From 97331ce7bd0bd65891ddb25984ebf28ee59c888b Mon Sep 17 00:00:00 2001
From: Philipp Wolfer
Date: Tue, 5 Nov 2019 12:25:16 +0100
Subject: [PATCH] PICARD-1653: Enable macOS "Hardened Runtime"

---
 scripts/package/entitlements.plist | 6 ++++++
 scripts/package/package-osx.sh | 5 ++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 scripts/package/entitlements.plist

diff --git a/scripts/package/entitlements.plist b/scripts/package/entitlements.plist
new file mode 100644
index 000000000..8556f5e2b
--- /dev/null
+++ b/scripts/package/entitlements.plist
@@ -0,0 +1,6 @@
+
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+
+
diff --git a/scripts/package/package-osx.sh b/scripts/package/package-osx.sh
index 93aa83342..3dbd568cc 100755
--- a/scripts/package/package-osx.sh
+++ b/scripts/package/package-osx.sh
@@ -42,7 +42,10 @@ cd dist
 ditto -rsrc --arch x86_64 'MusicBrainz Picard.app' 'MusicBrainz Picard.tmp'
 rm -r 'MusicBrainz Picard.app'
 mv 'MusicBrainz Picard.tmp' 'MusicBrainz Picard.app'
-[ "$CODESIGN" = '1' ] && codesign --keychain $KEYCHAIN_PATH --verify --verbose --deep --sign "$CERTIFICATE_NAME" 'MusicBrainz Picard.app'
+[ "$CODESIGN" = '1' ] && codesign --verify --verbose --deep \
+ --options runtime --entitlements scripts/package/entitlements.plist \
+ --keychain $KEYCHAIN_PATH --sign "$CERTIFICATE_NAME" \
+ "MusicBrainz Picard.app"
 
 # Verify Picard executable works and required dependencies are bundled
 VERSIONS=$("MusicBrainz Picard.app/Contents/MacOS/picard-run" --long-version)
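Review bot: The only entitlement in this new file, `com.apple.security.cs.allow-unsigned-executable-memory`, switches off a hardened-runtime protection for the whole signed bundle, and neither the file nor the commit message records which component needs it. Add an XML comment above the key naming that component (presumably something in the bundled Python runtime such as ctypes/libffi — confirm) so a later maintainer can tell when the exception can be dropped, e.g. `<!-- Required by: <component> ; remove once it runs without unsigned executable memory -->`. The rendered hunk has its XML tags stripped, so the plist/dict/key/true structure cannot be checked from here.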
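Review bot: The new `--entitlements scripts/package/entitlements.plist` argument is a path relative to the current directory, but the hunk header shows the script has run `cd dist` above this hunk and the surrounding lines address the bundle relative to that directory, so unless the script changes directory again (not visible here) codesign will not find the file and signing will fail. Resolve the path before the `cd dist` (outside this hunk), e.g. `ENTITLEMENTS="$(cd "$(dirname "$0")" && pwd)/entitlements.plist"`, and pass `--entitlements "$ENTITLEMENTS"`. While the line is being rewritten, `$KEYCHAIN_PATH` should also be quoted: `--keychain "$KEYCHAIN_PATH"`. Note also that `--deep` combined with `--options runtime` applies the same hardened-runtime flags and this entitlement to every nested binary in the bundle; Apple recommends signing nested code individually, so if `--deep` is kept deliberately a comment on this line saying why would help.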