feat: state of the art signing for macOS with entitlements and verification

Co-authored-by: shouze <54712+shouze@users.noreply.github.com>

Author: Copilot

build.ts

@@ -88,14 +88,33 @@ console.log(`  Built ${outfile}`);
 // ─── Ad-hoc codesign (macOS only) ────────────────────────────────────────────
 
 if (targetOs === "darwin" && process.platform === "darwin") {
-  const sign = Bun.spawn(["codesign", "--force", "--sign", "-", outfile], {
-    stdout: "inherit",
-    stderr: "inherit",
-  });
+  const sign = Bun.spawn(
+    [
+      "codesign",
+      "--deep",
+      "--force",
+      "--sign",
+      "-",
+      "--entitlements",
+      `${import.meta.dir}/entitlements.plist`,
+      outfile,
+    ],
+    { stdout: "inherit", stderr: "inherit" },
+  );
   const signCode = await sign.exited;
   if (signCode !== 0) {
     console.error(`codesign failed (exit ${signCode})`);
     process.exit(signCode);
   }
   console.log(`  Codesigned ${outfile}`);
+
+  const verify = Bun.spawn(["codesign", "--verify", "--verbose", outfile], {
+    stdout: "inherit",
+    stderr: "inherit",
+  });
+  const verifyCode = await verify.exited;
+  if (verifyCode !== 0) {
+    console.error(`codesign verification failed (exit ${verifyCode})`);
+    process.exit(verifyCode);
+  }
 }

entitlements.plist

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+</dict>
+</plist>