bhhaskin/codesign-ytmdesktop.sh

## codesign-ytmdesktop.sh
#!/usr/bin/env bash
set -euo pipefail

usage() {
  cat <<EOF
Usage: $(basename "$0") [options] [app-path]

Ad-hoc codesign a macOS Electron app with JIT entitlements.

Arguments:
  app-path    Path to the .app bundle (default: /Applications/YouTube Music Desktop App.app)

Options:
  -h, --help  Show this help message
EOF
  exit 0
}

[[ "${1:-}" == "-h" || "${1:-}" == "--help" ]] && usage

DEFAULT_APP="/Applications/YouTube Music Desktop App.app"
APP="${1:-$DEFAULT_APP}"
ENTS="$(mktemp /tmp/electron-jit.entitlements.XXXXXX.plist)"
trap 'rm -f "$ENTS"' EXIT

cat > "$ENTS" <<'PLIST'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-jit</key>
  <true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
  <true/>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
</dict>
</plist>
PLIST

if [[ ! -d "$APP" ]]; then
  echo "Error: App bundle not found: $APP" >&2
  exit 1
fi

echo "Signing: $APP"

# (a) Remove quarantine if downloaded
xattr -r -d com.apple.quarantine "$APP" 2>/dev/null || true

# (b) Sign all nested Mach-O files (frameworks, dylibs, helpers) first
#     We apply --options=runtime and the entitlements everywhere to keep AMFI happy.
while IFS= read -r -d '' f; do
  if file -b "$f" | grep -qE 'Mach-O.*(executable|dynamically linked shared library)'; then
    echo "  Signing binary: $f"
    codesign --force --sign - --timestamp=none \
      --options=runtime \
      --entitlements "$ENTS" \
      "$f"
  fi
done < <(find "$APP/Contents" -type f -print0)

# (c) Sign helper app bundles (wrappers)
while IFS= read -r -d '' helper; do
  echo "  Signing helper app: $helper"
  codesign --force --deep --sign - --timestamp=none \
    --options=runtime \
    --entitlements "$ENTS" \
    "$helper"
done < <(find "$APP/Contents/Frameworks" -type d -name "*.app" -maxdepth 1 -print0)

# (d) Sign top-level Frameworks that are bundles (Electron Framework, etc.)
while IFS= read -r -d '' fw; do
  echo "  Signing framework: $fw"
  codesign --force --deep --sign - --timestamp=none \
    --options=runtime \
    --entitlements "$ENTS" \
    "$fw"
done < <(find "$APP/Contents/Frameworks" -type d -name "*.framework" -maxdepth 1 -print0)

# (e) Finally, sign the main app bundle
codesign --force --deep --sign - --timestamp=none \
  --options=runtime \
  --entitlements "$ENTS" \
  "$APP"

# (f) Verify (deep + strict)
echo "Verifying..."
codesign --verify --deep --strict --verbose=4 "$APP"
spctl --assess --type execute --verbose=4 "$APP" 2>&1 || echo "  (spctl rejection is expected for ad-hoc signed apps — Gatekeeper requires a Developer ID)"

echo "Done."
	#!/usr/bin/env bash
	set -euo pipefail

	usage() {
	cat <<EOF
	Usage: $(basename "$0") [options] [app-path]

	Ad-hoc codesign a macOS Electron app with JIT entitlements.

	Arguments:
	app-path Path to the .app bundle (default: /Applications/YouTube Music Desktop App.app)

	Options:
	-h, --help Show this help message
	EOF
	exit 0
	}

	[[ "${1:-}" == "-h" \|\| "${1:-}" == "--help" ]] && usage

	DEFAULT_APP="/Applications/YouTube Music Desktop App.app"
	APP="${1:-$DEFAULT_APP}"
	ENTS="$(mktemp /tmp/electron-jit.entitlements.XXXXXX.plist)"
	trap 'rm -f "$ENTS"' EXIT

	cat > "$ENTS" <<'PLIST'
	<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
	<plist version="1.0">
	<dict>
	<key>com.apple.security.cs.allow-jit</key>
	<true/>
	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
	<true/>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
	</dict>
	</plist>
	PLIST

	if [[ ! -d "$APP" ]]; then
	echo "Error: App bundle not found: $APP" >&2
	exit 1
	fi

	echo "Signing: $APP"

	# (a) Remove quarantine if downloaded
	xattr -r -d com.apple.quarantine "$APP" 2>/dev/null \|\| true

	# (b) Sign all nested Mach-O files (frameworks, dylibs, helpers) first
	# We apply --options=runtime and the entitlements everywhere to keep AMFI happy.
	while IFS= read -r -d '' f; do
	if file -b "$f" \| grep -qE 'Mach-O.*(executable\|dynamically linked shared library)'; then
	echo " Signing binary: $f"
	codesign --force --sign - --timestamp=none \
	--options=runtime \
	--entitlements "$ENTS" \
	"$f"
	fi
	done < <(find "$APP/Contents" -type f -print0)

	# (c) Sign helper app bundles (wrappers)
	while IFS= read -r -d '' helper; do
	echo " Signing helper app: $helper"
	codesign --force --deep --sign - --timestamp=none \
	--options=runtime \
	--entitlements "$ENTS" \
	"$helper"
	done < <(find "$APP/Contents/Frameworks" -type d -name "*.app" -maxdepth 1 -print0)

	# (d) Sign top-level Frameworks that are bundles (Electron Framework, etc.)
	while IFS= read -r -d '' fw; do
	echo " Signing framework: $fw"
	codesign --force --deep --sign - --timestamp=none \
	--options=runtime \
	--entitlements "$ENTS" \
	"$fw"
	done < <(find "$APP/Contents/Frameworks" -type d -name "*.framework" -maxdepth 1 -print0)

	# (e) Finally, sign the main app bundle
	codesign --force --deep --sign - --timestamp=none \
	--options=runtime \
	--entitlements "$ENTS" \
	"$APP"

	# (f) Verify (deep + strict)
	echo "Verifying..."
	codesign --verify --deep --strict --verbose=4 "$APP"
	spctl --assess --type execute --verbose=4 "$APP" 2>&1 \|\| echo " (spctl rejection is expected for ad-hoc signed apps — Gatekeeper requires a Developer ID)"

	echo "Done."
No results found