fix(mac): disable restricted time-sensitive entitlement

This commit is contained in:
Peter Steinberger
2025-12-12 19:20:47 +00:00
parent d2158966db
commit e2ad0ed9f7
2 changed files with 14 additions and 26 deletions


@@ -51,14 +51,8 @@ cat > "$ENT_TMP_BASE" <<'PLIST'
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.hardened-runtime</key>
<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
</dict>
</plist>
PLIST
@@ -68,14 +62,8 @@ cat > "$ENT_TMP_APP_BASE" <<'PLIST'
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.hardened-runtime</key>
<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
</dict>
</plist>
PLIST
@@ -87,29 +75,20 @@ cat > "$ENT_TMP_APP" <<'PLIST'
<dict>
<key>com.apple.developer.usernotifications.time-sensitive</key>
<true/>
<key>com.apple.security.hardened-runtime</key>
<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
</dict>
</plist>
PLIST
# The time-sensitive entitlement is restricted and needs to be present in a
# matching provisioning profile when using Apple Development signing.
# Avoid breaking local debug builds by only enabling it when forced, or when
# using distribution-style identities.
# The time-sensitive entitlement is restricted and requires explicit enablement
# (and typically a matching provisioning profile). It is *not* safe to enable
# unconditionally for local debug packaging since AMFI will refuse to launch.
APP_ENTITLEMENTS="$ENT_TMP_APP_BASE"
if [[ "${ENABLE_TIME_SENSITIVE_NOTIFICATIONS:-}" == "1" ]]; then
APP_ENTITLEMENTS="$ENT_TMP_APP"
elif [[ "$IDENTITY" == *"Developer ID Application"* ]] || [[ "$IDENTITY" == *"Apple Distribution"* ]]; then
APP_ENTITLEMENTS="$ENT_TMP_APP"
else
echo "Note: Time Sensitive Notifications entitlement disabled for this signing identity."
echo "Note: Time Sensitive Notifications entitlement disabled."
echo " To force it: ENABLE_TIME_SENSITIVE_NOTIFICATIONS=1 scripts/codesign-mac-app.sh <app>"
fi
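Review bot: The two `echo` notes at the end of the third hunk are diagnostics but go to stdout, where they mix with anything a caller captures from this script; send them to stderr with `echo "Note: Time Sensitive Notifications entitlement disabled." >&2` and the same on the "To force it" line. The guard accepts only the literal value `1`, so `ENABLE_TIME_SENSITIVE_NOTIFICATIONS=true` or `yes` silently leaves the entitlement off, which is worth stating in the comment block above the `if`, e.g. `# Opt in with ENABLE_TIME_SENSITIVE_NOTIFICATIONS=1 (exactly "1"; other values are ignored).` Whether the `elif` on `$IDENTITY` survives on the new side is not recoverable from this rendering; if it does, it is a substring match on the identity name, and in either case the forced path still relies on the caller to supply a provisioning profile that carries the entitlement, as the new comment itself warns. The first two hunks appear to only drop keys from the base plists and need no separate note.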


@@ -86,7 +86,16 @@ choose_app_bundle() {
choose_app_bundle
# 4) Launch the installed app in the foreground so the menu bar extra appears.
run_step "launch app" open "${APP_BUNDLE}"
# LaunchServices can inherit a huge environment from this shell (secrets, prompt vars, etc.).
# That can cause launchd spawn failures and is undesirable for a GUI app anyway.
run_step "launch app" env -i \
HOME="${HOME}" \
USER="${USER:-$(id -un)}" \
LOGNAME="${LOGNAME:-$(id -un)}" \
TMPDIR="${TMPDIR:-/tmp}" \
PATH="/usr/bin:/bin:/usr/sbin:/sbin" \
LANG="${LANG:-en_US.UTF-8}" \
/usr/bin/open "${APP_BUNDLE}"
# 5) Verify the app is alive.
sleep 1.5
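Review bot: `TMPDIR="${TMPDIR:-/tmp}"` in the sanitised `env -i` block falls back to the shared, world-writable `/tmp` when the variable is unset, whereas macOS normally gives each user a private temp directory; consider `TMPDIR="${TMPDIR:-$(getconf DARWIN_USER_TEMP_DIR)}"` so an unset TMPDIR does not downgrade the launched app's temp location. `id -un` is forked twice, once for `USER` and once for `LOGNAME`; computing it once (`user_name=$(id -un)`) and reusing it keeps the two values consistent. The existing comment explains why the environment is scrubbed; one more line naming that `PATH` is pinned rather than inherited, e.g. `# PATH is pinned to system directories so the GUI app never inherits a user-modified search path.`, would complete the rationale. The hunk starts after the `choose_app_bundle` call and the surrounding script flow is not visible here.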