
Author Topic: How to enable hardened runtime  (Read 480 times)

jwdietrich

How to enable hardened runtime
« on: May 31, 2019, 09:32:03 am »
In the near future macOS will require applications to be notarized. One of the preconditions for notarizing is that the hardened runtime capability is enabled.

The steps seem to be easy within Xcode (see https://help.apple.com/xcode/mac/current/#/devf87a2ac8f for details), but is there a way to do this outside Xcode?
function GetRandomNumber: integer; // xkcd.com
begin
  GetRandomNumber := 4; // chosen by fair dice roll. Guaranteed to be random.
end;

http://www.formatio-reticularis.de

Lazarus 2.0.2 | FPC 3.0.4 | PPC, Intel, ARM | macOS, Windows, Linux

john horst

Re: How to enable hardened runtime
« Reply #1 on: May 31, 2019, 10:50:11 am »
https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow

Upload Your App to the Notarization Service

Code: Bash
$ xcrun altool --notarize-app --primary-bundle-id "com.example.ote.zip" --username "AC_USERNAME" --password "@keychain:AC_PASSWORD" --file OvernightTextEditor_11.6.8.zip
« Last Edit: May 31, 2019, 10:51:56 am by john horst »

Hansaplast

Re: How to enable hardened runtime
« Reply #2 on: May 31, 2019, 11:27:48 am »
(source and source)


Don't you need to sign the bundle first before submitting it to the notarize service (I've never done this, but was just curious)?
From StackOverflow;



Code:
codesign --force  --verbose=9 -s "Developer ID Application: XXXXXXX" --options runtime --deep --entitlements ./entitlements Myapp.app

where "--options runtime" seems to be a critical option to add.
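
A check that can follow the signing step above and run before upload, written as an added example that is not part of the original thread: it reads the report from `codesign -d --verbose=4` and tests the hardened-runtime bit (0x10000, shown by codesign as `flags=0x10000(runtime)`) in the CodeDirectory flags. The function names and the sample reports are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a signed bundle carries the hardened runtime flag.

CS_RUNTIME=0x10000   # hardened-runtime bit in the CodeDirectory flags word

# Reads `codesign -d --verbose=4` output on stdin.
# Returns 0 if the runtime bit is set, 1 if it is clear,
# 2 if no CodeDirectory line was found (unsigned or not codesign output).
has_hardened_runtime() {
    flags=$(sed -n 's/^CodeDirectory .*flags=\(0x[0-9A-Fa-f]*\).*/\1/p' | head -n 1)
    [ -n "$flags" ] || return 2
    # Test the bit instead of matching "(runtime)": other flags may be set too.
    [ $(( $flags & $CS_RUNTIME )) -ne 0 ]
}

# macOS only: codesign writes its -d report to stderr, so merge it into stdout.
check_bundle() {
    codesign -d --verbose=4 "$1" 2>&1 | has_hardened_runtime
}

# Constructed sample reports (paths, identifier and sizes are made up).
sample_hardened() {
    cat <<'EOF'
Executable=/Applications/Myapp.app/Contents/MacOS/Myapp
Identifier=com.example.myapp
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
EOF
}

sample_plain() {
    cat <<'EOF'
Executable=/Applications/Myapp.app/Contents/MacOS/Myapp
Identifier=com.example.myapp
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+3 location=embedded
EOF
}

if [ $# -gt 0 ]; then
    # Real bundle given on the command line.
    if check_bundle "$1"; then echo "$1: hardened runtime enabled"
    else echo "$1: hardened runtime NOT enabled"; fi
else
    # No argument: run against the constructed samples.
    sample_hardened | has_hardened_runtime && echo "sample_hardened: enabled"
    sample_plain | has_hardened_runtime || echo "sample_plain: not enabled"
fi
```

Run it with the path to the signed bundle as its only argument on macOS; without an argument it only exercises the constructed samples.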


jwdietrich

Re: How to enable hardened runtime
« Reply #3 on: June 02, 2019, 12:08:43 pm »
Quote from: Hansaplast
"Don't you need to sign the bundle first before submitting it to the notarize service (I've never done this, but was just curious)?"

Yes, of course. But this isn't the only requirement.