From 983faf53759c6cb11f59f0d7d30c9b1796bc94f6 Mon Sep 17 00:00:00 2001
From: Nikhil Sonti
Date: Sun, 26 Apr 2026 13:23:16 -0700
Subject: [PATCH 1/2] fix: sign limactl with VZ entitlement
---
 packages/browseros/build/common/server_binaries.py | 2 +-
 .../browseros/build/common/server_binaries_test.py | 11 +++++++++++
 .../resources/entitlements/lima-vz-entitlements.plist | 8 ++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 packages/browseros/resources/entitlements/lima-vz-entitlements.plist
diff --git a/packages/browseros/build/common/server_binaries.py b/packages/browseros/build/common/server_binaries.py
index 20a6ca879..e15db3b54 100644
--- a/packages/browseros/build/common/server_binaries.py
+++ b/packages/browseros/build/common/server_binaries.py
@@ -30,7 +30,7 @@ class SignSpec:
 ),
 "bun": SignSpec("bun", "runtime", "browseros-executable-entitlements.plist"),
 "rg": SignSpec("rg", "runtime"),
- "limactl": SignSpec("limactl", "runtime"),
+ "limactl": SignSpec("limactl", "runtime", "lima-vz-entitlements.plist"),
 }
diff --git a/packages/browseros/build/common/server_binaries_test.py b/packages/browseros/build/common/server_binaries_test.py
index f258bb0f7..12fac0ccf 100644
--- a/packages/browseros/build/common/server_binaries_test.py
+++ b/packages/browseros/build/common/server_binaries_test.py
@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 """Tests for the shared server-binary sign table."""
+import plistlib
 import unittest
 from pathlib import Path
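Review bot: The `limactl` row in the sign table of server_binaries.py now names an entitlements file, but nothing next to it records why this one binary gets it or that the grant is meant to stay narrow. I would add a comment above the entry such as `# limactl starts VMs via Virtualization.framework, so it alone is signed with com.apple.security.virtualization; keep this plist separate from browseros-executable-entitlements.plist`. The reason is inferred from the plist name and the commit subject, so confirm it against how limactl is actually launched. The dict literal that holds these rows begins outside the hunk.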
@@ -33,6 +34,16 @@ def test_macos_sign_spec_for_resolves_by_stem(self):
 self.assertEqual(spec.identifier_suffix, "limactl")
 self.assertIsNone(macos_sign_spec_for(Path("/x/not_a_known_binary")))
+ def test_limactl_uses_vz_entitlement(self):
+ spec = macos_sign_spec_for(Path("/x/limactl"))
+ assert spec is not None
+ self.assertEqual(spec.entitlements, "lima-vz-entitlements.plist")
+
+ entitlements_name = spec.entitlements
+ assert entitlements_name is not None
+ entitlements = plistlib.loads((ENTITLEMENTS_DIR / entitlements_name).read_bytes())
+ self.assertIs(entitlements.get("com.apple.security.virtualization"), True)
+
 def test_matches_lima_bundle_layout(self):
 keys = set(MACOS_SERVER_BINARIES.keys())
 self.assertIn("limactl", keys)
diff --git a/packages/browseros/resources/entitlements/lima-vz-entitlements.plist b/packages/browseros/resources/entitlements/lima-vz-entitlements.plist
new file mode 100644
index 000000000..00ffd62aa
--- /dev/null
+++ b/packages/browseros/resources/entitlements/lima-vz-entitlements.plist
@@ -0,0 +1,8 @@
+
+
+
+
+ com.apple.security.virtualization
+
+
+
From 239dcecb9dc2c605b9b5774702de10baf4bafbfd Mon Sep 17 00:00:00 2001
From: Nikhil Sonti
Date: Sun, 26 Apr 2026 13:34:48 -0700
Subject: [PATCH 2/2] fix: address limactl entitlement test review
---
 packages/browseros/build/common/server_binaries_test.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/packages/browseros/build/common/server_binaries_test.py b/packages/browseros/build/common/server_binaries_test.py
index 12fac0ccf..b41e2891b 100644
--- a/packages/browseros/build/common/server_binaries_test.py
+++ b/packages/browseros/build/common/server_binaries_test.py
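Review bot: `test_limactl_uses_vz_entitlement` in server_binaries_test.py only checks that `com.apple.security.virtualization` is present and true, so it keeps passing if a broader hardened-runtime exception (for example `com.apple.security.cs.disable-library-validation`) is later added to lima-vz-entitlements.plist. Adding `self.assertEqual(set(entitlements), {"com.apple.security.virtualization"})` after the existing `assertIs` would pin the signed grant to exactly one entitlement while keeping the strict boolean check. The `assertIs` line is carried unchanged through the hunk in PATCH 2/2, so the same point applies there. Separately, `assert spec is not None` is stripped under `python -O`; a `self.assertIsNotNone(spec)` ahead of it would report a test failure rather than an AttributeError on the next line.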
@@ -35,12 +35,11 @@ def test_macos_sign_spec_for_resolves_by_stem(self):
 self.assertIsNone(macos_sign_spec_for(Path("/x/not_a_known_binary")))
 def test_limactl_uses_vz_entitlement(self):
+ entitlements_name = "lima-vz-entitlements.plist"
 spec = macos_sign_spec_for(Path("/x/limactl"))
 assert spec is not None
- self.assertEqual(spec.entitlements, "lima-vz-entitlements.plist")
+ self.assertEqual(spec.entitlements, entitlements_name)
- entitlements_name = spec.entitlements
- assert entitlements_name is not None
 entitlements = plistlib.loads((ENTITLEMENTS_DIR / entitlements_name).read_bytes())
 self.assertIs(entitlements.get("com.apple.security.virtualization"), True)