10.14 Hardened Runtime and App Notarization

  1. last year

    Michael D

    15 Aug 2018 Pre-Release Testers, Xojo Pro

    Apple's introducing a new higher level of code-signing for apps. See https://help.apple.com/xcode/mac/current/#/dev88332a81e

    I'm assuming this is something we can not do with Xojo apps as it requires one to build using the "Hardened Runtime" in Xcode?

  2. Kevin G

    15 Aug 2018 Pre-Release Testers, Xojo Pro Gatesheed, England

    This is what I have found out so far about the hardened runtime...
    1. The app must be built using the macOS 10.14 SDK. Not sure if that would apply to the executable, the Xojo Framework and / or 3rd party plugins.

    2. All dynamically loaded modules (plugins) have to be signed and by the same authority or Apple.

    3. JIT executable code must have the mmap flag MAP_JIT set. This could affect XojoScript.

    4. The app must have a set of entitlements.

    As for notarising the app I found some information here:
    https://twitter.com/rosyna/status/1004418504408252416
    The only step that appears to be missing is downloading the notarised app afterwards via the command line.

  3. Tim J

    15 Aug 2018 Pre-Release Testers, Xojo Pro Dehydrating in AZ

    I used to be a big security advocate, but this is not security. It just defines an additional, yet indirect effort by Apple to lock other players out of the app game. The only good news is that they have still provided a mechanism for the end user to turn the requirement of that "feature" off.

    11 of our largest clients are seriously examining Windows and Linux for large scale Mac replacements for FY 19 just because of things like this compounding the issues that their IT teams had to deal with in the moves to 10.11 and 10.13 already.

  4. Beatrix W

    15 Aug 2018 Pre-Release Testers, Third Party Store Europe (Germany)

    1. AFAIK this applies to the Xojo framework and the plugins. Since Xojo and the plugin authors want at least some backward compatibility this alone will make problems.

    4. Sigh, that stupidity again.

    The workflow from Twitter seems very painful. I still have a Radar issue open for using XCode. For all my other issues I have had some communication. On this one there was only silence.

  5. Christoph D

    16 Aug 2018 Pre-Release Testers, Xojo Pro
    Edited last year

    Do I understand it correctly that Xojo compiled apps cannot be notarized?
    If yes, this is about the end for Xojo macOS.

    If we need to tell our customers to disable things in macOS to run our apps, we are going to lose a lot of customers for sure.

    Not good..

  6. Beatrix W

    16 Aug 2018 Pre-Release Testers, Third Party Store Europe (Germany)

    You can't notarize your apps in XCode. The process described in the Twitter messages is horrible.

    And you can't notarize your apps anyways, because all of us need at least some time of backwards compatibility with older versions of macOS. You would need a special version of Xojo and of the plugins that use system functionality AFAIK. I'm not very deep into these topics but this is my understanding.

  7. Christian S

    16 Aug 2018 Pre-Release Testers, Xojo Pro, XDC Speakers, Third Party Store Germany

    I thought this is all optional for now, so not a reason to worry for now?
    And later we probably get someone to write a tool to do all the steps for Xojo apps without Xcode, e.g. using command line.

  8. Beatrix W

    16 Aug 2018 Pre-Release Testers, Third Party Store Europe (Germany)

    Yes and no. Yes, it's "optional" right now. But with the 64bit warning we have seen again that Apple likes to scare users. Who knows what stupid message Apple will show to the users when the app is not notarized?

  9. Sascha S

    16 Aug 2018 Pre-Release Testers, Xojo Pro Germany, Lower Saxonary

    @ChristianSchmitz And later we probably get someone to write a tool to do all the steps for Xojo apps without Xcode, e.g. using command line.

    A task for App Wrapper by @Sam R ? :)

  10. Sam -> "Monetarizer" application?

  11. Sam R

    17 Aug 2018 Pre-Release Testers, Xojo Pro, Third Party Store Hengchun, Pingtung, Taiwan

    @SaschaSchneppmueller A task for App Wrapper by @Sam R ? :)

    I've been paying attention from the sidelines on this new "security" mechanism, I don't see that it will be enforced soon, I actually expected the App Sandbox to be enforced outside of the App Store by now.

    Once the dust has settled and the complete process has been revealed, then I'll attempt to implement it into App Wrapper.

  12. 11 months ago

    Travis H

    19 Oct 2018 Pre-Release Testers, Xojo Pro

    Here is what seems to have worked for me for a Xojo app distributed via a signed DMG.

    1. Open the Application Loader developer tool in Xcode. Log in to your developer account and check the box to remember the login so a keychain entry is created. This allows you to skip entering your password in subsequent steps.

    2. Code sign your app with the hardened runtime option (you may need entitlements if you are accessing any protected resources). For example:

    $ codesign --force --options runtime --deep --sign "Developer ID Application: COMPANYNAME" MYAPP.app

    3. Bundle the app into a signed DMG for distribution. Steps omitted.

    4. Upload the signed DMG for notarization:

    $ xcrun altool --notarize-app -f MYAPP.dmg --primary-bundle-id MYBUNDLEID -u MYAPPLEID -p @keychain:"Application Loader: MYAPPLEID"

    5. A RequestUUID is returned. Periodically check the status of the notarization until it has completed:

    $ xcrun altool --notarization-info REQUESTUUID -u MYAPPLEID -p @keychain:"Application Loader: MYAPPLEID"

    6. When the notarization is complete, staple the ticket to the DMG:

    $ xcrun stapler staple -v MYAPP.dmg

    7. After installing your app, verify that it is notarized:

    $ spctl -a -v /Applications/MYAPP.app
    MYAPP.app: accepted
    source=Notarized Developer ID
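
Added example (not part of Travis H's post, and not Apple's or Xojo's code): a wrapper for steps 4 to 6 above that staples only after the notary service reports success, so a rejected or timed-out submission never ships. It assumes altool prints a `RequestUUID = …` line on upload and a `Status:` line of `in progress`, `success` or `invalid` on query; the variable and function names are hypothetical.

```shell
#!/bin/bash
# Added example: fail-closed wrapper around steps 4-6 of the post above.
# APPLE_ID, POLL_SECONDS and MAX_POLLS are hypothetical variable names.
APPLE_ID="${APPLE_ID:-MYAPPLEID}"
# Keychain reference as in the post: keeps the password out of argv and history.
KEYCHAIN_REF="@keychain:Application Loader: ${APPLE_ID}"
POLL_SECONDS="${POLL_SECONDS:-30}"
MAX_POLLS="${MAX_POLLS:-60}"

# Read `altool --notarize-app` output on stdin, print the RequestUUID (or nothing).
parse_request_uuid() {
  sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*[=:][[:space:]]*\([0-9A-Fa-f-]\{36\}\)[[:space:]]*$/\1/p' | head -n 1
}

# Read `altool --notarization-info` output on stdin, print the "Status:" value.
# "Status Code:" and "Status Message:" lines are deliberately not matched.
parse_status() {
  sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' | head -n 1
}

# Thin wrappers so the polling logic can be exercised without Xcode installed.
notary_submit() { xcrun altool --notarize-app -f "$1" --primary-bundle-id "$2" -u "$APPLE_ID" -p "$KEYCHAIN_REF" 2>&1; }
notary_info() { xcrun altool --notarization-info "$1" -u "$APPLE_ID" -p "$KEYCHAIN_REF" 2>&1; }

# Poll until a final status: 0 = success, 1 = rejected, 2 = timed out.
wait_for_notarization() {
  uuid="$1"; polls=0
  while [ "$polls" -lt "$MAX_POLLS" ]; do
    status="$(notary_info "$uuid" | parse_status)"
    case "$status" in
      success) return 0 ;;
      "in progress" | "") ;;  # still scanning, or a transient query error
      *) echo "notarization of $uuid ended with status: $status" >&2; return 1 ;;
    esac
    polls=$((polls + 1))
    sleep "$POLL_SECONDS"
  done
  echo "timed out waiting for $uuid" >&2; return 2
}

# Upload, wait, and staple only after the service reports success.
notarize_and_staple() {
  dmg="$1"; bundle_id="$2"
  uuid="$(notary_submit "$dmg" "$bundle_id" | parse_request_uuid)"
  [ -n "$uuid" ] || { echo "upload failed: no RequestUUID returned" >&2; return 1; }
  wait_for_notarization "$uuid" || return
  xcrun stapler staple -v "$dmg"
}

if [ "$#" -eq 2 ]; then notarize_and_staple "$1" "$2"; fi
```

Saved under a name of your choosing, it takes the signed DMG and the bundle ID as its two arguments; a non-zero exit means the DMG was not stapled.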

  13. Thom M

    19 Oct 2018 Pre-Release Testers Greater Hartford Area, CT

    @ChristianSchmitz I thought this is all optional for now, so not a reason to worry for now?
    And later we probably get someone to write a tool to do all the steps for Xojo apps without Xcode, e.g. using command line.

    Probably becoming required sooner than expected: https://www.idownloadblog.com/2018/10/19/gatekeeper-future-macos-notarized/

  14. Thom M

    19 Oct 2018 Pre-Release Testers Greater Hartford Area, CT

    @Tim J I used to be a big security advocate, but this is not security. It just defines an additional, yet indirect effort by Apple to lock other players out of the app game. The only good news is that they have still provided a mechanism for the end user to turn the requirement of that "feature" off.

    11 of our largest clients are seriously examining Windows and Linux for large scale Mac replacements for FY 19 just because of things like this compounding the issues that their IT teams had to deal with in the moves to 10.11 and 10.13 already.

    I know this is a necro'd thread, but here's the deal with notarization. When you distribute through the app store, Apple scans your app for certain behaviors and automatically rejects before going to a human for review. The Developer ID program is good, but has no such protection. Malware can be signed and distributed outside the app store. Notarization combines the two. Users get the benefit of binaries that have been pre-scanned by Apple, while developers don't have to distribute via the app store.

    It's not about locking anybody out. Well... except for malware developers.

  15. Christoph D

    19 Oct 2018 Pre-Release Testers, Xojo Pro

    @Thom M Probably becoming required sooner than expected: https://www.idownloadblog.com/2018/10/19/gatekeeper-future-macos-notarized/

    Yeah, I also read it somewhere else. This is rumoured for macOS 10.14.1, but my guess is it will be for 10.14.2

    Guess Sam has some work to do with AppWrapper. ;-) ;-) ;-)

  16. Thom M

    19 Oct 2018 Pre-Release Testers Greater Hartford Area, CT

    @Christoph D Vocht Yeah, I also read it somewhere else. This is rumoured for macOS 10.14.1, but my guess is it will be for 10.14.2

    Guess Sam has some work to do with AppWrapper. ;-) ;-) ;-)

    I don't think that soon. 10.15 or 10.16 is more likely. There's too many legacy apps to make the switch that quickly. You should start preparing your apps for the possibility, but it's not "sound the alarm" stage yet.

  17. Jeff T

    19 Oct 2018 Pre-Release Testers Midlands of England, Europe

    Sounds like a lot of work. :(
    I have several commercial apps.
    One comes in 3 flavours and a demo
    I have been known to release an update per month.

    7 notarisation sessions a month?
    Ewww

  18. Thom M

    19 Oct 2018 Pre-Release Testers Greater Hartford Area, CT

    @Jeff T Sounds like a lot of work. :(
    I have several commercial apps.
    One comes in 3 flavours and a demo
    I have been known to release an update per month.

    7 notarisation sessions a month?
    Ewww

    Only you can best decide how to adapt your strategy, but maybe it makes sense to consolidate where possible? Rather than that one app coming in 4 editions, maybe the differences get handled by licensing so you only need to make a single build per update? Just an idea.

    If Apple is going down this path, then we have to adapt. That'll be easier for some than others.

  19. Dave S

    19 Oct 2018 San Diego, California USA
    Edited 11 months ago

    email from Apple as of 3:30pm 19-Oct-2018

    Dear R.David Sisemore,

    macOS Mojave is here. Give Mac users even more confidence in your software distributed outside the Mac App Store by submitting it to Apple to be notarized. When users on macOS Mojave first open a notarized app, installer package, or disk image, they’ll see a more streamlined Gatekeeper dialog and have confidence that it is not known malware.

    Download Xcode 10 and submit your software today. In an upcoming release of macOS, Gatekeeper will require Developer ID–signed software to be notarized by Apple.

    Learn about getting your software notarized

    If you have any questions, contact us.

    Best regards,
    Apple Developer Relations

  20. Thom M

    19 Oct 2018 Pre-Release Testers Greater Hartford Area, CT

    @Dave S email from Apple as of 3:30pm 19-Oct-2018

    That's exactly the email referenced in the iDownloadBlog story from above.
