Enabling "Hardened Runtime" from outside of Xcode
This question is prompted by the new Notarization requirements that Apple will enforce for Mac Apps distributed outside of the Mac App Store targeting Mojave (in the near future).
I maintain a suite of self-hosted, Developer ID Application certificate-signed apps, using a custom runtime (Excelsior JET for Mac Java JIT Compiler / Runtime) and custom bash scripts (which are used as part of the apps in the installation process and to automate the builds). Therefore, there are no Xcode projects per se involved in this process.
After consulting the developer docs, I wasn't able to find a way to activate and customize this "hardened mode" (described here) by using any kind of utilities from Xcode, but from the CLI (instead of the IDE GUI). Is there any way to accomplish this?
Are you looking for codesign's `--options runtime` argument? I believe that's all you need to enable the hardened runtime.
Apple has a couple of documents that make it pretty easy to figure out your own notarization flow:
- https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow
- https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues
This is documented by Apple for using the command line tools `xcode-select`, `xcrun` and `altool`:
- https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow
sudo xcode-select -s /path/to/Xcode10.app
xcrun altool --notarize-app --primary-bundle-id "com.example.ote.zip" --username "AC_USERNAME" --password "@keychain:AC_PASSWORD" --file OvernightTextEditor_11.6.8.zip
So you should be able to incorporate this into whatever packaging or CI tools you use. We’ll be using this heavily at work as we start to dig into how we’ll need to notarize our various DIY toolsets and scripts.
This doesn’t exactly cover the hardening / entitlements, but I expect you’ll get JSON back from the notarization request that helps you craft the correct plist for your exceptions to the general hardening that is applied when the OS runs a notarized app.
I have several executables in my app. Hardening takes place when all of them are signed with `--options runtime`. In the end, of course, I sign the app bundle itself the same way (see the links I provided in my last comment above).