Fix MAS entitlements and group IDs to prevent crash and Transporter rejection

CydeSwype · CydeSwype · commit 06ecf9afbe2d · 2026-01-26T20:31:30.000-08:00
diff --git a/desktop/entitlements.mas.inherit.plist b/desktop/entitlements.mas.inherit.plist
@@ -6,6 +6,10 @@
   <true/>
   <key>com.apple.security.inherit</key>
   <true/>
+  <key>com.apple.security.application-groups</key>
+  <array>
+    <string>group.4MSL3T2696.com.iandmiller.visualtimer</string>
+  </array>
   <key>com.apple.security.cs.allow-jit</key>
   <true/>
   <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
diff --git a/desktop/entitlements.mas.plist b/desktop/entitlements.mas.plist
@@ -4,6 +4,10 @@
 <dict>
   <key>com.apple.security.app-sandbox</key>
   <true/>
+  <key>com.apple.security.application-groups</key>
+  <array>
+    <string>group.4MSL3T2696.com.iandmiller.visualtimer</string>
+  </array>
   <key>com.apple.security.network.client</key>
   <true/>
   <key>com.apple.security.files.user-selected.read-write</key>
diff --git a/scripts/fix-mas-icon.js b/scripts/fix-mas-icon.js
@@ -118,7 +118,7 @@ exports.default = async function(context) {
               const helperPath = path.join(helpersPath, helper);
               if (fs.statSync(helperPath).isFile() && !helper.endsWith('.plist')) {
                 try {
-                  // Don't use --options runtime for MAS builds (that's for Developer ID only)
+                  // Don't use --options runtime for MAS builds
                   execSync(`codesign --force --sign "${identity}" --entitlements "${entitlementsInherit}" "${helperPath}"`, {
                     stdio: 'inherit'
                   });
@@ -172,10 +172,20 @@ exports.default = async function(context) {
             console.log('✅ Re-signed Electron Framework (bundle only)');
           }
           
+          // Check for provisioning profile to determine main app signing strategy
+          const hasProvisioningProfile = fs.existsSync(path.join(appBundlePath, 'Contents', 'embedded.provisionprofile'));
+          
           // Sign main app bundle last (no --options runtime for MAS builds)
-          execSync(`codesign --force --sign "${identity}" --entitlements "${entitlements}" "${appBundlePath}"`, {
-            stdio: 'inherit'
-          });
+          if (hasProvisioningProfile) {
+            console.log('Provisioning profile found. Signing WITHOUT --entitlements flag to avoid team-identifier error...');
+            execSync(`codesign --force --sign "${identity}" "${appBundlePath}"`, {
+              stdio: 'inherit'
+            });
+          } else {
+            execSync(`codesign --force --sign "${identity}" --entitlements "${entitlements}" "${appBundlePath}"`, {
+              stdio: 'inherit'
+            });
+          }
           console.log('✅ App bundle re-signed successfully');
         } catch (error) {
           console.error('❌ Failed to re-sign app bundle:', error.message);
