From 5af2f33a9d01b825aa7de8d3a6e6ef0dce94230b Mon Sep 17 00:00:00 2001
From: khcrysalis <97859147+khcrysalis@users.noreply.github.com>
Date: Mon, 16 Feb 2026 13:12:36 -0800
Subject: [PATCH] fix: apply 0o775 permissions
On iOS, binaries without `0o755` permissions are able to be executed just fine without this change. On macOS, this fix is needed because often 3rd party developers don't properly set permissions when distributing their iOS apps, making their app unable to properly run on macOS (saying that the app is damaged, or something similar).
---
 apple-codesign/src/bundle_signing.rs | 16 ++++++++++++++++
 apple-codesign/src/signing.rs | 9 +++++++++
 2 files changed, 25 insertions(+)
diff --git a/apple-codesign/src/bundle_signing.rs b/apple-codesign/src/bundle_signing.rs
index e00f55c85..80213b7dd 100644
--- a/apple-codesign/src/bundle_signing.rs
+++ b/apple-codesign/src/bundle_signing.rs
@@ -469,6 +469,14 @@ impl<'a, 'key> BundleSigningContext<'a, 'key> {
 ) -> Result<(PathBuf, SignedMachOInfo), AppleCodesignError> {
 warn!("signing Mach-O file {}", bundle_rel_path.display());
+ #[cfg(unix)]
+ {
+ use std::os::unix::fs::PermissionsExt;
+ let mut perms = std::fs::metadata(source_path)?.permissions();
+ perms.set_mode(0o755);
+ std::fs::set_permissions(source_path, perms)?;
+ }
+
 let macho_data = std::fs::read(source_path)?;
 let signer = MachOSigner::new(&macho_data)?;
@@ -723,6 +731,14 @@ impl SingleBundleSigner {
 if let Some(exe) = main_exe {
 warn!("signing main executable {}", exe.relative_path().display());
+ #[cfg(unix)]
+ {
+ use std::os::unix::fs::PermissionsExt;
+ let mut perms = std::fs::metadata(exe.absolute_path())?.permissions();
+ perms.set_mode(0o755);
+ std::fs::set_permissions(exe.absolute_path(), perms)?;
+ }
+
 let macho_data = std::fs::read(exe.absolute_path())?;
 let signer = MachOSigner::new(&macho_data)?;
diff --git a/apple-codesign/src/signing.rs b/apple-codesign/src/signing.rs
index 5d6b4f4d9..6ea511b58 100644
--- a/apple-codesign/src/signing.rs
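Review bot: `perms.set_mode(0o755)` in the first `bundle_signing.rs` hunk replaces the file's whole mode rather than adding the missing execute bits, so a binary its owner had restricted (for example to `0o700`) becomes readable and executable by every local user, and any other mode bits already on the file are discarded. The identical block appears again in the main-executable hunk of this file and in the `signing.rs` hunk. Adding only what is missing preserves the owner's restrictions: `perms.set_mode(perms.mode() | 0o111);`, or derive each execute bit from the matching read bit if execute should follow read. Because the three copies differ only in the path expression, a single private helper taking `&Path` would keep them from drifting apart. The enclosing functions start and end outside these hunks.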
+++ b/apple-codesign/src/signing.rs
@@ -66,6 +66,15 @@ impl<'key> UnifiedSigner<'key> {
 let output_path = output_path.as_ref();
 warn!("signing {} as a Mach-O binary", input_path.display());
+
+ #[cfg(unix)]
+ {
+ use std::os::unix::fs::PermissionsExt;
+ let mut perms = std::fs::metadata(input_path)?.permissions();
+ perms.set_mode(0o755);
+ std::fs::set_permissions(input_path, perms)?;
+ }
+
 let macho_data = std::fs::read(input_path)?;
 let mut settings = self.settings.clone();
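Review bot: The chmod here is applied to `input_path`, the file being read, and a failure aborts signing through `?` even though the next line needs only read access and the result is presumably written to `output_path`. An input on a read-only mount, or one owned by another user, would now fail to sign where it previously succeeded, and a successful run silently changes a file the caller passed in as input. `std::fs::metadata` and `std::fs::set_permissions` also follow symlinks, so if `input_path` is a link the mode change lands on its target. Consider setting the mode on the written output instead, or downgrading a failure at this point to a `warn!` so signing can continue. The function body continues outside the hunk, so where the output is written is not visible here.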