Add make target to sign with ad-hoc signature with correct entitlements #1586

Merged
merged 1 commit into from
Jul 23, 2025

@ychin (Member) commented Jul 23, 2025

By default, building MacVim locally will sign with an ad-hoc signature with no entitlements. Release builds are then signed with the `macvim-signed` target which signs MacVim with a valid signature and embeds the entitlements. This new target allows us to sign MacVim to have similar entitlements and behaviors as a release build without needing an Apple Developer signature.

There are currently two possible use cases for this:

  1. Package managers like Homebrew can use this to build MacVim to get the correct hardened runtime entitlements.
  2. Reproducible builds (Epic: Support reproducible builds #1506) can use this to generate a reproducible artifact. Proper release builds are not reproducible since there's no way for a proper digital signature to be reproduced, but we can strip and re-sign with an ad-hoc signature reproducibly using this target for a decent compromise.

Related: #1585

@ychin ychin added this to the Release 182 milestone Jul 23, 2025
@ychin ychin added the Non User Facing (Non-user facing change. These issues do not need to show up in release notes.) label Jul 23, 2025
@ychin ychin force-pushed the make-macvim-signed-adhoc branch from ae95916 to 601f23a Compare July 23, 2025 01:26
@ychin ychin merged commit 07e1b2e into macvim-dev:master Jul 23, 2025
2 of 5 checks passed
@ychin ychin deleted the make-macvim-signed-adhoc branch July 23, 2025 01:27
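
The three signing states the description distinguishes (ad-hoc with no entitlements, ad-hoc with hardened runtime entitlements, and a real release signature) can be told apart from `codesign` display output. The following is an added example, not code from this pull request or from MacVim; the function names, the sample outputs and the entitlement key are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample inputs below are constructed, not captured from MacVim.
# Intended use on macOS:
#   codesign -d --verbose=2 MacVim.app 2>&1 | classify_signature
#   codesign -d --entitlements - --xml MacVim.app 2>/dev/null | list_entitlements

# Classify `codesign -d --verbose=2` output read from stdin.
# Prints: adhoc-hardened | adhoc-plain | identity-signed | unsigned
classify_signature() {
    flags="" seen=""
    while IFS= read -r line; do
        case "$line" in
            CodeDirectory*flags=*)
                seen=1
                flags=${line#*flags=}     # 0x10002(adhoc,runtime) hashes=...
                flags=${flags#*"("}       # adhoc,runtime) hashes=...
                flags=${flags%%")"*}      # adhoc,runtime
                ;;
        esac
    done
    # No CodeDirectory line means codesign found no signature at all.
    [ -n "$seen" ] || { echo unsigned; return 0; }
    case ",$flags," in
        *,adhoc,*)
            case ",$flags," in
                *,runtime,*) echo adhoc-hardened ;;  # hardened runtime enabled
                *)           echo adhoc-plain ;;     # default local build state
            esac ;;
        *) echo identity-signed ;;                   # signed with a certificate
    esac
}

# List entitlement keys from an XML entitlements plist read from stdin.
list_entitlements() {
    grep -o '<key>[^<]*</key>' | sed -e 's/<key>//' -e 's/<\/key>//'
}

# Constructed sample: plain ad-hoc signature, no hardened runtime.
SAMPLE_LOCAL='Identifier=com.example.app
CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=9+3 location=embedded
Signature=adhoc'

# Constructed sample: ad-hoc signature with the hardened runtime flag set.
SAMPLE_ADHOC_ENT='Identifier=com.example.app
CodeDirectory v=20500 size=512 flags=0x10002(adhoc,runtime) hashes=9+7 location=embedded
Signature=adhoc'

# Constructed plist with a hypothetical entitlement key, for illustration only.
SAMPLE_PLIST='<plist version="1.0"><dict><key>com.example.sample-entitlement</key><true/></dict></plist>'
```

A package build or a reproducible-build check can gate on `adhoc-hardened` and on a non-empty entitlement list, since a plain local build reports `adhoc-plain` and no entitlements.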