authorBrian Smith <brian@dbsoft.org>2023-05-08 20:18:12 -0500
committerBrian Smith <brian@dbsoft.org>2023-05-08 20:18:12 -0500
commit688394928dfc777144b462c5a1fdf082f3a568ef (patch)
tree27ad0ed6a126bc1641b7ab5e401de6b69034f3c7 /security
parent2971cffab479097415e383366561d514086d0d0b (diff)
No Issue - Updates to Mac packaging for notarization. Add Mac entitlements.
Switch to using "create" instead of "makehybrid" when creating the disk image. This fixes bogus extended attributes that interfere with the code signature. Finally, add any -bin or dylibs in the Resources folder, since --deep skips that folder.
Diffstat (limited to 'security')
-rw-r--r--security/mac/developer.entitlements.xml38
-rw-r--r--security/mac/production.entitlements.xml23
2 files changed, 61 insertions, 0 deletions
diff --git a/security/mac/developer.entitlements.xml b/security/mac/developer.entitlements.xml
new file mode 100644
index 0000000000..1560ab9c62
--- /dev/null
+++ b/security/mac/developer.entitlements.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply during codesigning of developer builds. These
+ differ from the production entitlements in that they allow debugging of
+ executables and allow dyld environment variables to be used. This set of
+ entitlements is intended to be used for signing of builds used in
+ automated testing or local developer builds where debugging of a signed
+ build might be necessary. The com.apple.security.get-task-allow
+ entitlement must be set to true to allow debuggers to attach to
+ application processes but prohibits notarization with the notary service.
+ dyld environment variables are used for some tests and may be useful for
+ developers.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- UXP needs to create executable pages (without MAP_JIT) -->
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+ <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
+ <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+ <!-- Allow dyld environment variables for gtests and debugging -->
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+ <!-- Allow debuggers to attach to running executables -->
+ <key>com.apple.security.get-task-allow</key><true/>
+
+ <!-- UXP needs to access the microphone on sites the user allows -->
+ <key>com.apple.security.device.audio-input</key><true/>
+
+ <!-- UXP needs to access the camera on sites the user allows -->
+ <key>com.apple.security.device.camera</key><true/>
+
+ <!-- UXP needs to access the location on sites the user allows -->
+ <key>com.apple.security.personal-information.location</key><true/>
+ </dict>
+</plist>
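Review bot: The header comment of developer.entitlements.xml explains why `get-task-allow` and the dyld variables are enabled, but it never states that the file must stay out of anything that ships. With `get-task-allow`, `allow-dyld-environment-variables` and `disable-library-validation` all true, the signed app can be debugged or have a library loaded into it by other code running as the same user, and that code then runs with the camera, microphone and location entitlements declared further down. I would add a sentence to the header such as `Never sign a distributed or notarized build with this file; use production.entitlements.xml instead.` The packaging script that selects the file is not part of this diff, so whether it refuses the developer set for release builds should be checked there.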
diff --git a/security/mac/production.entitlements.xml b/security/mac/production.entitlements.xml
new file mode 100644
index 0000000000..6c2d751728
--- /dev/null
+++ b/security/mac/production.entitlements.xml
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply during codesigning of production builds.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- UXP needs to create executable pages (without MAP_JIT) -->
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+ <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
+ <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+ <!-- UXP needs to access the microphone on sites the user allows -->
+ <key>com.apple.security.device.audio-input</key><true/>
+
+ <!-- UXP needs to access the camera on sites the user allows -->
+ <key>com.apple.security.device.camera</key><true/>
+
+ <!-- UXP needs to access the location on sites the user allows -->
+ <key>com.apple.security.personal-information.location</key><true/>
+ </dict>
+</plist>
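Review bot: `com.apple.security.cs.disable-library-validation` is the widest grant in the production set, and the comment beside it gives the reason (Flash and CDMs) without saying which executables actually need it. With library validation off, the hardened runtime no longer requires loaded libraries to be signed by Apple or the same Team ID, so a dylib that ends up on one of the app's load paths runs with the camera, microphone and location entitlements listed below it. The commit message says `-bin` executables and dylibs in Resources are signed as well; if they all receive this one file, a second, narrower entitlements file for processes that never load plugins would reduce that exposure. I would also extend the first comment to `<!-- UXP needs to create executable pages (without MAP_JIT); switch to com.apple.security.cs.allow-jit once JIT pages are mapped with MAP_JIT -->` so the broader entitlement is recorded as temporary.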