dict>
 </plist>

build/notarize.js

@@ -0,0 +1,151 @@
+const { execSync } = require('child_process');
+const path = require('path');
+const fs = require('fs');
+
+exports.default = async function(context) {
+  const { electronPlatformName, appOutDir } = context;
+  
+  if (electronPlatformName !== 'darwin') {
+    return;
+  }
+
+  const appName = context.packager.appInfo.productFilename;
+  const appPath = path.join(appOutDir, `${appName}.app`);
+  
+  console.log('开始重新签名 Electron 辅助进程...');
+  
+  // 签名配置
+  const identity = process.env.CSC_NAME || 'Developer ID Application';
+  const entitlementsPath = path.join(__dirname, 'entitlements.mac.plist');
+  const childEntitlementsPath = path.join(__dirname, 'entitlements.mac.child.plist');
+  
+  // 构造完整的证书名称
+  const fullIdentity = identity.includes('Developer ID Application') 
+    ? identity 
+    : `Developer ID Application: ${identity}`;
+  
+  console.log(`使用签名身份: ${fullIdentity}`);
+  
+  // 需要重新签名的框架和二进制文件（使用child entitlements）
+  const frameworksToSign = [
+    'Contents/Frameworks/Electron Framework.framework/Versions/A/Helpers/chrome_crashpad_handler',
+    'Contents/Frameworks/Electron Framework.framework/Versions/A/Electron Framework',
+    'Contents/Frameworks/Electron Framework.framework'
+  ];
+  
+  // Helper应用（使用child entitlements）
+  const helpersToSign = [
+    `Contents/Frameworks/${appName} Helper.app`,
+    `Contents/Frameworks/${appName} Helper (GPU).app`,
+    `Contents/Frameworks/${appName} Helper (Plugin).app`,
+    `Contents/Frameworks/${appName} Helper (Renderer).app`
+  ];
+  
+  // 首先签名框架
+  for (const frameworkPath of frameworksToSign) {
+    const fullPath = path.join(appPath, frameworkPath);
+    
+    if (fs.existsSync(fullPath)) {
+      console.log(`签名框架: ${frameworkPath}`);
+      
+      try {
+        const signCommand = [
+          'codesign',
+          '--sign', `"${fullIdentity}"`,
+          '--force',
+          '--verbose',
+          '--options', 'runtime',
+          '--timestamp',
+          '--entitlements', `"${childEntitlementsPath}"`,
+          `"${fullPath}"`
+        ].join(' ');
+        
+        execSync(signCommand, { stdio: 'inherit' });
+        console.log(`✓ 成功签名: ${frameworkPath}`);
+        
+      } catch (error) {
+        console.error(`✗ 签名失败: ${frameworkPath}`, error.message);
+        throw error;
+      }
+    }
+  }
+  
+  // 然后签名Helper应用
+  for (const helperPath of helpersToSign) {
+    const fullPath = path.join(appPath, helperPath);
+    
+    if (fs.existsSync(fullPath)) {
+      console.log(`签名Helper: ${helperPath}`);
+      
+      try {
+        const signCommand = [
+          'codesign',
+          '--sign', `"${fullIdentity}"`,
+          '--force',
+          '--verbose',
+          '--options', 'runtime',
+          '--timestamp',
+          '--entitlements', `"${childEntitlementsPath}"`,
+          `"${fullPath}"`
+        ].join(' ');
+        
+        execSync(signCommand, { stdio: 'inherit' });
+        console.log(`✓ 成功签名: ${helperPath}`);
+        
+        // 验证签名（不影响构建成功）
+        try {
+          execSync(`codesign --verify --verbose=2 "${fullPath}"`, { stdio: 'inherit' });
+          console.log(`✓ ${helperPath} 签名验证成功`);
+        } catch (verifyError) {
+          console.warn(`⚠️ ${helperPath} 签名验证失败（但不影响构建）:`, verifyError.message);
+        }
+        
+      } catch (error) {
+        console.error(`✗ 签名失败: ${helperPath}`, error.message);
+        throw error;
+      }
+    } else {
+      console.log(`跳过不存在的Helper: ${helperPath}`);
+    }
+  }
+  
+  // 最后重新签名主应用
+  console.log('重新签名主应用...');
+  try {
+    const mainSignCommand = [
+      'codesign',
+      '--sign', `"${fullIdentity}"`,
+      '--force',
+      '--verbose',
+      '--options', 'runtime',
+      '--timestamp',
+      '--entitlements', `"${entitlementsPath}"`,
+      `"${appPath}"`
+    ].join(' ');
+    
+    execSync(mainSignCommand, { stdio: 'inherit' });
+    console.log('✓ 主应用签名成功');
+    
+    // 验证主应用签名（不影响构建成功）
+    console.log('验证主应用签名...');
+    try {
+      execSync(`codesign --verify --verbose=2 "${appPath}"`, { stdio: 'inherit' });
+      console.log('✓ 主应用签名验证成功');
+    } catch (verifyError) {
+      console.warn('⚠️ 主应用签名验证失败（但不影响构建）:', verifyError.message);
+    }
+    
+    try {
+      execSync(`spctl --assess --verbose --type execute "${appPath}"`, { stdio: 'inherit' });
+      console.log('✓ Gatekeeper 评估成功');
+    } catch (gatekeeperError) {
+      console.warn('⚠️ Gatekeeper 评估失败（在CI环境中这是正常的）:', gatekeeperError.message);
+    }
+    
+  } catch (error) {
+    console.error('✗ 主应用签名失败', error.message);
+    throw error;
+  }
+  
+  console.log('所有组件签名完成!');
+}; 

