From b3c99136b0a338a82b7421d17da68cf8ee8a1f2b Mon Sep 17 00:00:00 2001
From: haritabh-z01
Date: Tue, 12 Aug 2025 15:08:03 +0530
Subject: [PATCH] chore: update entitlments for node binaries
---
 apps/desktop/entitlements.node.plist | 11 +++++++++++
 apps/desktop/forge.config.ts | 14 ++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 apps/desktop/entitlements.node.plist
diff --git a/apps/desktop/entitlements.node.plist b/apps/desktop/entitlements.node.plist
new file mode 100644
index 0000000..09ac564
--- /dev/null
+++ b/apps/desktop/entitlements.node.plist
@@ -0,0 +1,11 @@
+
+
+
+
+
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+
+
\ No newline at end of file
diff --git a/apps/desktop/forge.config.ts b/apps/desktop/forge.config.ts
index 966884c..f64464a 100644
--- a/apps/desktop/forge.config.ts
+++ b/apps/desktop/forge.config.ts
@@ -296,6 +296,20 @@ const config: ForgeConfig = {
 : {
 osxSign: {
 identity: process.env.CODESIGNING_IDENTITY,
+ // Apply different entitlements based on file path
+ optionsForFile: (filePath: string) => {
+ // Apply minimal entitlements to Node binary
+ if (filePath.includes('node-binaries')) {
+ return {
+ entitlements: './entitlements.node.plist',
+ hardenedRuntime: true,
+ };
+ }
+ // Use default entitlements for everything else
+ // https://www.npmjs.com/package/@electron/osx-sign#opts
+ // !still need to do any
+ return null as any;
+ },
 },
 // Notarization for macOS
 ...(process.env.SKIP_NOTARIZATION === "true"
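Review bot: `com.apple.security.cs.allow-unsigned-executable-memory` is granted next to `com.apple.security.cs.allow-jit`, and it is the broader of the two hardened-runtime exceptions: it permits writable-and-executable pages without the MAP_JIT restrictions, which removes a mitigation against memory-corruption bugs in the signed binary. If the bundled Node build allocates its JIT pages with MAP_JIT (to be confirmed for the shipped version), `allow-jit` alone may be enough, and the second key could be dropped after a smoke test of the signed build. If it has to stay, a comment in the plist should record why, e.g. `<!-- allow-unsigned-executable-memory: required by <component>, verified on <Node version> -->`. The key values are not visible in this rendering of the hunk, so this assumes both are set to true.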
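Review bot: The `filePath.includes('node-binaries')` test in `optionsForFile` matches that string anywhere in the absolute path, so a checkout or build directory whose name happens to contain it, or any other file stored under that folder, would also be signed with the JIT and unsigned-executable-memory entitlements. Matching a whole path segment keeps the exception on the intended files, for example `if (/\/node-binaries\//.test(filePath)) {`, ideally combined with a check on the binary's basename. The fallback `return null as any;` turns off type checking for the return value; if the installed @electron/osx-sign types make every per-file option optional (worth confirming), `return {};` should select the defaults without the cast. `'./entitlements.node.plist'` is resolved against the working directory rather than this file, so signing depends on where the command is launched. The surrounding `config` object starts and ends outside this hunk.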