From fb6166f7f3aa8a099772f9b7e8c5a105c76b5758 Mon Sep 17 00:00:00 2001
From: James Magahern
Date: Thu, 25 Jun 2026 00:26:11 -0700
Subject: [PATCH] server: Update README regarding system setup for private entitlements
---
 .../MessagesBridge.xcodeproj/project.pbxproj | 3 ++
 server/README.md | 33 +++++++++++++++++--
 2 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/server/MessagesBridge.xcodeproj/project.pbxproj b/server/MessagesBridge.xcodeproj/project.pbxproj
index b43992c..26ba1a9 100644
--- a/server/MessagesBridge.xcodeproj/project.pbxproj
+++ b/server/MessagesBridge.xcodeproj/project.pbxproj
@@ -1081,6 +1081,7 @@
 CODE_SIGN_STYLE = Automatic;
 GCC_PREFIX_HEADER = kordophone/KPServer.pch;
 OTHER_LDFLAGS = "-ObjC";
+PRODUCT_BUNDLE_IDENTIFIER = net.buzzert.kordophoned;
 PRODUCT_NAME = "$(TARGET_NAME)";
 SDKROOT = macosx;
 SYSTEM_FRAMEWORK_SEARCH_PATHS = (
@@ -1094,10 +1095,12 @@
 isa = XCBuildConfiguration;
 buildSettings = {
 CLANG_ENABLE_MODULES = NO;
+CODE_SIGN_ENTITLEMENTS = "kordophone/kordophoned-RestrictedEntitlements.plist";
 CODE_SIGN_IDENTITY = "-";
 CODE_SIGN_STYLE = Automatic;
 GCC_PREFIX_HEADER = kordophone/KPServer.pch;
 OTHER_LDFLAGS = "-ObjC";
+PRODUCT_BUNDLE_IDENTIFIER = net.buzzert.kordophoned;
 PRODUCT_NAME = "$(TARGET_NAME)";
 SDKROOT = macosx;
 SYSTEM_FRAMEWORK_SEARCH_PATHS = (
diff --git a/server/README.md b/server/README.md
index 000dd49..26561b1 100644
--- a/server/README.md
+++ b/server/README.md
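Review bot: CODE_SIGN_ENTITLEMENTS is added only in the second build configuration (the hunk at 1095); the first configuration's hunk at 1081 adds PRODUCT_BUNDLE_IDENTIFIER but no matching entitlements line. If that configuration does not already set it above the visible context, only one configuration will be signed with the restricted entitlements plist, and the launch behaviour the README describes will differ between builds. Confirm both configurations carry `CODE_SIGN_ENTITLEMENTS = "kordophone/kordophoned-RestrictedEntitlements.plist";`. Both buildSettings blocks begin and end outside the hunks.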
@@ -1,8 +1,36 @@
-# Entitlements
+# Entitlements
+
+`kordophoned` uses private Messages/imagent entitlements from
+`kordophone/kordophoned-RestrictedEntitlements.plist`. When it is ad hoc signed,
+macOS may refuse to launch it with:
+
+```
+The file is adhoc signed but contains restricted entitlements
+```
+
+For local development, enable private entitlement validation and the AMFI boot
+argument, then reboot:
 
-You might to enable this default to use private entitlements
 ```
 sudo defaults write /Library/Preferences/com.apple.security.coderequirements Entitlements -string always
+sudo nvram boot-args="amfi_get_out_of_my_way=1"
+```
+
+If `boot-args` already contains other values, preserve them and append
+`amfi_get_out_of_my_way=1` instead of overwriting the whole string.
+
+To confirm the settings:
+
+```
+sudo defaults read /Library/Preferences/com.apple.security.coderequirements Entitlements
+nvram boot-args
+```
+
+To undo the AMFI boot argument later, remove it from `boot-args` or delete
+`boot-args` entirely if it only contains this value:
+
+```
+sudo nvram -d boot-args
 ```
 
 Maybe a better thing to do is to DYLD_PRELOAD `imagent` and swizzle `IMDAuditTokenTaskHasEntitlement` to always return YES.
@@ -53,4 +81,3 @@ Then run kordophoned with the following option `kordophone -s -c certificate.p12 -a password.asc` You may need to unlock your GPG keyring (via gpg-agent) when running kordophoned the first time.
-