Sign binaries after lipo-ing them since lipo drops signature added by the linker. Also, use JIT entitlement for signing executables.

TautvydasZilys · TautvydasZilys · commit 38cd7777739a · 2020-10-06T19:49:45.000-07:00
diff --git a/external/buildscripts/build_all_osx.pl b/external/buildscripts/build_all_osx.pl
@@ -110,7 +110,7 @@
 
 	for my $file ('mono')
 	{
-		MergeIntoFatBinary("$distDirSourceBinX64/$file", "$distDirSourceBinARM64/$file", "$distDirDestinationBin/$file");
+		MergeIntoFatBinary("$distDirSourceBinX64/$file", "$distDirSourceBinARM64/$file", "$distDirDestinationBin/$file", 1);
 	}
 
 	for my $file ('pedump')
@@ -121,7 +121,7 @@
 
 	for my $file ('libMonoPosixHelper.dylib')
 	{
-		MergeIntoFatBinary("$embedDirSourceX64/$file", "$embedDirSourceARM64/$file", "$distDirDestinationLib/$file");
+		MergeIntoFatBinary("$embedDirSourceX64/$file", "$embedDirSourceARM64/$file", "$distDirDestinationLib/$file", 0);
 	}
 
 	if ($buildMachine)
@@ -169,8 +169,17 @@ sub CopyEmbedRuntimeBinaries
 
 sub MergeIntoFatBinary
 {
-	my ($binary1, $binary2, $binaryOutput) = @_;
+	my ($binary1, $binary2, $binaryOutput, $isExe) = @_;
 
 	print(">>> Merging '$binary1' and '$binary2' into '$binaryOutput'\n\n");
 	system('lipo', "$binary1", "$binary2", "-create", "-output", "$binaryOutput") eq 0 or die("Failed to run lipo!");
-}
+
+	if ($isExe)
+	{
+		system("codesign", "--entitlements", $buildscriptsdir . "/entitlements.plist", "-s", "-", "$binaryOutput") eq 0 or die("Failed to codesign $binaryOutput!");
+	}
+	else
+	{
+		system("codesign", "-s", "-", "$binaryOutput") eq 0 or die("Failed to codesign $binaryOutput!");
+	}
+}
diff --git a/external/buildscripts/entitlements.plist b/external/buildscripts/entitlements.plist
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+</dict>
+</plist>
+
