Fix macOS release signing for System Integrity Protection#279
Open
zxhwfe wants to merge 1 commit into
Open
Conversation
There was a problem hiding this comment.
Pull request overview
This PR aims to address macOS release code-signing constraints (notably around SIP/hardened runtime expectations) by adding a release signing script, adjusting release entitlements, and updating CI packaging. It also includes a broad Flutter dependency/tooling refresh that updates generated plugin registrants across desktop platforms.
Changes:
- Add a macOS release
codesignscript and invoke it in the GitHub Actions macOS build, zipping the.appfor artifact upload. - Update macOS Release entitlements to include hardened-runtime-related code-signing entitlements.
- Refresh lockfiles and generated desktop plugin registrants (notably screen_retriever platform split and additional FFI plugin entries).
Reviewed changes
Copilot reviewed 8 out of 11 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/main.yml |
Runs macOS release build, codesigns, zips the .app, and uploads as an artifact. |
.gitignore |
Ignores .tooling/ and normalizes .vscode/ ignore entry. |
linux/flutter/generated_plugin_registrant.cc |
Updates Linux plugin registration (screen_retriever platform package; removes sqlite3_flutter_libs registration). |
linux/flutter/generated_plugins.cmake |
Updates Linux plugin lists (screen_retriever platform package; adds jni to FFI list). |
macos/Flutter/GeneratedPluginRegistrant.swift |
Updates macOS plugin registration (screen_retriever_macos; removes sqlite3_flutter_libs registration). |
macos/Podfile.lock |
Updates CocoaPods lockfile to reflect updated plugin set/versions. |
macos/Runner/Release.entitlements |
Adds hardened-runtime-related entitlements and cleans up duplicate entries. |
macos/scripts/codesign_release.sh |
Introduces a release codesigning script for the built .app. |
pubspec.lock |
Updates dependency lockfile and SDK minimums (Dart/Flutter). |
windows/flutter/generated_plugin_registrant.cc |
Updates Windows plugin registration (screen_retriever platform package; removes sqlite3_flutter_libs registration). |
windows/flutter/generated_plugins.cmake |
Updates Windows plugin lists (screen_retriever platform package; adds jni to FFI list; removes sqlite3_flutter_libs). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+17
to
+22
| sign_bundle() { | ||
| item="$1" | ||
| if [ -e "$item" ] && [ ! -L "$item" ]; then | ||
| codesign --force --options runtime --timestamp=none --sign - "$item" | ||
| fi | ||
| } |
Comment on lines
+32
to
+38
| codesign \ | ||
| --force \ | ||
| --options runtime \ | ||
| --timestamp=none \ | ||
| --entitlements "$ENTITLEMENTS_PATH" \ | ||
| --sign - \ | ||
| "$APP_PATH" |
Comment on lines
+13
to
+18
| <key>com.apple.security.cs.allow-jit</key> | ||
| <true/> | ||
| <key>com.apple.security.cs.allow-unsigned-executable-memory</key> | ||
| <true/> | ||
| <key>com.apple.security.cs.disable-library-validation</key> | ||
| <true/> |
Author
|
For the signing comments: `codesign --options runtime --sign -` does not
fail in our current CI/local build flow. The generated app was verified
locally and the resulting signature contains both `adhoc` and `runtime`
flags.
That said, this script is intended to produce a self-contained CI artifact
that can run correctly with SIP enabled, not a notarized Developer ID
distribution build. I agree that making the signing identity configurable
would make the script more useful for proper release signing, so we can
adjust the script to allow `CODESIGN_IDENTITY` to be provided externally.
For the entitlement comment: agreed. These entitlements weaken hardened
runtime restrictions and should be documented. They are included because
this app uses Flutter/Dart FFI and native plugin frameworks, including
`flutter_qjs`, which require relaxed runtime behavior in release builds.
I’ll add an inline note so future maintainers understand why these are
present and can revisit them if the native dependencies change.
Copilot ***@***.***> 于2026年7月11日周六 15:42写道:
… ***@***.**** commented on this pull request.
Pull request overview
This PR aims to address macOS release code-signing constraints (notably
around SIP/hardened runtime expectations) by adding a release signing
script, adjusting release entitlements, and updating CI packaging. It also
includes a broad Flutter dependency/tooling refresh that updates generated
plugin registrants across desktop platforms.
*Changes:*
- Add a macOS release codesign script and invoke it in the GitHub
Actions macOS build, zipping the .app for artifact upload.
- Update macOS Release entitlements to include
hardened-runtime-related code-signing entitlements.
- Refresh lockfiles and generated desktop plugin registrants (notably
screen_retriever platform split and additional FFI plugin entries).
Reviewed changes
Copilot reviewed 8 out of 11 changed files in this pull request and
generated 3 comments.
