@gubatron
Last active December 15, 2023 12:52
An example Entitlements.plist file to allow a desktop app to run a Java Runtime Environment on a signed .app
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>

gubatron commented Aug 19, 2020

Once your app bundle is ready, you need to copy this file inside of it, sign it, and then remove the Entitlements.plist file.

Here's a script I use:

#!/bin/bash
# DO NOT RUN THIS SCRIPT MANUALLY OR IT WILL REMOVE Entitlements.plist
# IT IS MEANT TO BE RUN FROM INSIDE THE .app to be signed since it copies
# the Entitlements.plist file to it and then deletes it after it signs the .app
function signFrostWireApp() {
    cp ../Entitlements.plist .
    local TEAM_ID="KET68JTS3L"
    # quote every path so a working directory containing spaces does not break the script
    local app="$(pwd)/FrostWire.app"
    # jre folder doesn't need an Info.plist, avoid sealed resources bullshit
    rm "${app}/Contents/PlugIns/jre/Contents/Info.plist"
    cd "${app}"
    # make sure no .DS_... or dot files are included, this can screw the signing process
    dot_clean -vnm "${app}"
    cd ..
    codesign --verbose=4 -s "${TEAM_ID}" --options=runtime --entitlements Entitlements.plist --deep --force "${app}"
    rm -f Entitlements.plist
    echo "Done with signing"
}

signFrostWireApp

It's called from another script which CDs into our target app and executes signFrostWireApp.sh relative from that path:

# Move FrostWire.app inside FW_DMG_SOURCE_FOLDER
cp -rp FrostWire.app "${FW_DMG_SOURCE_FOLDER}"

cd "${FW_DMG_SOURCE_FOLDER}"

# Sign
../signFrostWireApp.sh

# Notarize (creates a temporary FrostWire.app.zip)
../notarizeMacOSApp.sh FrostWire.app

cd ..
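
An added example, not part of the gist or of FrostWire's build scripts: a Python check that parses an entitlements plist like the one above and reports which hardened-runtime exceptions it enables, which are made redundant by a broader one, and whether the two library-loading exceptions are granted together. The narrowest-to-broadest ordering of the three executable-memory keys, the one-line summaries, and the names `audit_entitlements`, `GIST_PLIST` and `JIT_ONLY_PLIST` are assumptions of this example; both sample plists are constructed.

```python
import plistlib

# The five hardened-runtime exceptions enabled in the gist's Entitlements.plist,
# with a one-line summary of what each relaxes (wording is this example's).
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit":
        "writable and executable memory, only through mmap(MAP_JIT)",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "writable and executable memory without the MAP_JIT restriction",
    "com.apple.security.cs.disable-executable-page-protection":
        "code-signing protection of executable pages is disabled",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* environment variables are honoured at launch",
    "com.apple.security.cs.disable-library-validation":
        "libraries not signed by Apple or the app's Team ID may load",
}
# Assumption: the three executable-memory keys, narrowest to broadest.
MEMORY_KEYS = list(RUNTIME_EXCEPTIONS)[:3]
DYLD_KEY, LIBVAL_KEY = list(RUNTIME_EXCEPTIONS)[3:]


def audit_entitlements(plist_bytes):
    """Report which hardened-runtime exceptions a plist turns on."""
    ent = plistlib.loads(plist_bytes)
    # Count only boolean true values (<true/>), not <false/> or strings.
    enabled = [k for k in RUNTIME_EXCEPTIONS if ent.get(k) is True]
    memory = [k for k in MEMORY_KEYS if k in enabled]
    return {
        "enabled": enabled,
        # Narrower memory keys add nothing once a broader one is granted.
        "subsumed": memory[:-1],
        # Both together: a library named through DYLD_* variables is loaded
        # without a Team ID check, so the signed app runs third-party code.
        "injection_exposed": DYLD_KEY in enabled and LIBVAL_KEY in enabled,
        # Entitlements present in the plist that this audit does not cover.
        "other": sorted(k for k in ent if k not in RUNTIME_EXCEPTIONS),
    }


# Constructed sample inputs: the gist's five keys, and a JIT-only variant.
GIST_PLIST = plistlib.dumps({k: True for k in RUNTIME_EXCEPTIONS})
JIT_ONLY_PLIST = plistlib.dumps({MEMORY_KEYS[0]: True, LIBVAL_KEY: False})

if __name__ == "__main__":
    for name, data in (("gist", GIST_PLIST), ("jit-only", JIT_ONLY_PLIST)):
        report = audit_entitlements(data)
        print(name, report["subsumed"], report["injection_exposed"])
        for key in report["enabled"]:
            print("  ", key, "->", RUNTIME_EXCEPTIONS[key])
```

On macOS, the entitlements actually embedded in a signed bundle can be dumped with `codesign -d --entitlements :- FrostWire.app` and passed to `audit_entitlements` as bytes.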
