XS⚠️ ◾ 351 yakshaver code sign config#652
Conversation
PR Metrics✔ Thanks for keeping your pull request small.
Metrics computed by PR Metrics. Add it to your Azure DevOps and GitHub PRs! |
github-actions
bot
changed the title
There was a problem hiding this comment.
Pull request overview
This PR adds Apple code signing configuration to the Electron app build process to enable proper macOS distribution.
Changes:
- Updated macOS build target from "zip" to "default" with support for both arm64 and x64 architectures
- Added hardened runtime and Gatekeeper configuration with entitlements file
- Configured GitHub Actions workflow to use code signing secrets
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| electron-builder.config.js | Updated macOS build configuration with code signing settings and multi-architecture support |
| assets/entitlements.mac.plist | Added macOS entitlements file defining required permissions for camera, microphone, JIT compilation, and debugging |
| .github/workflows/release-electron-app.yml | Added environment variables for code signing certificate and password |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
assets/entitlements.mac.plist
Outdated
| <key>com.apple.security.cs.allow-jit</key> | ||
| <true/> | ||
| <key>com.apple.security.cs.allow-unsigned-executable-memory</key> | ||
| <true/> | ||
| <key>com.apple.security.cs.debugger</key> | ||
| <true/> |
There was a problem hiding this comment.
The entitlements include debugging and unsigned executable memory permissions which should not be enabled in production builds. These permissions (com.apple.security.cs.debugger, com.apple.security.cs.allow-unsigned-executable-memory, com.apple.security.cs.allow-jit) weaken the security posture and may be rejected by Apple during the notarization process. Consider removing these or creating separate entitlement files for development and production.
| <key>com.apple.security.cs.allow-jit</key> | |
| <true/> | |
| <key>com.apple.security.cs.allow-unsigned-executable-memory</key> | |
| <true/> | |
| <key>com.apple.security.cs.debugger</key> | |
| <true/> |
There was a problem hiding this comment.
The PR feedback is partially right and partially wrong.
- True:
com.apple.security.cs.debuggermust be removed. It lets anyone attach a debugger to your app and inspect its memory, which is a huge security risk for production. - False:
allow-jitandallow-unsigned-executable-memorymust stay. Electron apps (which run on Chromium/V8) require these to compile and run JavaScript. If you remove them, your app will crash immediately on startup. Apple is aware of this and allows these entitlements for Electron/web-based apps.
I have updated entitlements.mac.plist to remove the insecure debugger entitlement but kept the ones required for Electron to function.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
|
🚀 Pre-release build is available for this PR: |
|
🚀 Pre-release build is available for this PR: |
|
🚀 Pre-release build is available for this PR: |
|
🚀 Pre-release build is available for this PR: |
|
🚀 Pre-release build is available for this PR: |
|
🚀 Pre-release build is available for this PR: |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| @@ -39,6 +39,7 @@ | |||
| "devDependencies": { | |||
There was a problem hiding this comment.
❗ This file doesn't require review.
…mId configuration
|
🚀 Pre-release build is available for this PR: |
|
✅ Code sign & notarisation enabled 🚀 Pre-release build is available for this PR: |
|
🚀 Pre-release build is available for this PR: |
|
🚀 Pre-release build is available for this PR: |
…on environment variables
|
🚀 Pre-release build is available for this PR: |
…ic publishing and clean up environment variables
|
✅ Automated Release Created Successfully Release Details:
You can monitor the build progress in the Actions tab. |
2 participants
✏️
Added Apple Code Sign configuration
Add code Notarization
✏️