Add app entitlements for macOS

open-ephys · Feb 4, 2025 · 26f04c2 · 26f04c2
1 parent 10a19bc
commit 26f04c2
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 4 deletions.
diff --git a/.github/workflows/osx.yml b/.github/workflows/osx.yml
@@ -62,9 +62,9 @@ jobs:
         security unlock-keychain -p $MACOS_CI_KEYCHAIN_PWD build.keychain
         security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
         security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CI_KEYCHAIN_PWD build.keychain
-        /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" -v open-ephys/Open\ Ephys\ GUI.app --deep --strict --timestamp --options=runtime
+        /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" -v open-ephys/Open\ Ephys\ GUI.app --deep --strict --timestamp --options=runtime --entitlements ../../Resources/Build-files/entitlements.plist
 
-        /usr/bin/codesign -dv --verbose=4 open-ephys/Open\ Ephys\ GUI.app
+        /usr/bin/codesign -dv --verbose=4 --entitlements - open-ephys/Open\ Ephys\ GUI.app
 
         # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
 
@@ -124,9 +124,9 @@ jobs:
         security unlock-keychain -p $MACOS_CI_KEYCHAIN_PWD build.keychain
         security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
         security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CI_KEYCHAIN_PWD build.keychain
-        /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" -v open-ephys/Open\ Ephys\ GUI.app --deep --strict --timestamp --options=runtime
+        /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" -v open-ephys/Open\ Ephys\ GUI.app --deep --strict --timestamp --options=runtime --entitlements ../../Resources/Build-files/entitlements.plist
 
-        /usr/bin/codesign -dv --verbose=4 open-ephys/Open\ Ephys\ GUI.app
+        /usr/bin/codesign -dv --verbose=4 --entitlements - open-ephys/Open\ Ephys\ GUI.app
 
         # Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
 

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -302,6 +302,7 @@ endif()
 		XCODE_ATTRIBUTE_CLANG_LINK_OBJC_RUNTIME NO
 		XCODE_ATTRIBUTE_PRODUCT_BUNDLE_IDENTIFIER "org.open-ephys.gui"
 		XCODE_ATTRIBUTE_EXECUTABLE_NAME "open-ephys"
+		XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS "${CMAKE_CURRENT_SOURCE_DIR}/Resources/Build-files/entitlements.plist"
 		)
 
 		set(MAC_RESOURCE_FILES

diff --git a/Resources/Build-files/entitlements.plist b/Resources/Build-files/entitlements.plist
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+</dict>
+</plist>