Directions for provisioning entitlements that require hardened runtime

[ed-irl]

Repro here: https://github.com/ed-irl/bazel-ios-codesigning-repro. You must make some changes to the repo code (outlined in the README.md) attempt to run the signed app on a device to reproduce the bug.

The code signing profile actually does seem to work, but when you attempt to launch it on a device the signature fails to verify with a message: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.0SjU0G/extracted/TestBazel.app : 0xe8008015 (A valid provisioning profile for this executable was not found.)

The repro doesn't contain an example using manual profiles, but in the project I'm working on I was also unable to get verifiable provisioning to work with manual signing (with the same error).

[ed-irl]

After working on this a little bit more, I've been able to further isolate the problem to entitlements that require hardened runtime. Simply adding codesignopts = ["--options=runtime"], as suggested by some references (eg. https://wiki.freepascal.org/Hardened_runtime_for_macOS) doesn't work in the project I attached.