add macOs entitlements (#4955)

* add macOs entitlements

* notarize apple binaries

Author: peterjah

.github/actions/sign-macos/action.yml

@@ -46,7 +46,7 @@ runs:
             ENTITLEMENTS_ARG="--entitlements ${{ inputs.entitlements }}"
           fi
 
-          codesign --force --options runtime --timestamp $ENTITLEMENTS_ARG\
+          codesign --force --options runtime --timestamp $ENTITLEMENTS_ARG \
             --sign "${{ inputs.signing-identity }}" "$path"
 
           echo "🔍 Verifying signature for: $path"

.github/actions/sign-macos/entitlements.plist

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <!-- Allow unsigned executable memory (required for WASM/JIT execution) -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+</dict>
+</plist>

.github/workflows/cd.yml

@@ -108,14 +108,24 @@ jobs:
           SM_CERT_FINGERPRINT: ${{ secrets.SM_CERT_FINGERPRINT }}
           SM_HOST: ${{ secrets.SM_HOST }}
 
-      - name: Sign Macos binaries
+      - name: Sign macOS binaries
         uses: ./.github/actions/sign-macos
         if: ${{ runner.os == 'macOS' }}
         with:
           paths: "$MASSA_CLIENT_PATH $MASSA_NODE_PATH"
           certificate-p12-base64: ${{ secrets.APPLE_CERTIFICATE_P12_BASE64 }}
           certificate-password: ${{ secrets.APPLE_CERTIFICATE_P12_PASSWORD }}
           signing-identity: ${{ vars.APPLE_DEVELOPER_ID_APPLICATION }}
+          entitlements: .github/actions/sign-macos/entitlements.plist
+
+      - name: Notarize macOS binaries
+        uses: ./.github/actions/notarize-macos
+        if: ${{ runner.os == 'macOS' }}
+        with:
+          paths: "$MASSA_CLIENT_PATH $MASSA_NODE_PATH"
+          apple-id: ${{ secrets.APPLE_ID }}
+          apple-team-id: ${{ secrets.APPLE_TEAM_ID }}
+          apple-app-password: ${{ secrets.APPLE_APP_PASSWORD }}
 
       - name: Package
         shell: bash