From bb4f972d58e1684258d5e069cb31c453d0e3f1f6 Mon Sep 17 00:00:00 2001 From: Micha Date: Tue, 30 Dec 2025 19:14:40 +0100 Subject: [PATCH] feat: re-enable sandbox with minimal entitlements - Re-enable app-sandbox - Add network.client entitlement (required for Sparkle updates) - Keep build script passing entitlements to codesign - Use ditto for ZIP to preserve code signatures This is a minimal sandbox configuration focused on security while keeping updates working. --- iKeyMon.entitlements | 4 ++++ scripts/build_release.sh | 1 + 2 files changed, 5 insertions(+) diff --git a/iKeyMon.entitlements b/iKeyMon.entitlements index 6631ffa..ee95ab7 100644 --- a/iKeyMon.entitlements +++ b/iKeyMon.entitlements @@ -2,5 +2,9 @@ + com.apple.security.app-sandbox + + com.apple.security.network.client + diff --git a/scripts/build_release.sh b/scripts/build_release.sh index b43a594..1418557 100755 --- a/scripts/build_release.sh +++ b/scripts/build_release.sh @@ -165,6 +165,7 @@ if [[ -n "${CODESIGN_IDENTITY:-}" ]]; then --force \ --options runtime \ --timestamp \ + --entitlements "$ROOT_DIR/iKeyMon.entitlements" \ --sign "$CODESIGN_IDENTITY" \ "$APP_PATH" else
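Review bot: The `@@ -2,5 +2,9 @@` hunk grants only `com.apple.security.network.client`, which lets a sandboxed app download an update but does not by itself let Sparkle install one. If the project uses Sparkle 2, its sandboxing guide also expects `SUEnableInstallerLauncherService` in Info.plist and a `com.apple.security.temporary-exception.mach-lookup.global-name` array listing `<bundle-id>-spks` and `<bundle-id>-spki`; neither is visible in this patch, so confirm they are set elsewhere. Because build_release.sh passes this file straight to codesign, the bundle id would have to be written literally rather than as `$(PRODUCT_BUNDLE_IDENTIFIER)`. A sandbox that silently breaks updating leaves users on old builds, so an end-to-end update from a signed release build is worth testing before this ships.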
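Review bot: Nothing after the `codesign` call in the `@@ -165,6 +165,7 @@` hunk checks that the sandbox entitlement actually ended up in the signature, so a later re-sign or an edit that drops the flag would ship an unsandboxed build unnoticed. After signing I would add `codesign --verify --strict --verbose=2 "$APP_PATH"` and dump the embedded entitlements with `codesign -d --entitlements - "$APP_PATH"`, failing the script when `com.apple.security.app-sandbox` is absent from the output. Note also that `--entitlements` here applies to the outer bundle only. Whether nested code such as Sparkle's helpers is signed before this step cannot be seen, since the `if` block starts and ends outside the hunk.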