Incorrect permissions in macOS export bundle blocks upload to App Store

[lostminds]

Godot version

4.1.beta2

System information

macOS 13.3.1

Issue description

Trying out macOS export in the new 4.1 beta I've run into a new issue. While the previous issues (see #74154 and #73876) now seems to be handles correctly, which makes the process much smoother for generating a macOS .pck for upload to the App Store, unfortunately a new error has cropped up in validation when uploading the package via Transporter:

Asset validation failed (90255)
The installer package includes files that are only readable by the root user. This will prevent verification of the application's code signature when your app is run. Ensure that non-root users can read the files in your app. (ID: 8a1239bb-7ef7-4350-8ba4-9beb5d9e12b2)

It seems this is caused by some files in the bundle not having read permission for everyone, and inspecting the bundle for example the Resources .pck, icon, PkgInfo and even info.plist are all set to no access for the everyone group, with only Read and Write access for my user. This seems to be a regression since app bundles exported by previous versions of Godot 4.x to not have this issue.

However, trying to change the permissions of these files in the bundle and then manually signing and creating the pkg doesn't seem to solve the problem, so it may be that the incorrect permissions on these files aren't the issue, just another symptom of some underlying issue that is setting incorrect permissions files in macOS exports. Or I'm for some reason not finding all the files with these issues.

Steps to reproduce

Reproducing the entire process of signing and packaging up an application to upload it to the Apple App Store via Transporter is complex and requires a bit of work. However, if I'm correct that this is an issue at the core with the basic permissions of files in exported macOS app bundles all you need to do is export any project, like the simple MRP below with a basic macOS export prepared.

• Open the reproduction project and export it using the macOS preset defined.
• Inspect the exported test.app bundle and observe that multiple files in there have permissions no access set for everyone.

Minimal reproduction project

MacExportPermissionsTest.zip

[bruvzg]

Seems like regression from #75074.

Apparently, mkstemp default to 0600 instead of usual 0666 used by fopen.

POSIX.1-2008 adds a requirement that the file be created with mode 0600.

[lostminds]

I did some more testing and was now able to fix it. Using chmod -r to recursively change the permissions on all files in the bundle to all be 755 (rwxr-xr-x) which seems to be the expected permissions based on what I could see in other app bundles. I was then able to sign, package and upload the pkg via Transporter without further issues. So the permissions were definitely the cause asset validation failure in Transporter.

[adamscott]

I wonder if #78347 fixed this issue correctly, as the fix seems to change the permissions to 755, but that's not what #78347 seemed to do.