From e1778f4282f92fba7e0abd00081b4b20c7161641 Mon Sep 17 00:00:00 2001
From: Brant DeBow <125889545+brant-livefront@users.noreply.github.com>
Date: Tue, 31 Dec 2024 15:16:31 -0500
Subject: [PATCH] [PM-16530] [BRE-283] Changes to support hardening on the Mac
 desktop app (#12632)

* [DEVOPS-1424] Changes to support hardening on the Mac desktop app

* Remove unsigned memory exception

* Remove exceptions from the local (non-MAS) mac builds as well

---------

Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
---
 apps/desktop/electron-builder.json                            | 2 +-
 .../resources/entitlements.desktop_proxy.inherit.plist        | 2 ++
 apps/desktop/resources/entitlements.desktop_proxy.plist       | 2 ++
 apps/desktop/resources/entitlements.mac.plist                 | 4 ----
 apps/desktop/resources/entitlements.mas.inherit.plist         | 4 +---
 apps/desktop/resources/entitlements.mas.plist                 | 2 ++
 6 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/apps/desktop/electron-builder.json b/apps/desktop/electron-builder.json
index 898ad086b29..c8114d947e4 100644
--- a/apps/desktop/electron-builder.json
+++ b/apps/desktop/electron-builder.json
@@ -133,7 +133,7 @@
     "entitlements": "resources/entitlements.mas.plist",
     "entitlementsInherit": "resources/entitlements.mas.inherit.plist",
     "entitlementsLoginHelper": "resources/entitlements.mas.loginhelper.plist",
-    "hardenedRuntime": false,
+    "hardenedRuntime": true,
     "extendInfo": {
       "LSMinimumSystemVersion": "12",
       "ElectronTeamID": "LTZ2PFU5D6"
diff --git a/apps/desktop/resources/entitlements.desktop_proxy.inherit.plist b/apps/desktop/resources/entitlements.desktop_proxy.inherit.plist
index 794eada1cad..fca5f02d52d 100644
--- a/apps/desktop/resources/entitlements.desktop_proxy.inherit.plist
+++ b/apps/desktop/resources/entitlements.desktop_proxy.inherit.plist
@@ -6,5 +6,7 @@
 	<true/>
 	<key>com.apple.security.inherit</key>
 	<true/>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
 </dict>
 </plist>
diff --git a/apps/desktop/resources/entitlements.desktop_proxy.plist b/apps/desktop/resources/entitlements.desktop_proxy.plist
index d5c7b8a2cc8..1a39a482389 100644
--- a/apps/desktop/resources/entitlements.desktop_proxy.plist
+++ b/apps/desktop/resources/entitlements.desktop_proxy.plist
@@ -8,5 +8,7 @@
 	<array>
 		<string>LTZ2PFU5D6.com.bitwarden.desktop</string>
 	</array>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
 </dict>
 </plist>
diff --git a/apps/desktop/resources/entitlements.mac.plist b/apps/desktop/resources/entitlements.mac.plist
index 34c561bd03f..e273bcc7eca 100644
--- a/apps/desktop/resources/entitlements.mac.plist
+++ b/apps/desktop/resources/entitlements.mac.plist
@@ -4,10 +4,6 @@
 <dict>
 	<key>com.apple.security.cs.allow-jit</key>
 	<true/>
-	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
-	<true/>
-	<key>com.apple.security.cs.disable-library-validation</key>
-	<true/>
 	<!--
 	<key>com.apple.developer.authentication-services.autofill-credential-provider</key>
 	<true/>
diff --git a/apps/desktop/resources/entitlements.mas.inherit.plist b/apps/desktop/resources/entitlements.mas.inherit.plist
index 7e1674a8f16..7e957fce7ce 100644
--- a/apps/desktop/resources/entitlements.mas.inherit.plist
+++ b/apps/desktop/resources/entitlements.mas.inherit.plist
@@ -6,9 +6,7 @@
 	<true/>
 	<key>com.apple.security.inherit</key>
 	<true/>
-	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
-	<true/>
-	<key>com.apple.security.cs.disable-library-validation</key>
+	<key>com.apple.security.cs.allow-jit</key>
 	<true/>
 	<!--
 	<key>com.apple.developer.authentication-services.autofill-credential-provider</key>
diff --git a/apps/desktop/resources/entitlements.mas.plist b/apps/desktop/resources/entitlements.mas.plist
index 07cbd0efbab..0450111bebd 100644
--- a/apps/desktop/resources/entitlements.mas.plist
+++ b/apps/desktop/resources/entitlements.mas.plist
@@ -34,5 +34,7 @@
 		<string>/Library/Application Support/Microsoft Edge Canary/NativeMessagingHosts/</string>
         <string>/Library/Application Support/Vivaldi/NativeMessagingHosts/</string>
 	</array>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
 </dict>
 </plist>