Bug 43245: Use separate entitlements for signing tor

Use a separate entitlements file for signing the tor binary, with `com.apple.security.cs.allow-unsigned-executable-memory` enabled.

Bug 43245: Use separate entitlements for signing tor
c4fb2737 · boklm · morgan · 1c24b4a9 · c4fb2737 · c4fb2737
Commit c4fb2737 authored 4 months ago by boklm Committed by morgan 4 months ago
--- a/tools/signing/macos-entitlements/tor.xml
+++ b/tools/signing/macos-entitlements/tor.xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the tor process executable.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- tor needs this when connecting to PoW onion-services.
+         See tor-browser#43250 and tor#40988 -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+    <!-- Allow loading third party libraries to support pkcs11 modules -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+    <key>com.apple.security.cs.allow-jit</key><true/>
+  </dict>
+</plist>
--- a/tools/signing/wrappers/sign-rcodesign-128
+++ b/tools/signing/wrappers/sign-rcodesign-128
@@ -82,6 +82,7 @@ $rcodesign sign \
  --code-signature-flags Contents/Frameworks/ChannelPrefs.framework:runtime \
  --code-signature-flags Contents/MacOS/plugin-container.app:runtime \
  --code-signature-flags Contents/MacOS/media-plugin-helper.app:runtime \
+  --entitlements-xml-path Contents/MacOS/Tor/tor:/signing/tor-browser-build/tools/signing/macos-entitlements/tor.xml \
  --entitlements-xml-path Contents/MacOS/plugin-container.app:/signing/tor-browser-build/tools/signing/macos-entitlements/plugin-container.xml \
  --entitlements-xml-path Contents/MacOS/media-plugin-helper.app:/signing/tor-browser-build/tools/signing/macos-entitlements/media-plugin-helper.xml \
  --entitlements-xml-path /signing/tor-browser-build/tools/signing/macos-entitlements/firefox.browser.xml \