Entitlements for signed and notarized apps

To allow some features of LiveCode to work correctly in signed and notarized apps you need to include the relevant entitlements in an entitlements file. The permissions are then incorporated into the code signature when you build the app.

The entitlement keys are documented here.

Create an entitlements file

Create a new "entitlements.plist" file in the same folder as the app bundle is stored and add any entitlements your app requires.

This example adds the entitlement required for AppleScript to run.

<dict>
	<key>com.apple.security.automation.apple-events</key>
	<true/>
</dict>
Click to copy

Include the entitlements file when you sign your app

sudo codesign --verbose --deep --force --sign "<your_certificate_here>" --options runtime --entitlements <path_to_entitlements.plist_file> <path_to_standalone_app_bundle>
Click to copy

The LiveCode entitlements

The "entitlements.plist" file that we use when we sign LiveCode builds is the following:

<dict>
 	<key>com.apple.security.cs.allow-jit</key>
 	<true/>
 	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
 	<true/>
 	<key>com.apple.security.cs.allow-dyld-environment-variables</key>
 	<true/>
 	<key>com.apple.security.cs.disable-library-validation</key>
 	<true/>
 	<key>com.apple.security.cs.disable-executable-page-protection</key>
 	<true/>
 	<key>com.apple.security.device.audio-input</key>
 	<true/>
 	<key>com.apple.security.device.camera</key>
 	<true/>
 	<key>com.apple.security.personal-information.location</key>
 	<true/>
 	<key>com.apple.security.personal-information.addressbook</key>
 	<true/>
 	<key>com.apple.security.personal-information.photos-library</key>
 	<true/>
 	<key>com.apple.security.automation.apple-events</key>
 	<true/>
 </dict> 
Click to copy

An option is to sign your app using all the entitlements that LiveCode uses. This will ensure that no features will break because the proper entitlement was not used.

2 Comments

jeff k

I copied/pasted the example "entitlements.plist" into a word processor, substituted returns for tabs, stripped out all errant spaces, and saved this as a plain-text file.
Including this file when code-signing my app, I received the following error message in Terminal:
"Failed to parse entitlements : AMFIUnserializeXML: syntax error near line 1"
In the Apple developer forums I found the suggestion to run the following command line first to ensure that the file was formatted properly:
sudo plutil -convert xml1 "path_to_entitlements_file"
When I ran this and then tried again to code-sign the app, all went well without error.
So do you recommend employing this check of "entitlements.plist" routinely before code-signing?
Thanks.

Matthias Rebbe

I always use all entitlements as the lesson recommends. I've stored that file in the My Livecode folder under resources/entitlements. So if you have now a working file there should be no need to check it again. And if you need to do changes to that file, make a copy and use an editor instead of a word processor app. My sample file can be found here
https://dl.qck.nu/?dl=entitlement.plist.zip

Add your comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.