chore(entitlements): Remove unnecessary sandbox entitlements

epilande · epilande · commit 1c90901d6335 · 2025-11-03T10:36:18.000-08:00
Use $(PRODUCT_BUNDLE_IDENTIFIER) variable for Sparkle service names

Remove 6 redundant/unused entitlements from sandbox configuration:
- files.user-selected. read-only (no file operations in app)
- cs.allow-jit, cs.allow-unsigned-executable-memory,
  cs. disable-executable-page-protection, cs.disable-library-validation
  (redundant - false is default behavior)
- network.client (Sparkle uses Downloader XPC service instead)
  Reduces entitlements from 8 to 2, keeping only:
- app-sandbox (required for App Store)
- mach-lookup exceptions (required for Sparkle XPC services)
diff --git a/Annotate/Annotate.entitlements b/Annotate/Annotate.entitlements
@@ -4,22 +4,10 @@
 <dict>
 	<key>com.apple.security.app-sandbox</key>
 	<true/>
-	<key>com.apple.security.files.user-selected.read-only</key>
-	<true/>
-	<key>com.apple.security.cs.allow-jit</key>
-	<false/>
-	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
-	<false/>
-	<key>com.apple.security.cs.disable-executable-page-protection</key>
-	<false/>
-	<key>com.apple.security.cs.disable-library-validation</key>
-	<false/>
-	<key>com.apple.security.network.client</key>
-	<true/>
 	<key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
 	<array>
-		<string>com.epilande.Annotate-spks</string>
-		<string>com.epilande.Annotate-spki</string>
+		<string>$(PRODUCT_BUNDLE_IDENTIFIER)-spks</string>
+		<string>$(PRODUCT_BUNDLE_IDENTIFIER)-spki</string>
 	</array>
 </dict>
 </plist>
