server: Update README regarding system setup for private entitlements

2026-06-25 00:26:11 -07:00
parent ad3f1d8356
commit fb6166f7f3
2 changed files with 33 additions and 3 deletions
--- a/server/README.md
+++ b/server/README.md
@@ -1,8 +1,36 @@
-#  Entitlements
+# Entitlements
+
+`kordophoned` uses private Messages/imagent entitlements from
+`kordophone/kordophoned-RestrictedEntitlements.plist`. When it is ad hoc signed,
+macOS may refuse to launch it with:
+
+```
+The file is adhoc signed but contains restricted entitlements
+```
+
+For local development, enable private entitlement validation and the AMFI boot
+argument, then reboot:

-You might to enable this default to use private entitlements
 ```
 sudo defaults write /Library/Preferences/com.apple.security.coderequirements Entitlements -string always
+sudo nvram boot-args="amfi_get_out_of_my_way=1"
+```
+
+If `boot-args` already contains other values, preserve them and append
+`amfi_get_out_of_my_way=1` instead of overwriting the whole string.
+
+To confirm the settings:
+
+```
+sudo defaults read /Library/Preferences/com.apple.security.coderequirements Entitlements
+nvram boot-args
+```
+
+To undo the AMFI boot argument later, remove it from `boot-args` or delete
+`boot-args` entirely if it only contains this value:
+
+```
+sudo nvram -d boot-args
 ```

 Maybe a better thing to do is to DYLD_PRELOAD `imagent` and swizzle `IMDAuditTokenTaskHasEntitlement` to always return YES. 
@@ -53,4 +81,3 @@ Then run kordophoned with the following option
 `kordophone -s -c certificate.p12 -a password.asc`

 You may need to unlock your GPG keyring (via gpg-agent) when running kordophoned the first time.
-