Skip to content

Commit

Permalink
fix(release): MacOS DMG app code-sign Apple Silicon entitlements
Browse files Browse the repository at this point in the history
  • Loading branch information
danielweck committed Jun 24, 2024
1 parent 42885d6 commit e87dfe2
Show file tree
Hide file tree
Showing 3 changed files with 78 additions and 18 deletions.
2 changes: 1 addition & 1 deletion build/entitlements.mac.plist
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<key>com.apple.security.cs.allow-jit</key>
<true/>
</dict>
</plist>
92 changes: 76 additions & 16 deletions build/entitlements.mac.txt
Original file line number Diff line number Diff line change
@@ -1,24 +1,84 @@
syspolicy_check distribution "dist/mac/Ace by DAISY.app"

spctl -a -vvv -t open --context context:primary-signature "dist/mac/Ace by DAISY-1.3.2.dmg"
spctl -a -vvv -t install "dist/mac/Ace by DAISY-1.3.2.dmg"

codesign -dv --verbose=4 "dist/mac/Ace by DAISY-1.3.2.dmg"
codesign -dv --verbose=4 "dist/mac/Ace by DAISY.app"

<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.microphone</key>
<true/>

<key>com.apple.security.network.server</key>
<true/>
<key>com.apple.security.network.client</key>

<key>com.apple.security.files.user-selected.read-write</key>
<true/>

<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>

<key>com.apple.security.device.microphone</key>
<true/>

https://developer.apple.com/documentation/security/hardened_runtime

Runtime Exceptions

Allow Execution of JIT-compiled Code Entitlement
A Boolean value that indicates whether the app may create writable and executable memory using the MAP_JIT flag.
Key: com.apple.security.cs.allow-jit

Allow Unsigned Executable Memory Entitlement
A Boolean value that indicates whether the app may create writable and executable memory without the restrictions imposed by using the MAP_JIT flag.
Key: com.apple.security.cs.allow-unsigned-executable-memory

Allow DYLD Environment Variables Entitlement
A Boolean value that indicates whether the app may be affected by dynamic linker environment variables, which you can use to inject code into your app’s process.
Key: com.apple.security.cs.allow-dyld-environment-variables

Disable Library Validation Entitlement
A Boolean value that indicates whether the app loads arbitrary plug-ins or frameworks, without requiring code signing.
Key: com.apple.security.cs.disable-library-validation

Disable Executable Memory Protection Entitlement
A Boolean value that indicates whether to disable all code signing protections while launching an app, and during its execution.
Key: com.apple.security.cs.disable-executable-page-protection

Debugging Tool Entitlement
A Boolean value that indicates whether the app is a debugger and may attach to other processes or get task ports.
Key: com.apple.security.cs.debugger

Resource Access

Audio Input Entitlement
A Boolean value that indicates whether the app may record audio using the built-in microphone and access audio input using Core Audio.
Key: com.apple.security.device.audio-input

Camera Entitlement
A Boolean value that indicates whether the app may interact with the built-in and external cameras, and capture movies and still images.
Key: com.apple.security.device.camera

Location Entitlement
A Boolean value that indicates whether the app may access location information from Location Services.
Key: com.apple.security.personal-information.location

Address Book Entitlement

A Boolean value that indicates whether the app may have read-write access to contacts in the user's address book.
Key: com.apple.security.personal-information.addressbook

Calendars Entitlement

A Boolean value that indicates whether the app may have read-write access to the user's calendar.
Key: com.apple.security.personal-information.calendars

Photos Library Entitlement

A Boolean value that indicates whether the app has read-write access to the user's Photos library.
Key: com.apple.security.personal-information.photos-library

Apple Events Entitlement

A Boolean value that indicates whether the app may prompt the user for permission to send Apple events to other apps.
Key: com.apple.security.automation.apple-events
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@
},
"afterSign": "build/notarize.js",
"dmg": {
"sign": false,
"sign": true,
"contents": [
{
"x": 410,
Expand Down

0 comments on commit e87dfe2

Please sign in to comment.