Lazarus


Title: How to enable hardened runtime
Post by: jwdietrich on May 31, 2019, 09:32:03 am
In the near future macOS will require applications to be notarized. One of the preconditions for notarizing is that the hardened runtime capability is enabled.

The steps seem to be easy within Xcode (see https://help.apple.com/xcode/mac/current/#/devf87a2ac8f for details), but is there a way to do this outside Xcode?
Title: Re: How to enable hardened runtime
Post by: john horst on May 31, 2019, 10:50:11 am
https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow

Upload Your App to the Notarization Service

Code: Bash
$ xcrun altool --notarize-app --primary-bundle-id "com.example.ote.zip" --username "AC_USERNAME" --password "@keychain:AC_PASSWORD" --file OvernightTextEditor_11.6.8.zip
Title: Re: How to enable hardened runtime
Post by: Hansaplast on May 31, 2019, 11:27:48 am
(source (https://stackoverflow.com/questions/52905940/how-to-codesign-and-enable-the-hardened-runtime-for-a-3rd-party-cli-on-xcode) and source (https://stackoverflow.com/questions/53101626/how-to-notarize-an-app-bundle-containing-helpers-embedded-in-it))


Don't you need to sign the bundle first before submitting it to the notarize service (I've never done this, but was just curious)?
From StackOverflow:

Code:
codesign --force --verbose=9 -s "Developer ID Application: XXXXXXX" --options runtime --deep --entitlements ./entitlements Myapp.app

where "--options runtime" seems to be a critical option to add.

Title: Re: How to enable hardened runtime
Post by: jwdietrich on June 02, 2019, 12:08:43 pm
Quote from: Hansaplast on May 31, 2019, 11:27:48 am
"Don't you need to sign the bundle first before submitting it to the notarize service (I've never done this, but was just curious)?"

Yes, of course. But this isn't the only requirement.
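
A preflight check for the signing step discussed in this thread, as an added example that is not part of any post: it reads the report printed by `codesign -d --verbose=4` and reports a signature that lacks the hardened runtime flag, a Developer ID authority, or a secure timestamp. The function names and sample reports are constructed for illustration; the authority and timestamp checks are assumptions drawn from Apple's notarization requirements, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `codesign -d --verbose=4` output
# on stdin, prints each missing precondition, returns 0 only if none is missing.
check_signature_report() {
    report=$(cat)
    missing=""
    # The CodeDirectory line carries the flags, e.g. flags=0x10000(runtime)
    flags=$(printf '%s\n' "$report" |
        sed -n 's/^CodeDirectory .*flags=[^(]*(\([^)]*\)).*/\1/p')
    case ",$flags," in
        *,runtime,*) ;;
        *) missing="$missing hardened-runtime" ;;
    esac
    # Signed with a Developer ID Application certificate
    printf '%s\n' "$report" | grep -q '^Authority=Developer ID Application:' ||
        missing="$missing developer-id"
    # Secure timestamp present ("Signed Time=" appears instead when it is absent)
    printf '%s\n' "$report" | grep -q '^Timestamp=' ||
        missing="$missing secure-timestamp"
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# On a Mac: codesign writes the report to stderr, hence 2>&1.
preflight() { codesign -d --verbose=4 "$1" 2>&1 | check_signature_report; }

# Constructed sample reports (paths, identifiers and names are placeholders).
sample_unhardened() {
cat <<'EOF'
Executable=/tmp/Myapp.app/Contents/MacOS/Myapp
Identifier=com.example.myapp
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Authority=Developer ID Application: XXXXXXX
Signed Time=May 31, 2019 at 11:00:00
EOF
}
sample_hardened() {
cat <<'EOF'
Executable=/tmp/Myapp.app/Contents/MacOS/Myapp
Identifier=com.example.myapp
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Authority=Developer ID Application: XXXXXXX
Timestamp=May 31, 2019 at 11:00:00
EOF
}
```

On a Mac, run `preflight Myapp.app` after signing and before the `altool` upload; a non-zero exit status means the signature would not meet the checked preconditions.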