Show a summary per file
File Description
.github/workflows/main.yml Runs macOS release build, codesigns, zips the
.app, and uploads as an artifact.
.gitignore Ignores .tooling/ and normalizes .vscode/ ignore entry.
linux/flutter/generated_plugin_registrant.cc Updates Linux plugin
registration (screen_retriever platform package; removes
sqlite3_flutter_libs registration).
linux/flutter/generated_plugins.cmake Updates Linux plugin lists
(screen_retriever platform package; adds jni to FFI list).
macos/Flutter/GeneratedPluginRegistrant.swift Updates macOS plugin
registration (screen_retriever_macos; removes sqlite3_flutter_libs
registration).
macos/Podfile.lock Updates CocoaPods lockfile to reflect updated plugin
set/versions.
macos/Runner/Release.entitlements Adds hardened-runtime-related
entitlements and cleans up duplicate entries.
macos/scripts/codesign_release.sh Introduces a release codesigning script
for the built .app.
pubspec.lock Updates dependency lockfile and SDK minimums (Dart/Flutter).
windows/flutter/generated_plugin_registrant.cc Updates Windows plugin
registration (screen_retriever platform package; removes
sqlite3_flutter_libs registration).
windows/flutter/generated_plugins.cmake Updates Windows plugin lists
(screen_retriever platform package; adds jni to FFI list; removes
sqlite3_flutter_libs).
------------------------------
💡 Add Copilot custom instructions
<http:///Pacalini/PicaComic/new/master?filename=.github/instructions/*.instructions.md>
for smarter, more guided reviews. Learn how to get started
<https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions-for-github-copilot>
.
------------------------------
In macos/scripts/codesign_release.sh
<#279 (comment)>:
> +sign_bundle() {
+ item="$1"
+ if [ -e "$item" ] && [ ! -L "$item" ]; then
+ codesign --force --options runtime --timestamp=none --sign - "$item"
+ fi
+}
codesign --options runtime is being used with an ad-hoc signature (--sign
-). Hardened Runtime signing requires a real signing identity; as written
this is likely to fail during signing, and even if it succeeds it won’t
produce a valid hardened-runtime signature for SIP-related entitlements.
------------------------------
In macos/scripts/codesign_release.sh
<#279 (comment)>:
> +codesign \
+ --force \
+ --options runtime \
+ --timestamp=none \
+ --entitlements "$ENTITLEMENTS_PATH" \
+ --sign - \
+ "$APP_PATH"
The app bundle signing also uses --options runtime while hardcoding
ad-hoc signing (--sign -). This will fail on macOS and prevents producing
a valid hardened-runtime signature with entitlements. Make the identity
configurable and only enable Hardened Runtime when using a real identity.
------------------------------
In macos/Runner/Release.entitlements
<#279 (comment)>:
> + <key>com.apple.security.cs.allow-jit</key>
+ <true/>
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+ <true/>
+ <key>com.apple.security.cs.disable-library-validation</key>
+ <true/>
These code-signing entitlements (allow-jit,
allow-unsigned-executable-memory, disable-library-validation)
significantly weaken hardened runtime protections. Please add an inline
note explaining which dependency/feature requires them (and why they must
be enabled in Release) so future changes don’t accidentally keep or expand
them unnecessarily.
—
Reply to this email directly, view it on GitHub
<#279?email_source=notifications&email_token=A5J2675FHEXXIE7PQSHZQUT5EHVU5A5CNFSNUABKM5UWIORPF5TWS5BNNB2WEL2QOVWGYUTFOF2WK43UKJSXM2LFO4XTINRXG4YDCOBVGU2KM4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2KYZTPN52GK4S7MNWGSY3L#pullrequestreview-4677018554>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/A5J2673WINIJNLTAVNBHEWL5EHVU5AVCNFSNUABFKJSXA33TNF2G64TZHM4DMMZSGMZTIOBTHNEXG43VMU5TIOBWGEYTSMJSG4Y2C5QC>
.
Triage notifications, keep track of coding agent tasks and review pull
requests on the go with GitHub Mobile for iOS
<https://github.com/notifications/mobile/ios/A5J26747OET6H4CHUOW5OGT5EHVU5A5CNFSNUABKM5UWIORPF5TWS5BNNB2WEL2QOVWGYUTFOF2WK43UKJSXM2LFO4XTINRXG4YDCOBVGU2KM4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2KUZTPN52GK4S7NFXXG>
and Android
<https://github.com/notifications/mobile/android/A5J267ZMI2EJNSXJCTMLRD35EHVU5A5CNFSNUABKM5UWIORPF5TWS5BNNB2WEL2QOVWGYUTFOF2WK43UKJSXM2LFO4XTINRXG4YDCOBVGU2KM4TFMFZW63VGMF2XI2DPOKSWK5TFNZ2K4ZTPN52GK4S7MFXGI4TPNFSA>.
Download it today!
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.