desktop-ui: add entitlement to allow JIT as a signed application on mac

Also disable library validation to allow MoltenVK to load. It seems
this is required even if the library is signed. This requires more
investigation.

desktop-ui/GNUmakefile

@@ -92,7 +92,7 @@ endif
 	cp -R $(ares.path)/Shaders $(output.path)/$(name).app/Contents/Resources/
 	cp -R $(mia.path)/Database $(output.path)/$(name).app/Contents/Resources/	
 	sips -s format icns resource/$(name).png --out $(output.path)/$(name).app/Contents/Resources/$(name).icns
-	codesign --force --deep --sign - $(output.path)/$(name).app
+	codesign --force --deep --options runtime --entitlements resource/$(name).selfsigned.entitlements --sign - $(output.path)/$(name).app
 else ifeq ($(platform),windows)
 	$(call mkdir,$(output.path)/Shaders/)
 	$(call mkdir,$(output.path)/Database/)

desktop-ui/resource/ares.entitlements

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+</dict>
+</plist>

desktop-ui/resource/ares.selfsigned.entitlements

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+</dict>
+</plist>

scripts/macos-make-universal.sh

@@ -26,4 +26,12 @@ cp -a desktop-ui/out-amd64 desktop-ui/out
 lipo -create -output desktop-ui/out/ares.app/Contents/MacOS/ares \
     desktop-ui/out-amd64/ares.app/Contents/MacOS/ares \
     desktop-ui/out-arm64/ares.app/Contents/MacOS/ares
-codesign --force --deep --sign - desktop-ui/out/ares.app
+
+if [ "${CERTIFICATE_NAME:-}" == "" ]; then
+    echo "Signing using self-signed"
+    ENTITLEMENTS=desktop-ui/resource/ares.selfsigned.entitlements
+else
+    echo "Signing using certificate: ${CERTIFICATE_NAME}"
+    ENTITLEMENTS=desktop-ui/resource/ares.entitlements
+fi
+codesign --force --deep --options runtime --entitlements "${ENTITLEMENTS}" --sign "${CERTIFICATE_NAME:--}" desktop-ui/out/ares.app