From 395152384156c6265598fb92412920a5202295e7 Mon Sep 17 00:00:00 2001
From: Pierre Chalamet
Date: Sat, 7 Feb 2026 22:08:18 +0100
Subject: [PATCH] update entitlements
---
 .github/workflows/on-push-tag.yml | 1 +
 .github/workflows/on-release-published.yml | 8 +++-----
 entitlements.plist | 8 +-------
 3 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/on-push-tag.yml b/.github/workflows/on-push-tag.yml
index 104ab248..98569187 100644
--- a/.github/workflows/on-push-tag.yml
+++ b/.github/workflows/on-push-tag.yml
@@ -49,6 +49,7 @@ jobs:
 (cd .out/windows/arm64; zip ../../terrabuild-${BUILD_VERSION}-windows-arm64.zip ./*)
 (cd .out/linux/x64; zip ../../terrabuild-${BUILD_VERSION}-linux-x64.zip ./*)
 (cd .out/linux/arm64; zip ../../terrabuild-${BUILD_VERSION}-linux-arm64.zip ./*)
+ cp entitlements.plist .out/darwin/entitlements.plist
 (cd .out/darwin; zip -r ../terrabuild-${BUILD_VERSION}-darwin-unsigned.zip ./*)
 - name: Extract Version Suffix
diff --git a/.github/workflows/on-release-published.yml b/.github/workflows/on-release-published.yml
index 384d205e..56dd5a11 100644
--- a/.github/workflows/on-release-published.yml
+++ b/.github/workflows/on-release-published.yml
@@ -31,9 +31,6 @@ jobs:
 sign-and-notarize:
 runs-on: macos-latest
 steps:
- - name: Cloning repository
- uses: actions/checkout@v4
-
 - name: Download Github Release artifacts
 uses: robinraju/release-downloader@v1.11
 with:
@@ -44,6 +41,7 @@ jobs:
 run: |
 mkdir -p .out/darwin
 unzip -d .out/darwin terrabuild-${{ github.ref_name }}-darwin-unsigned.zip
+ test -f .out/darwin/entitlements.plist
 - name: Add Cert to Keychain
 uses: apple-actions/import-codesign-certs@v3
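Review bot: `test -f .out/darwin/entitlements.plist` in the unzip step of on-release-published.yml only proves that a file with that name exists, while the entitlements handed to codesign now come from the downloaded release asset (put there by the new `cp` line in on-push-tag.yml) rather than from the tagged checkout. Entitlements decide which hardened-runtime exceptions the signed binary receives, so the job should check the content before signing, for example `plutil -lint .out/darwin/entitlements.plist` plus a check that the file declares only the expected keys. A comment above the check such as `# entitlements travel inside the unsigned zip; validate before signing` would also record why the checkout step was removed. The header of the unzip step lies outside this hunk.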
@@ -53,8 +51,8 @@ jobs:
 - name: Sign Binaries
 run: |
- codesign --force --timestamp --sign "Developer ID Application: Magnus Opera (${{ secrets.MAC_DEV_TEAM_ID }})" .out/darwin/arm64/terrabuild --options=runtime --no-strict --entitlements entitlements.plist
- codesign --force --timestamp --sign "Developer ID Application: Magnus Opera (${{ secrets.MAC_DEV_TEAM_ID }})" .out/darwin/x64/terrabuild --options=runtime --no-strict --entitlements entitlements.plist
+ codesign --force --timestamp --sign "Developer ID Application: Magnus Opera (${{ secrets.MAC_DEV_TEAM_ID }})" .out/darwin/arm64/terrabuild --options=runtime --no-strict --entitlements .out/darwin/entitlements.plist
+ codesign --force --timestamp --sign "Developer ID Application: Magnus Opera (${{ secrets.MAC_DEV_TEAM_ID }})" .out/darwin/x64/terrabuild --options=runtime --no-strict --entitlements .out/darwin/entitlements.plist
 (cd .out/darwin/arm64; zip ../terrabuild-${{ github.ref_name }}-darwin-arm64.zip ./*)
 (cd .out/darwin/x64; zip ../terrabuild-${{ github.ref_name }}-darwin-x64.zip ./*)
diff --git a/entitlements.plist b/entitlements.plist
index 82032a55..452c3be2 100644
--- a/entitlements.plist
+++ b/entitlements.plist
@@ -4,11 +4,5 @@
 com.apple.security.cs.allow-jit
- com.apple.security.cs.allow-unsigned-executable-memory
-
- com.apple.security.cs.allow-dyld-environment-variables
-
- com.apple.security.cs.disable-library-validation
-
-
\ No newline at end of file
+
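Review bot: The rewritten codesign lines in the Sign Binaries step still splice `${{ secrets.MAC_DEV_TEAM_ID }}` into the script text, and the zip lines below them do the same with `${{ github.ref_name }}`, which is a tag name and may carry shell metacharacters. In a job that holds the Developer ID certificate, both values are safer passed through the step's `env:` map and read as quoted shell variables, e.g. `--sign "Developer ID Application: Magnus Opera (${TEAM_ID})"` and `"../terrabuild-${REF_NAME}-darwin-arm64.zip"`. The two codesign invocations differ only in the architecture directory and could be a loop over `arm64 x64`. Running `codesign -d --entitlements - .out/darwin/arm64/terrabuild` after signing would record in the job log which entitlements were actually embedded. The step may continue past the end of the hunk.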
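Review bot: The one entitlement that remains, `com.apple.security.cs.allow-jit`, has no comment saying why the binary needs it, and nothing in the visible workflow runs the signed binary after the other three hardened-runtime exceptions are dropped. An XML comment above the key naming the component that requires JIT would keep the exception from being removed or widened blindly later. Removing `disable-library-validation` and `allow-dyld-environment-variables` may break loading of libraries not signed by the same team or any reliance on DYLD_* variables, so a smoke run of the signed binary in the sign-and-notarize job would confirm the reduced set is sufficient.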