From a2573936a6f2975064cdafd9cbb86e1e729078e9 Mon Sep 17 00:00:00 2001
From: Hien To <tominhhien97@gmail.com>
Date: Mon, 9 Dec 2024 15:04:13 +0700
Subject: [PATCH] feat: add codesign for macos

---
 .github/workflows/python-package.yml | 51 +++++++++++++++++++++++++---
 1 file changed, 46 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index 5149fdc98..04f6bb299 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -43,7 +43,7 @@ jobs:
             runs-on: "macos-selfhosted-12"
           - os: "mac"
             name: "arm64"
-            runs-on: "macos-13-arm"
+            runs-on: "macos-silicon"
           # - os: "windows"
           #   name: "amd64"
           #   runs-on: "windows-cuda-12-0"
@@ -148,13 +148,54 @@ jobs:
             echo "PYTHON_FOLDER=$PYTHON_FOLDER" >> $GITHUB_ENV
             echo "github end PYTHON_FOLDER: ${{env.PYTHON_FOLDER}}"
 
+      - name: create plist file
+        if: runner.os == 'macOS'
+        run: |
+          cat << EOF > /tmp/entitlements.plist
+          <?xml version="1.0" encoding="UTF-8"?>
+          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+          <plist version="1.0">
+          <dict>
+              <!-- These are required for binaries built by PyInstaller -->
+              <key>com.apple.security.cs.allow-jit</key>
+              <true/>
+              <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+              <true/>
+
+              <!-- Add these for additional permissions -->
+              <key>com.apple.security.app-sandbox</key>
+              <false/>
+              <key>com.apple.security.network.client</key>
+              <true/>
+              <key>com.apple.security.network.server</key>
+              <true/>
+              <key>com.apple.security.device.audio-input</key>
+              <true/>
+              <key>com.apple.security.device.microphone</key>
+              <true/>
+              <key>com.apple.security.device.camera</key>
+              <true/>
+              <key>com.apple.security.files.user-selected.read-write</key>
+              <true/>
+              <key>com.apple.security.cs.disable-library-validation</key>
+              <true/>
+              <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+              <true/>
+              <key>com.apple.security.cs.allow-executable-memory</key>
+              <true/>
+          </dict>
+          </plist>
+          EOF
+
       - name: Notary macOS Binary
         if: runner.os == 'macOS'
         run: |
-          codesign --force --entitlements="./engine/templates/macos/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime ${{env.PYTHON_FOLDER}}/bin/python
-          codesign --force --entitlements="./engine/templates/macos/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime ${{env.PYTHON_FOLDER}}/bin/python3
-          curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sh -s -- -b /usr/local/bin
-          cd engine/cortex
+          codesign --force --entitlements="/tmp/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime ${{env.PYTHON_FOLDER}}/bin/python
+          codesign --force --entitlements="/tmp/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime ${{env.PYTHON_FOLDER}}/bin/python3
+          # Code sign all .so files and .dylib files
+          find ${{env.PYTHON_FOLDER}} -type f \( -name "*.so" -o -name "*.dylib" \) -exec codesign --force --entitlements="/tmp/entitlements.plist" -s "${{ secrets.DEVELOPER_ID }}" --options=runtime {} \;
+
+          curl -sSfL https://raw.githubusercontent.com/anchore/quill/main/install.sh | sudo sh -s -- -b /usr/local/bin
           # Notarize the binary
           quill notarize ${{env.PYTHON_FOLDER}}/bin/python
           quill notarize ${{env.PYTHON_FOLDER}}/bin/python3