From 8f60d37400c8b2e37fed2fb7af196891a983107c Mon Sep 17 00:00:00 2001
From: Jorben
Date: Wed, 11 Feb 2026 01:39:19 +0800
Subject: [PATCH] =?UTF-8?q?build(mac):=20=F0=9F=93=A6=20add=20Apple=20Deve?= =?UTF-8?q?loper=20code=20signing=20support?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Add entitlements plist with hardened runtime permissions (JIT, unsigned memory, library validation, network client)
- Configure electron-builder for code signing with hardened runtime
- Pass CSC_LINK/CSC_KEY_PASSWORD to CI build for automatic signing
- Set forceCodeSigning: false so unsigned builds still succeed
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/release.yml | 2 ++
 build/entitlements.mac.plist | 14 ++++++++++++++
 package.json | 8 +++++++-
 3 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 build/entitlements.mac.plist
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b352a89..3bb90f9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -47,6 +47,8 @@ jobs:
 run: npm run build:${{ matrix.platform }}
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ CSC_LINK: ${{ secrets.APPLE_CERTIFICATE }}
+ CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
 - name: Upload release assets
 uses: softprops/action-gh-release@v2
diff --git a/build/entitlements.mac.plist b/build/entitlements.mac.plist
new file mode 100644
index 0000000..c0052ff
--- /dev/null
+++ b/build/entitlements.mac.plist
@@ -0,0 +1,14 @@
+
+
+
+
+ com.apple.security.cs.allow-jit
+
+ com.apple.security.cs.allow-unsigned-executable-memory
+
+ com.apple.security.cs.disable-library-validation
+
+ com.apple.security.network.client
+
+
+
diff --git a/package.json b/package.json
index af024f5..c6dc94e 100644
--- a/package.json
+++ b/package.json
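Review bot: In the `.github/workflows/release.yml` hunk, `CSC_LINK` and `CSC_KEY_PASSWORD` are added to the env of the shared `npm run build:${{ matrix.platform }}` step, so the Apple certificate and its password reach every matrix leg, not only the macOS one. The matrix is defined outside the hunk, but if it includes Windows, electron-builder reads `CSC_LINK` there as well and would attempt to sign the Windows installer with the Apple certificate. Scoping both variables to the macOS leg keeps the signing key off runners that do not need it, for example `CSC_LINK: ${{ matrix.platform == 'mac' && secrets.APPLE_CERTIFICATE || '' }}` and the same form for `CSC_KEY_PASSWORD`. The value `'mac'` is assumed from the `build:<platform>` script naming and should be checked against the matrix. A separate macOS-only build step guarded by `if:` would do the same.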
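Review bot: The new `build/entitlements.mac.plist` requests `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.allow-unsigned-executable-memory` without recording what needs them, and both switch off protections that the hardened runtime otherwise enforces. Disabling library validation lets the signed app load libraries that are unsigned or signed by another team, so it should stay only if a native module or plugin requires it. Whether unsigned executable memory is needed in addition to `allow-jit` depends on the Electron version, which is not visible here. `com.apple.security.network.client` is an App Sandbox entitlement and presumably has no effect, since `com.apple.security.app-sandbox` is not requested. I would put an XML comment above each key naming the component that needs it, e.g. `<!-- needed by <module>: loads a library signed by a different team -->`, and drop any key that has none; the element markup of this file is not shown on the page, so the values are assumed to be `<true/>`.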
@@ -79,8 +79,14 @@
 },
 "mac": {
 "category": "public.app-category.productivity",
+ "target": ["dmg"],
 "artifactName": "${productName}-${version}-${arch}.${ext}",
- "icon": "public/icons/mac/icon.icns"
+ "icon": "public/icons/mac/icon.icns",
+ "hardenedRuntime": true,
+ "gatekeeperAssess": false,
+ "entitlements": "build/entitlements.mac.plist",
+ "entitlementsInherit": "build/entitlements.mac.plist",
+ "forceCodeSigning": false
 },
 "win": {
 "target": "nsis",
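Review bot: `"forceCodeSigning": false` in the `mac` block lets the release job finish and upload its artifacts even when `CSC_LINK` is missing, expired or fails to import, so an unsigned DMG can be published without anyone noticing. Because this configuration feeds the release workflow, I would use `"forceCodeSigning": true` for release builds and relax it only for local builds, so that a signing failure stops the job. `"gatekeeperAssess": false` also skips the post-signing assessment, and no notarization setting is visible in this hunk, so nothing here confirms that the signed app will pass Gatekeeper on a user's machine. `entitlementsInherit` points at the same plist as `entitlements`, which gives helper processes the full entitlement set of the main app; a narrower inherit file would be preferable if the helpers do not need all of them. The enclosing `build` object starts and ends outside the hunk.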