build/pkg-scripts/postinstall

@@ -79,10 +79,6 @@ cat << EOF > "$LAUNCH_DAEMON"
     <true/>
     <key>Program</key>
     <string>${HELPER_PATH}</string>
-    <key>StandardErrorPath</key>
-    <string>/tmp/party.mihomo.helper.err</string>
-    <key>StandardOutPath</key>
-    <string>/tmp/party.mihomo.helper.log</string>
 </dict>
 </plist>
 EOF

changelog.md

@@ -1,3 +1,23 @@
+## 1.7.4
+
+### 新功能 (Feat)
+- Mihomo 内核升级 v1.19.10
+- 改进 socket创建机制，防止 MacOS 下系统代理开启无法找到 socket 文件的问题
+- mihomo-party-helper增加更多日志，以方便调试
+- 改进 MacOS 下签名和公正流程
+- 增加 MacOS 下 plist 权限设置
+- 改进安装流程
+- 
+
+### 修复 (Fix)
+ - 修复mihomo-party-helper本地提权漏洞
+ - 修复 MacOS 下安装失败的问题
+- 移除节点页面的滚动位置记忆，解决页面溢出的问题
+- DNS hosts 设置在 useHosts 不为 true 时也会被错误应用的问题(#742)
+- 当用户在 Profile 设置中修改了更新间隔并保存后，新的间隔时间不会立即生效(#671)
+- 禁止选择器组件选择空值
+- 修复proxy-provider
+
 ## 1.7.3
 **注意：如安装后为英文，请在设置中反复选择几次不同语言以写入配置文件**
 

electron-builder.yml

@@ -1,5 +1,6 @@
 appId: party.mihomo.app
 productName: Mihomo Party
+afterSign: build/notarize.js
 directories:
   buildResources: build
 files:
@@ -39,12 +40,15 @@ mac:
   target:
     - pkg
   entitlementsInherit: build/entitlements.mac.plist
+  entitlements: build/entitlements.mac.plist
+  hardenedRuntime: true
+  gatekeeperAssess: false
   extendInfo:
     - NSCameraUsageDescription: Application requests access to the device's camera.
     - NSMicrophoneUsageDescription: Application requests access to the device's microphone.
     - NSDocumentsFolderUsageDescription: Application requests access to the user's Documents folder.
     - NSDownloadsFolderUsageDescription: Application requests access to the user's Downloads folder.
-  notarize: true
+  notarize: false
   artifactName: ${name}-macos-${version}-${arch}.${ext}
 pkg:
   allowAnywhere: false

package.json

@@ -1,6 +1,6 @@
 {
   "name": "mihomo-party",
-  "version": "1.7.3",
+  "version": "1.7.4",
   "description": "Mihomo Party",
   "main": "./out/main/index.js",
   "author": "mihomo-party-org",