add entitlements, fixes "Unable to load Java Runtime Environment"

benfry · Sep 16, 2020 · 7374956 · 7374956
1 parent d24b843
commit 7374956
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 3 deletions.
diff --git a/build/build.xml b/build/build.xml
@@ -822,11 +822,13 @@
 
     <!-- Replace libjli.dylib symlink with actual file.
          Deals with code signing issues on OS X 10.9.5+ -->
+    <!--
     <property name="jli.path" value="${contents.dir}/PlugIns/${jdk.prefix}-${jdk.esoteric}+${jdk.build}/Contents/MacOS/libjli.dylib" />
     <delete file="${jli.path}" />
     <exec executable="cp">
       <arg line="${jdk.path.macosx}/Contents/Home/lib/jli/libjli.dylib ${jli.path}"/>
     </exec>
+    -->
 
     <copy todir="${contents.dir}/Java" preservelastmodified="true">
       <fileset dir=".." includes="core/library/**" /> <!-- why this? -->
@@ -947,12 +949,17 @@
 
     <exec executable="/usr/bin/codesign" dir="macosx/work" failonerror="true">
       <arg value="--force" />
+
       <arg value="--sign" />
       <arg value="Developer ID Application" />
+
+      <arg value="--entitlements" />
+      <arg value="../ffs.entitlements" />
+
       <arg value="Processing.app/Contents/PlugIns/jdk-${jdk.esoteric}+${jdk.build}" />
     </exec>
 
-    <!-- codesign can't work inside jars, so instead temporarily unpack the files
+    <!-- codesign can't work inside jars? so instead temporarily unpack the files
          that contain dylib entries, just before doing our big signing event -->
 
     <property name="unpack.jogl" value="macosx/work/Processing.app/Contents/Java/core/library/jogl-all-natives-macosx-universal" />
@@ -979,6 +986,9 @@
       <!-- remove all other signatures -->
       <arg value="--force" />
 
+      <arg value="--entitlements" />
+      <arg value="../ffs.entitlements" />
+
       <!-- recursively sign everything -->
       <arg value="--deep" />
 
@@ -1023,6 +1033,9 @@
       <!-- recursively sign everything -->
       <arg value="--deep" />
 
+      <arg value="--entitlements" />
+      <arg value="../ffs.entitlements" />
+
       <!-- enable the "hardened runtime" -->
       <arg value="--options" />
       <arg value="runtime" />
@@ -1073,8 +1086,7 @@
     <echo>
       Check on notarization status with:
 
-      xcrun altool -u $PROCESSING_APPLE_ID -p $PROCESSING_APP_PASSWORD \
-        --notarization-info [the RequestUUID above]
+      xcrun altool -u $PROCESSING_APPLE_ID -p $PROCESSING_APP_PASSWORD --notarization-info [the RequestUUID above]
     </echo>
   </target>
 

diff --git a/build/macosx/ffs.entitlements b/build/macosx/ffs.entitlements
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-executable-page-protection</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+</dict>
+</plist>