64-bit Macos builds:

Add the com.apple.security.cs.allow-unsigned-executable-memory entitlement,
and add the --timestamp & --options=runtime options to codesign to produce
a properyl signed, notarized timestamp & "hardened" runtime VM, needed for
10.14 and 11.x deployment.

build.macos64ARMv8/common/Makefile.app

@@ -198,8 +198,10 @@ signapp:
 else
 signapp:
 	rm -rf $(APP)/Contents/MacOS/*.cstemp
-	codesign -f --deep -s "$(SIGNING_IDENTITY)" \
-			--entitlements ../common/entitlements.plist $(APP)
+	codesign --force --deep -s "$(SIGNING_IDENTITY)" \
+			--timestamp --options=runtime \
+			--entitlements ../common/entitlements.plist \
+			$(APP)
 endif
 
 touchapp:

build.macos64ARMv8/common/entitlements.plist

@@ -6,6 +6,8 @@
 	<true/>
 	<key>com.apple.security.cs.allow-jit</key>
 	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
 <!-- Apparently this key allows an application to *be* a debugger,
 	not to be debugged
 	<key>com.apple.security.cs.debugger</key>

build.macos64x64/common/Makefile.app

@@ -198,7 +198,10 @@ signapp:
 else
 signapp:
 	rm -rf $(APP)/Contents/MacOS/*.cstemp
-	codesign -f --deep -s "$(SIGNING_IDENTITY)" $(APP)
+	codesign --force --deep -s "$(SIGNING_IDENTITY)" \
+			--timestamp --options=runtime \
+			--entitlements ../common/entitlements.plist \
+			$(APP)
 endif
 
 touchapp:

build.macos64x64/common/entitlements.plist

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.get-task-allow</key>
+	<true/>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+<!-- Apparently this key allows an application to *be* a debugger,
+	not to be debugged
+	<key>com.apple.security.cs.debugger</key>
+	<true/>
+-->
+</dict>
+</plist>