chore: add jit entitlements for macos signing (#16)

captainsafia · web-flow · commit 0fe06f152e7c · 2025-12-20T20:56:41.000-08:00
diff --git a/.github/workflows/assets/entitlements.plist b/.github/workflows/assets/entitlements.plist
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+</dict>
+</plist>
diff --git a/.github/workflows/pr-publish.yml b/.github/workflows/pr-publish.yml
@@ -107,9 +107,9 @@ jobs:
           IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F'"' '{print $2}')
           echo "Signing with identity: $IDENTITY"
 
-          # Sign both binaries
-          codesign --force --options runtime --timestamp --sign "$IDENTITY" grove-darwin-x64
-          codesign --force --options runtime --timestamp --sign "$IDENTITY" grove-darwin-arm64
+          # Sign both binaries with JIT entitlements
+          codesign --force --options runtime --timestamp --entitlements .github/workflows/assets/entitlements.plist --sign "$IDENTITY" grove-darwin-x64
+          codesign --force --options runtime --timestamp --entitlements .github/workflows/assets/entitlements.plist --sign "$IDENTITY" grove-darwin-arm64
 
           # Verify signatures
           codesign --verify --verbose grove-darwin-x64
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -120,9 +120,9 @@ jobs:
           IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F'"' '{print $2}')
           echo "Signing with identity: $IDENTITY"
 
-          # Sign both binaries
-          codesign --force --options runtime --timestamp --sign "$IDENTITY" grove-darwin-x64
-          codesign --force --options runtime --timestamp --sign "$IDENTITY" grove-darwin-arm64
+          # Sign both binaries with JIT entitlements
+          codesign --force --options runtime --timestamp --entitlements .github/workflows/assets/entitlements.plist --sign "$IDENTITY" grove-darwin-x64
+          codesign --force --options runtime --timestamp --entitlements .github/workflows/assets/entitlements.plist --sign "$IDENTITY" grove-darwin-arm64
 
           # Verify signatures
           codesign --verify --verbose grove-darwin-x64
