chore: update app entitlements

build/azure-pipelines/darwin/app-entitlements.plist

@@ -4,12 +4,6 @@
 <dict>
     <key>com.apple.security.cs.allow-jit</key>
     <true/>
-    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
-    <true/>
-    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
-    <true/>
-    <key>com.apple.security.cs.disable-library-validation</key>
-    <true/>
     <key>com.apple.security.device.audio-input</key>
     <true/>
     <key>com.apple.security.device.camera</key>

build/azure-pipelines/darwin/helper-plugin-entitlements.plist

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+</dict>
+</plist>

build/darwin/sign.js

@@ -26,6 +26,7 @@ async function main() {
     const helperAppBaseName = product.nameShort;
     const gpuHelperAppName = helperAppBaseName + ' Helper (GPU).app';
     const rendererHelperAppName = helperAppBaseName + ' Helper (Renderer).app';
+    const pluginHelperAppName = helperAppBaseName + ' Helper (Plugin).app';
     const infoPlistPath = path.resolve(appRoot, appName, 'Contents', 'Info.plist');
     const defaultOpts = {
         app: path.join(appRoot, appName),
@@ -45,7 +46,8 @@ async function main() {
         // TODO(deepak1556): Incorrectly declared type in electron-osx-sign
         ignore: (filePath) => {
             return filePath.includes(gpuHelperAppName) ||
-                filePath.includes(rendererHelperAppName);
+                filePath.includes(rendererHelperAppName) ||
+                filePath.includes(pluginHelperAppName);
         }
     };
     const gpuHelperOpts = {
@@ -60,6 +62,12 @@ async function main() {
         entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-renderer-entitlements.plist'),
         'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-renderer-entitlements.plist'),
     };
+    const pluginHelperOpts = {
+        ...defaultOpts,
+        app: path.join(appFrameworkPath, pluginHelperAppName),
+        entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist'),
+        'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist'),
+    };
     // Only overwrite plist entries for x64 and arm64 builds,
     // universal will get its copy from the x64 build.
     if (arch !== 'universal') {
@@ -87,6 +95,7 @@ async function main() {
     }
     await codesign.signAsync(gpuHelperOpts);
     await codesign.signAsync(rendererHelperOpts);
+    await codesign.signAsync(pluginHelperOpts);
     await codesign.signAsync(appOpts);
 }
 if (require.main === module) {

build/darwin/sign.ts

@@ -29,6 +29,7 @@ async function main(): Promise<void> {
 	const helperAppBaseName = product.nameShort;
 	const gpuHelperAppName = helperAppBaseName + ' Helper (GPU).app';
 	const rendererHelperAppName = helperAppBaseName + ' Helper (Renderer).app';
+	const pluginHelperAppName = helperAppBaseName + ' Helper (Plugin).app';
 	const infoPlistPath = path.resolve(appRoot, appName, 'Contents', 'Info.plist');
 
 	const defaultOpts: codesign.SignOptions = {
@@ -50,7 +51,8 @@ async function main(): Promise<void> {
 		// TODO(deepak1556): Incorrectly declared type in electron-osx-sign
 		ignore: (filePath: string) => {
 			return filePath.includes(gpuHelperAppName) ||
-				filePath.includes(rendererHelperAppName);
+				filePath.includes(rendererHelperAppName) ||
+				filePath.includes(pluginHelperAppName);
 		}
 	};
 
@@ -68,6 +70,13 @@ async function main(): Promise<void> {
 		'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-renderer-entitlements.plist'),
 	};
 
+	const pluginHelperOpts: codesign.SignOptions = {
+		...defaultOpts,
+		app: path.join(appFrameworkPath, pluginHelperAppName),
+		entitlements: path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist'),
+		'entitlements-inherit': path.join(baseDir, 'azure-pipelines', 'darwin', 'helper-plugin-entitlements.plist'),
+	};
+
 	// Only overwrite plist entries for x64 and arm64 builds,
 	// universal will get its copy from the x64 build.
 	if (arch !== 'universal') {
@@ -96,6 +105,7 @@ async function main(): Promise<void> {
 
 	await codesign.signAsync(gpuHelperOpts);
 	await codesign.signAsync(rendererHelperOpts);
+	await codesign.signAsync(pluginHelperOpts);
 	await codesign.signAsync(appOpts as any);
 }
 

src/vs/platform/extensions/electron-main/extensionHostStarter.ts

@@ -424,6 +424,7 @@ class UtilityExtensionHostProcess extends Disposable {
 		const args: string[] = ['--type=extensionHost', '--skipWorkspaceStorageLock'];
 		const execArgv: string[] = opts.execArgv || [];
 		const env: { [key: string]: any } = { ...opts.env };
+		const allowLoadingUnsignedLibraries: boolean = true;
 
 		// Make sure all values are strings, otherwise the process will not start
 		for (const key of Object.keys(env)) {
@@ -432,7 +433,7 @@ class UtilityExtensionHostProcess extends Disposable {
 
 		this._logService.info(`UtilityProcess<${this.id}>: Creating new...`);
 
-		this._process = new UtilityProcess(modulePath, args, { serviceName, env, execArgv });
+		this._process = new UtilityProcess(modulePath, args, { serviceName, env, execArgv, allowLoadingUnsignedLibraries });
 
 		const stdoutDecoder = new StringDecoder('utf-8');
 		this._process.stdout?.on('data', (chunk) => {