Enabling “Hardened Runtime” from outside of XCode
https://apple.stackexchange.com/questions/357415
-
30-04-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
This question is prompted by the new Notarization requirements that Apple will enforce for Mac Apps distributed outside of the Mac App Store targeting Mojave (in the near future.)
I maintain a suite of self-hosted, Developer ID Application certificate-signed apps, using a custom runtime (Excelsior JET for Mac Java JIT Compiler / Runtime); custom bash scripts (are used as part of the apps in the installation process) and automate the builds. Therefore, there are no XCod` projects per-se involved in this process.
After consulting the developer docs, I wasn't able to find a way to activate and customize this "hardened mode" (described here) by using any kind utilities from XCode, but from the CLI (instead of the IDE GUI). Is there any way to accomplish this?
La solution 3
I have several executables in my app. Hardening takes place when all of them are signed with the --options runtime. In the end, of course, I sign the app bundle itself the same way (see the links I provided in my last comment above).
Autres conseils
Are you looking for codesign's --options runtime argument? I believe that's all you need to enable the hardened runtime.
Apple has a couple of documents that make it pretty easy to figure out your own notarization flow:
This is documented by Apple for using the command line tools xcode-select, xcrun and altool
sudo xcode-select -s /path/to/Xcode10.app
xcrun altool --notarize-app --primary-bundle-id "com.example.ote.zip" --username "AC_USERNAME" --password "@keychain:AC_PASSWORD" --file OvernightTextEditor_11.6.8.zip
So you should be able to incorporate this into whatever packaging or CI tools you use. We’ll be using this heavily at work as we start to dig into how we’ll need to notarize our various DIY toolsets and scripts.
This doesn’t exactly cover the hardening / entitlements, but I expect you’ll get JSON back from the notarization request that helps you craft the correct plist for your exceptions to the general hardening that is applied when the OS runs a notarized app.
