Embed provisioning profile

[fkorotkov]

Right now if a binary needs restricted entitlements then a host should have provisioning profile installed or the "app" should embed it. Otherwise error like the following will occur and macOS will kill the binary:

taskgated-helper	Disallowing tart because no eligible provisioning profiles found
mac_vnode_check_signature: tart: code signature validation failed fatally: When validating tart:
  Code has restricted entitlements, but the validation of its code signature failed.

I found this piece of documentation:

Some macOS products, like daemons and command-line tools, ship as a standalone executable. A standalone executable can’t claim a restricted entitlement because there’s no place to embed the provisioning profile that authorizes that claim. If your standalone executable needs to do this, wrap it in an app-like structure. For an example of this, see Signing a Daemon with a Restricted Entitlement.

If your standalone executable needs to do this, wrap it in an app-like structure. part is very concerning for just distributing binaries.

I haven't yet figured out how to embed provisioning profile with a binary so decided to create this issue/feature request to surface the use case and see if someone experienced it.