add entitlements file (required for pyinstaller binary notarization)

https://developer.apple.com/forums/thread/695989
pyinstaller/pyinstaller#4629

Author: umbynos

.github/workflows/release.yml

@@ -76,9 +76,15 @@ jobs:
         run: pip install pyinstaller==5.0.1
 
       - name: Build
+        if: matrix.os != 'macos-10.15'
         working-directory: ${{ env.MCUBOOT_PATH }}/scripts/
         run: pyinstaller --onefile main.py -n ${{ env.PROJECT_NAME }}
 
+      - name: Build macOS
+        if: matrix.os == 'macos-10.15'
+        working-directory: ${{ env.MCUBOOT_PATH }}/scripts/
+        run: pyinstaller --osx-entitlements-file ${{ env.IMGTOOL_PACKING_PATH }}/entitlements.plist --onefile main.py -n ${{ env.PROJECT_NAME }}
+
       - name: Package
         if: matrix.os == 'windows-latest'
         working-directory: ${{ env.MCUBOOT_PATH }}/scripts/${{ env.DIST_DIR }}

entitlements.plist

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <!--
+    These are required for binaries built by PyInstaller.
+    For more info, see:
+      https://developer.apple.com/documentation/security/hardened_runtime
+      https://github.com/pyinstaller/pyinstaller/issues/4629
+  -->
+  <dict>
+    <key>com.apple.security.cs.allow-jit</key>
+	  <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+  </dict>
+</plist>

gon.config.hcl

@@ -5,6 +5,7 @@ bundle_id = "cc.arduino.imgtool"
 
 sign {
   application_identity = "Developer ID Application: ARDUINO SA (7KT7ZWMCJT)"
+  entitlements_file = "entitlements.plist"
 }
 
 # Ask Gon for zip output to force notarization process to take place.