From 8635dd83ba546c2f0fe2fcd321842310097b2b7e Mon Sep 17 00:00:00 2001
From: Timothy Schoen <44585538+timothyschoen@users.noreply.github.com>
Date: Thu, 15 Jan 2026 10:33:45 +0100
Subject: [PATCH 1/4] Fix dfu-util untrusted warning on macOS
---
build.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/build.sh b/build.sh
index 356e8d5..b157e91 100755
--- a/build.sh
+++ b/build.sh
@@ -240,6 +240,8 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
com.apple.security.cs.disable-library-validation
+ com.apple.security.cs.allow-dyld-environment-variables
+
EOF
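Review bot: The added `com.apple.security.cs.allow-dyld-environment-variables` key sits next to `com.apple.security.cs.disable-library-validation`, and together they switch off the two hardened-runtime protections that stop a foreign library from being loaded into the signed process. Nothing in the heredoc says why the key is needed, and the subject line ("untrusted warning") describes a Gatekeeper prompt rather than a DYLD_* requirement. I would add a comment above the `cat > entitlements.plist` line, such as `# allow-dyld-environment-variables: required because <reason>; weakens hardened runtime, keep scoped to the binary that needs it`. The heredoc and the codesign calls that consume this file start and end outside the hunk, so which binaries receive the entitlement cannot be checked from here.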
From b738c324d559505ef1931e63d7cebc40bda410f2 Mon Sep 17 00:00:00 2001
From: Timothy Schoen <44585538+timothyschoen@users.noreply.github.com>
Date: Thu, 15 Jan 2026 11:08:41 +0100
Subject: [PATCH 2/4] Allow dfu-util to access USB devices
---
build.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/build.sh b/build.sh
index b157e91..ced8c38 100755
--- a/build.sh
+++ b/build.sh
@@ -242,6 +242,8 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
com.apple.security.cs.allow-dyld-environment-variables
+ com.apple.security.device.usb
+
EOF
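Review bot: `com.apple.security.device.usb` is an App Sandbox entitlement, and the keys visible for this plist elsewhere in the series do not include `com.apple.security.app-sandbox`, so the added key most likely has no effect on a non-sandboxed command-line tool. The plist markup is stripped on this page, so this should be confirmed against the real file. If USB access failed before this change, the cause is more likely elsewhere (for example library loading under the hardened runtime). I would either drop the key or add a comment such as `# device.usb: only honoured under App Sandbox; kept because <observed failure>` so a later reader does not treat it as the thing that grants access.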
From 6706a0a4274b607bbbfd539e4b34b967e5d97d4e Mon Sep 17 00:00:00 2001
From: Timothy Schoen <44585538+timothyschoen@users.noreply.github.com>
Date: Thu, 15 Jan 2026 11:18:00 +0100
Subject: [PATCH 3/4] Limit extra entitlements to dfu-util only, remove dfu
prefix/suffix executables
---
build.sh | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/build.sh b/build.sh
index ced8c38..c0a641a 100755
--- a/build.sh
+++ b/build.sh
@@ -129,8 +129,6 @@ fi
# copy dfu-util
cp $(which dfu-util) ./Heavy/bin/dfu-util
-cp $(which dfu-prefix) ./Heavy/bin/dfu-prefix
-cp $(which dfu-suffix) ./Heavy/bin/dfu-suffix
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
cp "$(ldconfig -p | grep libusb-1.0.so | tr ' ' '\n' | grep /)" ./Heavy/lib/libusb-1.0.so
@@ -249,10 +247,11 @@ elif [[ "$OSTYPE" == "darwin"* ]]; then
EOF
find ./Heavy -type f -perm +111 -exec file {} \; | grep "Mach-O.*executable" | cut -d: -f1 | while read f; do
- /usr/bin/codesign --force --options runtime --entitlements entitlements.plist -s "Developer ID Application: Timothy Schoen (7SV7JPRR2L)" "$f"
+ /usr/bin/codesign --force --options runtime -s "Developer ID Application: Timothy Schoen (7SV7JPRR2L)" "$f"
done
- find ./Heavy -type f \( -name "*.dylib" -o -name "*.so" \) -exec /usr/bin/codesign --force --options runtime --entitlements entitlements.plist -s "Developer ID Application: Timothy Schoen (7SV7JPRR2L)" {} \;
-
+ find ./Heavy -type f \( -name "*.dylib" -o -name "*.so" \) -exec /usr/bin/codesign --force --options runtime -s "Developer ID Application: Timothy Schoen (7SV7JPRR2L)" {} \;
+ /usr/bin/codesign --force --options runtime --entitlements entitlements.plist -s "Developer ID Application: Timothy Schoen (7SV7JPRR2L)" ./Heavy/bin/dfu-util
+
# Submit the zipped executable for notarization
# This makes sure we can at least run it with online notarization
ditto -c -k --keepParent ./Heavy Heavy.zip
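Review bot: The new `codesign ... --entitlements entitlements.plist ... ./Heavy/bin/dfu-util` line puts a Developer ID signature and the relaxed entitlements on a binary whose origin is never checked. The first hunk shows it is copied from `$(which dfu-util)`, i.e. whatever is first on the build machine's PATH. I would pin the expected binary before signing, e.g. `echo "<expected-sha256>  ./Heavy/bin/dfu-util" | shasum -a 256 -c - || exit 1`, or at least log its path and hash in the build output. It would also help to add `/usr/bin/codesign --verify --strict ./Heavy/bin/dfu-util || exit 1` after the re-sign, because no exit status of any codesign call is checked in the visible lines. The enclosing `elif` branch starts and ends outside the hunk.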
From f5a066d0ef391201fe60db9f32e7546e854d6404 Mon Sep 17 00:00:00 2001
From: Timothy Schoen <44585538+timothyschoen@users.noreply.github.com>
Date: Thu, 15 Jan 2026 11:33:28 +0100
Subject: [PATCH 4/4] Don't use hardened runtime on dfu-util
---
build.sh | 19 ++-----------------
1 file changed, 2 insertions(+), 17 deletions(-)
diff --git a/build.sh b/build.sh
index c0a641a..8c23bfc 100755
--- a/build.sh
+++ b/build.sh
@@ -231,26 +231,11 @@ if [[ "$OSTYPE" == "linux-gnu"* ]]; then
elif [[ "$OSTYPE" == "darwin"* ]]; then
mv ./hvcc/dist/pyinstaller/macosx_15_0_x86_64/Heavy Heavy/bin/Heavy/
- cat > entitlements.plist << EOF
-
-
-
-
- com.apple.security.cs.disable-library-validation
-
- com.apple.security.cs.allow-dyld-environment-variables
-
- com.apple.security.device.usb
-
-
-
-EOF
-
find ./Heavy -type f -perm +111 -exec file {} \; | grep "Mach-O.*executable" | cut -d: -f1 | while read f; do
/usr/bin/codesign --force --options runtime -s "Developer ID Application: Timothy Schoen (7SV7JPRR2L)" "$f"
done
- find ./Heavy -type f \( -name "*.dylib" -o -name "*.so" \) -exec /usr/bin/codesign --force --options runtime -s "Developer ID Application: Timothy Schoen (7SV7JPRR2L)" {} \;
- /usr/bin/codesign --force --options runtime --entitlements entitlements.plist -s "Developer ID Application: Timothy Schoen (7SV7JPRR2L)" ./Heavy/bin/dfu-util
+ find ./Heavy -type f \( -name "*.dylib" -o -name "*.so" \) -exec /usr/bin/codesign --force -s "Developer ID Application: Timothy Schoen (7SV7JPRR2L)" {} \;
+ /usr/bin/codesign --force -s "Developer ID Application: Timothy Schoen (7SV7JPRR2L)" ./Heavy/bin/dfu-util
# Submit the zipped executable for notarization
# This makes sure we can at least run it with online notarization
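Review bot: The final `codesign --force -s ... ./Heavy/bin/dfu-util` re-signs the tool without `--options runtime`, yet the lines that follow submit the bundle for notarization, which normally rejects executables that lack the hardened runtime. Even if the submission passes, the shipped dfu-util would then accept injected libraries while carrying the Developer ID signature. The `find ... -name "*.dylib" -o -name "*.so"` line also loses `--options runtime`, which the subject line does not mention. If the hardened runtime is what breaks dfu-util, the narrower fix is to keep `--options runtime` on both lines and sign dfu-util with an entitlements file holding only the one key it turns out to need, with a comment naming the failure it works around. The `elif` branch continues outside the hunk, so the notarization call itself is not visible here.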