How to enable Hardened Runtime

  1. 2 weeks ago
    Edited 2 weeks ago

    Hi,

    I've created an app which works perfectly. However, notarization failed because the app does not have hardened runtime enabled. When enabling hardened runtime during the signing process, the app gets damaged and will no longer open/run.

    Is there an option to enable hardened runtime in Xojo? It seems Xcode has such a feature built into the dev environment. https://developer.apple.com/documentation/security/hardened_runtime

    Thanks


  2. Tim P

    Feb 11 Pre-Release Testers, Xojo Pro Rochester, NY

    @Tim M When enabling hardened runtime during the signing process, the app gets damaged and will no longer open/run.

    Then your app does something that violates the purpose of the hardened runtime. You need to work that out.

  3. Hi Tim,

    The same thing happens when I create a new empty project, build it, remove the extended attributes and then sign it using the enabled hardened runtime attributes. So the problem exists in an empty project...

  4. Tim P

    Feb 11 Pre-Release Testers, Xojo Pro Rochester, NY
    Edited 2 weeks ago

    @Tim M The same thing happens when I create a new empty project, build it, remove the extended attributes and then sign it using the enabled hardened runtime attributes. So the problem exists in an empty project...

    Hm, that's no good. If it were a problem with Xojo, we'd be hearing from quite a number of people. I deliver my app signed and notarized with a hardened runtime. It's built with Xojo and signed with App Wrapper.

    What is your build, sign, and notarize process? Perhaps there's a hiccup there to find.

  5. Jürg O

    Feb 11 Pre-Release Testers, Xojo Pro
    Edited 2 weeks ago

    @Tim M Is there an option to enable hardened runtime in Xojo?

    No, there isn't.

    @Tim M sign it using the enabled hardened runtime attributes

    Correct. You're enabling it with the appropriate parameters when CodeSigning your application: codesign --options runtime ...other parameters as usual...

    @Tim M So the problem exists in an empty project...

    I don't see that :)
    If you want to look at an example showing how you can do it on your own: Xojo2DMG

    @Tim P It's built with Xojo and signed with App Wrapper.

    Highly recommended, too... Here's the link to AppWrapper.

    @Tim P What is your build, sign, and notarize process? Perhaps there's a hiccup there to find.

    Right... without knowing what you are doing exactly it's just shots in the dark.

  6. Edited 2 weeks ago

    I'm using terminal. First, I do this...
    xattr -cr 'myApp.app'

    After this, the app still works. Then
    codesign -f -s "Developer ID Application: XXX (XXX)" "myApp.app" --options=runtime

    Now, the app is damaged.

    Using this code, the app still works, but hardened runtime is not enabled:
    codesign -f -s "Developer ID Application: XXX (XXX)" "myApp.app"

  7. Tim P

    Feb 11 Pre-Release Testers, Xojo Pro Rochester, NY
    Edited 2 weeks ago

    @Tim M --options=runtime

    Try --options runtime instead.

  8. Jürg O

    Feb 11 Pre-Release Testers, Xojo Pro
    Edited 2 weeks ago

    @Tim P Try --options runtime instead.

    And a secure Timestamp is required, too...
    codesign --timestamp --options runtime (and the other parameters you already are using)

    btw: I've tried to explain a couple of requirement changes that came into effect on Feb 3 2020 here.

  9. Tim M

    Feb 11 Answer

    @Tim P I've also tried --options runtime ... It did not work

    I used another command line ...
    codesign --force --options runtime --deep --sign "Developer ID Application: XXX (XXX)" "myApp.app"

    And this seems to work. Currently my app is signed and notarized and opens normally :-)

    @Jürg O Thanks for all your feedback. Using the --timestamp was not necessary ... :-)

  10. Jürg O

    Feb 11 Pre-Release Testers, Xojo Pro

    The --deep has been necessary for you most likely because of this requirement: Has components not signed with your Developer ID ;)

    @Tim M And this seems to work.

    Great. Don't forget to test your app's behavior now that you have (to have) the Hardened Runtime enabled...

    I can only repeat: I encourage everyone to CodeSign (with Hardened Runtime) each and every DebugRun on macOS, allowing you to develop and debug as close to a Release Build as possible.
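    The manual steps from posts 6 and 9 (clear extended attributes, then codesign with --options runtime, --timestamp and --deep) and the advice in post 10 to check the result, put together into one script. This is an added example written for this thread, not code from any of the posters or from Xojo; the identity string and app path are placeholders you pass on the command line, and the check for the runtime flag relies on the flags=...(runtime) line that codesign -d -vv prints for a hardened binary.

```shell
#!/bin/sh
# Added example: sign an app bundle with the Hardened Runtime and a secure
# timestamp, then verify the signature and confirm the runtime flag is present.
# Identity and bundle path are supplied by the caller (placeholders, see below).
set -eu

# Sign as in the thread: strip extended attributes first (post 6), then
# --force --options runtime --timestamp --deep --sign (posts 8 and 9).
# --deep is only needed when embedded components are not signed by your ID.
sign_app() {
  identity="$1"
  app="$2"
  xattr -cr "$app"
  codesign --force --timestamp --options runtime --deep --sign "$identity" "$app"
}

# Returns 0 if the given `codesign -d -vv` output shows the hardened runtime
# flag (a line such as "flags=0x10000(runtime)"), 1 otherwise.
has_runtime_flag() {
  printf '%s\n' "$1" | grep -q 'flags=.*runtime'
}

# Verify the seal, check the runtime flag, and ask Gatekeeper's policy engine
# whether the bundle would be accepted for execution.
verify_app() {
  app="$1"
  codesign --verify --deep --strict --verbose=2 "$app"
  # codesign -d prints its details on stderr, so merge it into the capture.
  info=$(codesign -d -vv "$app" 2>&1)
  if ! has_runtime_flag "$info"; then
    echo "hardened runtime is NOT enabled on $app" >&2
    return 1
  fi
  spctl --assess --type execute --verbose=4 "$app"
}

# Usage: sh sign_and_check.sh --run "Developer ID Application: XXX (XXX)" myApp.app
if [ "${1:-}" = "--run" ]; then
  sign_app "$2" "$3"
  verify_app "$3"
fi
```

    Run it on the Mac where the Developer ID identity is installed; if verify_app fails on the runtime check, the signing step did not take (for example because a nested component was re-sealed without the option), which is the same symptom the thread calls a "damaged" app.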

  11. Edited 2 weeks ago

    @Jürg Otter It would be nice if we could do this from within Xojo, as part of the build process. That would be awesome ... Some automated feature running the command lines in the background ...

  12. Tim P

    Feb 11 Pre-Release Testers, Xojo Pro Rochester, NY

    That's been on people's want list since at least RealStudio 2012 Feedback Case #20338

  13. Jürg O

    Feb 11 Pre-Release Testers, Xojo Pro
    Edited 2 weeks ago

    @Tim M @Jürg Otter It would be nice if we could do this from within Xojo, as part of the build process. That would be awesome ... Some automated feature running the command lines in the background ...

    You can do this yourself with a Post Build Script meanwhile.
    Here is an example project ...
