chore: release 26.0.57

- Re-enable app-sandbox
- Add network.client entitlement (required for Sparkle updates)
- Keep build script passing entitlements to codesign
- Use ditto for ZIP to preserve code signatures

This is a minimal sandbox configuration focused on security while
keeping updates working.

Sparkle/appcast.xml

@@ -2,6 +2,14 @@
 <rss xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" version="2.0">
     <channel>
         <title>iKeyMon</title>
+        <item>
+            <title>26.0.57</title>
+            <pubDate>Tue, 30 Dec 2025 19:20:10 +0100</pubDate>
+            <sparkle:version>123</sparkle:version>
+            <sparkle:shortVersionString>26.0.57</sparkle:shortVersionString>
+            <sparkle:minimumSystemVersion>15.2</sparkle:minimumSystemVersion>
+            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/v26.0.57/iKeyMon-26.0.57.zip" length="3008341" type="application/octet-stream" sparkle:edSignature="CWtvRnfpBpHHN7X2sK/hq1HWC3NgGe9VGuUfcXOeHkLXpylVoTR+jMRG2em2I6hRsZHQmOq0U9pWs3mlx/e8CQ=="/>
+        </item>
         <item>
             <title>26.0.56</title>
             <pubDate>Tue, 30 Dec 2025 19:09:34 +0100</pubDate>
@@ -18,13 +26,5 @@
             <sparkle:minimumSystemVersion>15.2</sparkle:minimumSystemVersion>
             <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/v26.0.55/iKeyMon-26.0.55.zip" length="4842575" type="application/octet-stream" sparkle:edSignature="3xK6KKwXxArmlpuqIgWAQVhAKmv29PB1id/jAMIcwipeGZYcqW9oXvB48tUN6Wu5jyn2QSUjdNmduhfjdWh9CA=="/>
         </item>
-        <item>
-            <title>26.0.54</title>
-            <pubDate>Tue, 30 Dec 2025 18:52:38 +0100</pubDate>
-            <sparkle:version>117</sparkle:version>
-            <sparkle:shortVersionString>26.0.54</sparkle:shortVersionString>
-            <sparkle:minimumSystemVersion>15.2</sparkle:minimumSystemVersion>
-            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/v26.0.54/iKeyMon-26.0.54.zip" length="4842612" type="application/octet-stream" sparkle:edSignature="cGicDuk+QGTh91UFjBUuDyRx3Qgehuaef2G1KF4KA29kT3qev7zBUAokuZB0TODmBAd6LSw4FQnpEbhvgEF8Dw=="/>
-        </item>
     </channel>
 </rss>

iKeyMon.entitlements

@@ -2,5 +2,9 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+	<key>com.apple.security.app-sandbox</key>
+	<true/>
+	<key>com.apple.security.network.client</key>
+	<true/>
 </dict>
 </plist>

iKeyMon.xcodeproj/project.pbxproj

@@ -322,7 +322,7 @@
 				CODE_SIGN_ENTITLEMENTS = iKeyMon.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 121;
+				CURRENT_PROJECT_VERSION = 123;
 				DEVELOPMENT_ASSET_PATHS = "\"Preview Content\"";
 				DEVELOPMENT_TEAM = Q5486ZVAFT;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -337,7 +337,7 @@
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MARKETING_VERSION = 26.0.56;
+				MARKETING_VERSION = 26.0.57;
 				PRODUCT_BUNDLE_IDENTIFIER = net.24unix.iKeyMon;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_EMIT_LOC_STRINGS = YES;
@@ -353,7 +353,7 @@
 				CODE_SIGN_ENTITLEMENTS = iKeyMon.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 121;
+				CURRENT_PROJECT_VERSION = 123;
 				DEVELOPMENT_ASSET_PATHS = "\"Preview Content\"";
 				DEVELOPMENT_TEAM = Q5486ZVAFT;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -368,7 +368,7 @@
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MARKETING_VERSION = 26.0.56;
+				MARKETING_VERSION = 26.0.57;
 				PRODUCT_BUNDLE_IDENTIFIER = net.24unix.iKeyMon;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_EMIT_LOC_STRINGS = YES;

scripts/build_release.sh

@@ -165,6 +165,7 @@ if [[ -n "${CODESIGN_IDENTITY:-}" ]]; then
     --force \
     --options runtime \
     --timestamp \
+    --entitlements "$ROOT_DIR/iKeyMon.entitlements" \
     --sign "$CODESIGN_IDENTITY" \
     "$APP_PATH"
 else

version.json

@@ -1,3 +1,3 @@
 {
-  "marketing_version": "26.0.56"
+  "marketing_version": "26.0.57"
 }