feat: state of the art macOS code signing with entitlements

[Copilot]

Upgrades macOS ad-hoc codesigning to include JIT entitlements and signature verification, as recommended by the Bun docs. Without proper entitlements, Gatekeeper can reject the binary or JIT execution silently fails.

Changes

• entitlements.plist (new) — JIT and memory-safety entitlements required by Bun executables:

  • cs.allow-jit, cs.allow-unsigned-executable-memory, cs.disable-executable-page-protection, cs.allow-dyld-environment-variables, cs.disable-library-validation

• build.ts — improved codesign invocation:

  • Added --deep for full binary signing
  • Added --entitlements pointing to entitlements.plist (resolved via import.meta.dir for CWD-independence)
  • Added post-sign --verify --verbose step to fail fast on invalid signatures

- Bun.spawn(["codesign", "--force", "--sign", "-", outfile])
+ Bun.spawn([
+   "codesign", "--deep", "--force", "--sign", "-",
+   "--entitlements", `${import.meta.dir}/entitlements.plist`,
+   outfile,
+ ])
// followed by: codesign --verify --verbose outfile

How did you verify your code works?

Signing runs only on darwin hosts in CI (macos-latest runners in cd.yaml) — the updated command will be exercised on the next tagged release build.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• bun.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Feat: state of the art signing for macOS</issue_title>
<issue_description>See https://bun.com/docs/bundler/executables#code-signing-on-macos</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Feat: state of the art signing for macOS #10

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[github-actions]

Coverage after merging copilot/feat-state-of-the-art-signing into main will be

97.85%

Coverage Report

File	Stmts	Branches	Funcs	Lines	Uncovered Lines
src
aggregate.ts	100%	100%	100%	100%
api-utils.ts	97.50%	100%	100%	97.18%	52, 60
api.ts	93.43%	100%	100%	92.51%	235–239, 295, 312, 63–69
cache.ts	98.08%	100%	100%	97.87%	28
group.ts	100%	100%	100%	100%
output.ts	99.12%	100%	94.74%	99.52%	58
render.ts	97.20%	100%	100%	97.14%	142–145
upgrade.ts	98%	100%	100%	97.75%	113, 117
src/render
filter.ts	100%	100%	100%	100%
highlight.ts	99.29%	100%	100%	99.01%	184–185
rows.ts	100%	100%	100%	100%
selection.ts	100%	100%	100%	100%
summary.ts	100%	100%	100%	100%

[Copilot]

Pull request overview

This PR enhances macOS code signing for Bun executables by adding JIT entitlements and signature verification, addressing Gatekeeper and runtime requirements. The changes follow the Bun documentation's recommendations for executable code signing.

Changes:

• Adds entitlements.plist with five JIT-related security entitlements required by Bun's runtime
• Updates build.ts to pass entitlements to codesign via --entitlements flag and adds --deep flag for recursive signing
• Adds post-signing verification step with codesign --verify --verbose to catch signing failures early

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
entitlements.plist	New plist file defining JIT and memory-related entitlements required for Bun executables on macOS
build.ts	Enhanced codesign command with entitlements, deep signing, and post-sign verification step

[github-actions]

Coverage after merging copilot/feat-state-of-the-art-signing into main will be

97.85%

Coverage Report

File	Stmts	Branches	Funcs	Lines	Uncovered Lines
src
aggregate.ts	100%	100%	100%	100%
api-utils.ts	97.50%	100%	100%	97.18%	52, 60
api.ts	93.43%	100%	100%	92.51%	235–239, 295, 312, 63–69
cache.ts	98.08%	100%	100%	97.87%	28
group.ts	100%	100%	100%	100%
output.ts	99.12%	100%	94.74%	99.52%	58
render.ts	97.20%	100%	100%	97.14%	142–145
upgrade.ts	98%	100%	100%	97.75%	113, 117
src/render
filter.ts	100%	100%	100%	100%
highlight.ts	99.29%	100%	100%	99.01%	184–185
rows.ts	100%	100%	100%	100%
selection.ts	100%	100%	100%	100%
summary.ts	100%	100%	100%	100%

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

[Copilot]

The --deep flag is intended for signing nested code in bundles (like .app bundles with frameworks). For a single standalone executable binary, this flag is unnecessary and may cause issues in some scenarios. Consider removing --deep unless there's a specific reason to sign nested components.

Suggested change

"--deep",