Files
datatools-dev/build/macos/entitlements.plist
Michael 41ab2166ef build(ci): wire macOS code signing + notarization into release workflow
Add a guarded "Sign & notarize macOS app" step to build.yml that signs
dist/DataTools.app with the Developer ID (hardened runtime + entitlements
+ secure timestamp), notarizes via notarytool, and staples the ticket —
running before DMG packaging. The step exits 0 with a warning when the
MACOS_* secrets are absent, so dry-run dispatches still produce an
(unsigned) build.

Add build/macos/entitlements.plist with the hardened-runtime entitlements
a frozen PyInstaller/CPython app needs (JIT memory, library-validation
disabled for bundled .so/.dylib + Tesseract). Update build/README.md to
reflect that macOS signing is now wired and only needs the secrets.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 22:56:17 +00:00

29 lines
1.2 KiB
Plaintext

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
Hardened-runtime entitlements for the notarized DataTools.app.
PyInstaller freezes a CPython interpreter that maps writable+executable
memory and loads many unsigned .so/.dylib modules at runtime. Without
these entitlements the hardened runtime kills the process on launch
(or notarization rejects the bundle). Keep this list minimal — the app
is a local-only Streamlit server, so no network-server/device/camera
entitlements are needed.
-->
<plist version="1.0">
<dict>
<!-- CPython JIT-style writable/executable memory + ctypes trampolines -->
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<!-- Load the bundled C-extension .so / .dylib modules (pandas, pdfplumber,
Pillow, the bundled Tesseract dylibs) that aren't Team-ID signed -->
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<!-- Launcher sets DATATOOLS_*/TESSDATA_PREFIX/PYTHON* before exec -->
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
</dict>
</plist>