From e87dfe253870335a5b6ef75b9284cc1d58ece4ff Mon Sep 17 00:00:00 2001
From: Daniel Weck
Date: Mon, 24 Jun 2024 17:42:58 +0100
Subject: [PATCH] fix(release): MacOS DMG app code-sign Apple Silicon entitlements
---
 build/entitlements.mac.plist | 2 +-
 build/entitlements.mac.txt | 92 +++++++++++++++++++++++++++++-------
 package.json | 2 +-
 3 files changed, 78 insertions(+), 18 deletions(-)
diff --git a/build/entitlements.mac.plist b/build/entitlements.mac.plist
index d6b93bc..446fe17 100644
--- a/build/entitlements.mac.plist
+++ b/build/entitlements.mac.plist
@@ -2,7 +2,7 @@
- com.apple.security.cs.allow-unsigned-executable-memory
+ com.apple.security.cs.allow-jit
diff --git a/build/entitlements.mac.txt b/build/entitlements.mac.txt
index 12c9c64..85819ca 100644
--- a/build/entitlements.mac.txt
+++ b/build/entitlements.mac.txt
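Review bot: The swap in entitlements.mac.plist from com.apple.security.cs.allow-unsigned-executable-memory to com.apple.security.cs.allow-jit narrows the hardened-runtime exception to MAP_JIT-mapped pages, which is the tighter of the two W^X relaxations, but the hunk shows only the key lines and the rest of the plist is outside it, so it is worth confirming that no other exception (for instance the disable-library-validation or allow-dyld-environment-variables keys that the accompanying notes file lists) is still granted alongside it. Whether an Intel build of the same app still needs the broader exception cannot be determined from the hunk, so the signed artefact should be launch-tested on both architectures. A one-line plist comment would record the intent for future maintainers: `<!-- allow-jit only: V8 needs MAP_JIT on Apple Silicon; the broader allow-unsigned-executable-memory exception was dropped deliberately -->`.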
@@ -1,24 +1,84 @@ +syspolicy_check distribution "dist/mac/Ace by DAISY.app" + +spctl -a -vvv -t open --context context:primary-signature "dist/mac/Ace by DAISY-1.3.2.dmg" +spctl -a -vvv -t install "dist/mac/Ace by DAISY-1.3.2.dmg" + +codesign -dv --verbose=4 "dist/mac/Ace by DAISY-1.3.2.dmg" +codesign -dv --verbose=4 "dist/mac/Ace by DAISY.app" + com.apple.security.network.client -com.apple.security.files.user-selected.read-write - -com.apple.security.cs.allow-jit - -com.apple.security.cs.allow-dyld-environment-variables - -com.apple.security.cs.disable-library-validation - -com.apple.security.device.camera - -com.apple.security.device.audio-input - -com.apple.security.device.microphone - + com.apple.security.network.server -com.apple.security.network.client + +com.apple.security.files.user-selected.read-write + com.apple.security.files.user-selected.read-only -com.apple.security.files.user-selected.read-write + +com.apple.security.device.microphone + +https://developer.apple.com/documentation/security/hardened_runtime + +Runtime Exceptions + +Allow Execution of JIT-compiled Code Entitlement +A Boolean value that indicates whether the app may create writable and executable memory using the MAP_JIT flag. +Key: com.apple.security.cs.allow-jit + +Allow Unsigned Executable Memory Entitlement +A Boolean value that indicates whether the app may create writable and executable memory without the restrictions imposed by using the MAP_JIT flag. +Key: com.apple.security.cs.allow-unsigned-executable-memory + +Allow DYLD Environment Variables Entitlement +A Boolean value that indicates whether the app may be affected by dynamic linker environment variables, which you can use to inject code into your app’s process. +Key: com.apple.security.cs.allow-dyld-environment-variables + +Disable Library Validation Entitlement +A Boolean value that indicates whether the app loads arbitrary plug-ins or frameworks, without requiring code signing. 
+Key: com.apple.security.cs.disable-library-validation + +Disable Executable Memory Protection Entitlement +A Boolean value that indicates whether to disable all code signing protections while launching an app, and during its execution. +Key: com.apple.security.cs.disable-executable-page-protection + +Debugging Tool Entitlement +A Boolean value that indicates whether the app is a debugger and may attach to other processes or get task ports. +Key: com.apple.security.cs.debugger + +Resource Access + +Audio Input Entitlement +A Boolean value that indicates whether the app may record audio using the built-in microphone and access audio input using Core Audio. +Key: com.apple.security.device.audio-input + +Camera Entitlement +A Boolean value that indicates whether the app may interact with the built-in and external cameras, and capture movies and still images. +Key: com.apple.security.device.camera + +Location Entitlement +A Boolean value that indicates whether the app may access location information from Location Services. +Key: com.apple.security.personal-information.location + +Address Book Entitlement + +A Boolean value that indicates whether the app may have read-write access to contacts in the user's address book. +Key: com.apple.security.personal-information.addressbook + +Calendars Entitlement + +A Boolean value that indicates whether the app may have read-write access to the user's calendar. +Key: com.apple.security.personal-information.calendars + +Photos Library Entitlement + +A Boolean value that indicates whether the app has read-write access to the user's Photos library. +Key: com.apple.security.personal-information.photos-library + +Apple Events Entitlement + +A Boolean value that indicates whether the app may prompt the user for permission to send Apple events to other apps. +Key: com.apple.security.automation.apple-events diff --git a/package.json b/package.json index a4a8356..cf569a5 100755 --- a/package.json +++ b/package.json 
@@ -42,7 +42,7 @@
 },
 "afterSign": "build/notarize.js",
 "dmg": {
- "sign": false,
+ "sign": true,
 "contents": [
 {
 "x": 410,
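Review bot: `"sign": true` in the dmg block only controls code-signing of the disk image; the `afterSign` hook `build/notarize.js` on the line above runs before the DMG is assembled, so unless that script (not visible here) also submits the DMG, the image ends up signed but not notarized or stapled, and a Gatekeeper assessment of the DMG itself may still be refused on a fresh machine. The `spctl -a -t install` and `codesign -dv` checks that this commit adds to build/entitlements.mac.txt are the right place to confirm that, and they should be run against the DMG, not just the .app. If electron-builder silently falls back to an unsigned image when no signing identity is configured in the CI environment, that fallback should be turned into a hard build failure so an unsigned DMG can never ship by accident. package.json cannot carry a comment, so the rationale for the flag belongs in the release notes or the entitlements notes file.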