Background App does not run with Hardened Runtime

John_Lowrey · June 8, 2019, 11:03pm

Hello All,

Trying to build an app that is background only using the Application is Agent or Application is background only plist keys. This works as expected with routine code signing. App does not run when signed with hardened runtime. It does notarize fine.

Using Xojo 2019 r1.1, Mojave 10.14.5

Any help with what I am missing?

Sam_Rowlands · June 9, 2019, 12:28am

Can you list which plist keys and their corresponding values.

John_Lowrey · June 9, 2019, 5:31am

Figured it out.

So to have my app run as a background app, I had to set this key:

LSUIElement

With normal code signing, it would work fine. With hardened run time, it would not start up. No crash or error reporting. It looks like it just got kill 9 signal and died.

Added com.apple.security.cs.disable-library-validation entitlement and resigned it and it ran as expected. Passed notarization as well.

ChristopheDV · June 9, 2019, 1:06pm

You should mark that as resolved here. Others (and I) will benefit from this info.

John_Lowrey · June 9, 2019, 3:28pm

i dug a little further. Turns out my root problem was I missed code signing the Xojo framework. I had gotten everything else. Once I fixed that, the added entitlement was no longer needed.

Greg_O_Lone · June 9, 2019, 3:43pm

FWIW, that seems to be essentially what that entitlement does… lets you use frameworks signed by other developers.

Christian_Schmitz · June 9, 2019, 10:28pm

Xojo should add entitlement com.apple.security.cs.disable-library-validation automatically.

I made a feedback case for this: <https://xojo.com/issue/55982>

Sam_Rowlands · June 10, 2019, 12:17am

[quote=440760:@Christian Schmitz]Xojo should add entitlement com.apple.security.cs.disable-library-validation automatically.

I made a feedback case for this: <https://xojo.com/issue/55982>[/quote]
I disagree with this; because you’re asking for a unneeded special entitlement to circumnavigate the security. This situation is resolved if you code sign the bundle correctly (at least according to their outdated documents). In the case of the App Store; Apple doesn’t like to allow ‘special’ entitlements, if they suddenly decide that too many people are incorrectly using this, they might choose to block it, and in which case you suddenly can’t Notarize and release the apps on your own site.

Correctly following the code signing guidelines as the OP has pointed out resolves this issue.

Christian_Schmitz · June 10, 2019, 12:20am

Xcode 11 adds extra entitlements for debugging.
I may need to watch the video again, but it may be good for debugging to have it added automatically.

For distribution, I recommend to sign Xojo framework and plugins with same certificate as the app itself.