From 1a434fc39d694d7d350ea07c170443fa848571b4 Mon Sep 17 00:00:00 2001 From: Arie Gurfinkel Date: Sat, 7 Dec 2024 13:57:52 -0500 Subject: [PATCH] feat: add entitelments to signing --- scripts/hardened_runtime_entitlements.plist | 2 ++ scripts/sign.sh | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 scripts/hardened_runtime_entitlements.plist diff --git a/scripts/hardened_runtime_entitlements.plist b/scripts/hardened_runtime_entitlements.plist new file mode 100644 index 0000000..85c2a83 --- /dev/null +++ b/scripts/hardened_runtime_entitlements.plist @@ -0,0 +1,2 @@ +com.apple.security.cs.allow-unsigned-executable-memory + diff --git a/scripts/sign.sh b/scripts/sign.sh index 9f96c1d..8abd765 100755 --- a/scripts/sign.sh +++ b/scripts/sign.sh @@ -22,7 +22,7 @@ for FILE_PATH in $FILES_TO_SIGN; do security unlock-keychain -p "$APPLE_TEMPKEYCHAIN_PASSWORD" "$APPLE_TEMPKEYCHAIN_NAME" # sign the binary - codesign -o runtime --force --timestamp -s "$APPLE_CODESIGN_IDENTITY" -v $FILE_PATH + codesign -o runtime --force --timestamp --entitlements ./scripts/hardened_runtime_entitlements.plist -s "$APPLE_CODESIGN_IDENTITY" -v $FILE_PATH # notarize binary ditto -c -k $FILE_PATH $FILE_NAME.zip # notarization require zip files
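Review bot: The entitlement granted in the new plist, `com.apple.security.cs.allow-unsigned-executable-memory`, is one of the broadest Hardened Runtime exceptions, and neither the file nor the commit message records why the signed binaries need it. If they only generate code through a JIT, the narrower `com.apple.security.cs.allow-jit` would keep more of the runtime protection; either way an XML comment stating the reason would help the next reviewer. The hunk adds only two lines and the markup is not visible on this page, so it is also worth confirming with `plutil -lint scripts/hardened_runtime_entitlements.plist` that the file is a complete property list with its plist/dict wrapper.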
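Review bot: The new `--entitlements ./scripts/hardened_runtime_entitlements.plist` argument is resolved against the caller's working directory, so signing depends on the script being started from the repository root; deriving the path from the script location, e.g. `--entitlements "$(dirname "$0")/hardened_runtime_entitlements.plist"`, removes that dependency. The option sits inside the `for FILE_PATH in $FILES_TO_SIGN` loop, so every signed file receives the relaxed executable-memory entitlement, including any that may not need it; choosing the entitlements file per binary would keep the exception scoped. `$FILE_PATH` is still unquoted on the changed line, and `"$FILE_PATH"` would be safer for paths containing spaces or glob characters. The loop starts and ends outside the hunk.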