Commit 8510e56

fix: add Metal JIT entitlements for hardened runtime code signing
Hardened Runtime blocks Metal shader JIT compilation without explicit entitlements. Adds allow-jit, allow-unsigned-executable-memory, and disable-library-validation to enable Metal compute pipeline creation. Made-with: Cursor
1 parent f57a573 commit 8510e56

2 files changed

Lines changed: 13 additions & 0 deletions

.github/entitlements.plist

Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
3+
<plist version="1.0">
4+
<dict>
5+
<key>com.apple.security.cs.allow-jit</key>
6+
<true/>
7+
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
8+
<true/>
9+
<key>com.apple.security.cs.disable-library-validation</key>
10+
<true/>
11+
</dict>
12+
</plist>
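
Review bot: com.apple.security.cs.disable-library-validation (lines 9-10 of the new plist) is not explained by the commit message, which justifies the change by Metal shader JIT compilation. This key governs which libraries and plug-ins the process may load, not executable memory, so it should either be dropped or carry a comment naming the library load that fails without it. Carrying both allow-jit and allow-unsigned-executable-memory also needs a reason: the second lifts the MAP_JIT restriction that the first keeps in place, so test whether allow-jit alone is enough for compute pipeline creation and keep only the keys shown to be required. An XML comment above each key recording the failure it fixes would make later removal safe.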

.github/workflows/build-turboquant-macos.yml

Lines changed: 1 addition & 0 deletions
@@ -114,6 +114,7 @@ jobs:
114114
if [ -f "$bin" ]; then
115115
echo "Signing $bin ..."
116116
codesign --force --options runtime --timestamp \
117+
--entitlements .github/entitlements.plist \
117118
--sign "$CODESIGN_IDENTITY" "$bin"
118119
codesign --verify --verbose "$bin"
119120
fi
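
Review bot: The added --entitlements line applies .github/entitlements.plist to every $bin that reaches this branch, so each signed binary receives all three hardened-runtime exceptions whether or not it creates Metal pipelines. Restrict the flag to the binaries that need it and sign the rest without it. The following codesign --verify --verbose only validates the signature, so consider adding codesign -d --entitlements - "$bin" after it to log what was actually embedded. The plist path is relative, so this also depends on the step running from the repository root.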
