How to enable Hardened Runtime

Hi,

I’ve created an app which works perfectly. However, notarization failed because the app does not have hardened runtime enabled. When enabling hardened runtime during the signing process, the app gets damaged and will no longer open/run.

Is there an option to enable hardened runtime in Xojo? It seems Xcode has such a feature built into the dev environment. https://developer.apple.com/documentation/security/hardened_runtime

Thanks

Then your app does something that violates the purpose of the hardened runtime. You need to work that out.

Hi Tim,

The same thing happens when I create a new empty project, build it, remove the extended attributes and then sign it using the enabled hardened runtime attributes. So the problem exists in an empty project…

Hm, that’s no good. If it were a problem with Xojo, we’d be hearing from quite a number of people. I deliver my app signed and notarized with a hardened runtime. It’s built with Xojo and signed with App Wrapper.

What is your build, sign, and notarize process? Perhaps there’s a hiccup there to find.

No, there isn’t.

Correct. You’re enabling it with the appropriate parameters when CodeSigning your application: codesign --options runtime ...other parameters as usual...

I don’t see that :slight_smile:
If you want to look at an example showing how you can do it on your own: Xojo2DMG

Highly recommended, too… Here’s the link to AppWrapper.

Right… without knowing what you are doing exactly it’s just shots in the dark.

I’m using terminal. First, I do this…
xattr -cr 'myApp.app'

After this, the app still works … Then
codesign -f -s "Developer ID Application: XXX (XXX)" "myApp.app" --options=runtime

Now, the app is damaged

Using this command, the app still works, but hardened runtime is not enabled:
codesign -f -s "Developer ID Application: XXX (XXX)" "myApp.app"

Try --options runtime instead.

And a secure Timestamp is required, too…

codesign --timestamp  --options runtime

btw: I’ve tried to explain a couple of requirement changes that came into effect on Feb 3 2020 here.

@Tim Parnell I’ve also tried --options runtime … It did not work

I used another command line …
codesign --force --options runtime --deep --sign "Developer ID Application: XXX (XXX)" "myApp.app"

And this seems to work. Currently my app is signed and notarized and opens normally :slight_smile:
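Added example, not from any post in this thread: a small POSIX shell script that runs the steps the thread converged on (strip extended attributes, sign with `--options runtime` and a secure timestamp) and then checks the `codesign -d --verbose` dump for the `runtime` flag and a Developer ID authority, instead of trusting the exit status alone. The app path and signing identity are placeholders passed on the command line; the `--deep` flag is kept because it is what worked in the thread.

```shell
#!/bin/sh
# Added example (not the thread's own code). Sign a built app with the
# Hardened Runtime and verify the signature dump actually carries the flag.
# Assumptions: "$1" is the .app path, "$2" the "Developer ID Application: ..."
# identity; both are placeholders supplied by the caller.

# Return 0 when a `codesign -d --verbose=2` dump shows the runtime flag
# and a Developer ID Application signer. codesign prints lines such as:
#   CodeDirectory v=20500 size=... flags=0x10000(runtime) hashes=...
#   Authority=Developer ID Application: Name (TEAMID)
# Returns 1 if the runtime flag is missing, 2 if the signer is not Developer ID.
check_signature_dump() {
    dump="$1"
    printf '%s\n' "$dump" | grep -q 'flags=0x[0-9a-f]*([^)]*runtime[^)]*)' || return 1
    printf '%s\n' "$dump" | grep -q '^Authority=Developer ID Application:' || return 2
    return 0
}

# Strip quarantine/extended attributes, sign with Hardened Runtime plus a
# secure timestamp, then verify strictly and inspect the resulting dump.
sign_and_verify() {
    app="$1"
    identity="$2"
    xattr -cr "$app"
    codesign --force --deep --timestamp --options runtime --sign "$identity" "$app"
    codesign --verify --deep --strict --verbose=2 "$app"
    # codesign -d writes its dump to stderr, hence 2>&1
    dump=$(codesign -d --verbose=2 "$app" 2>&1)
    check_signature_dump "$dump"
}

# Only run the real signing when both placeholders were given on the command line.
if [ "$#" -ge 2 ]; then
    sign_and_verify "$1" "$2"
fi
```

After signing, a non-zero return from `check_signature_dump` tells you which requirement the dump failed to show before you submit the bundle for notarization.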

@Jürg Otter Thanks for all your feedback. Using the --timestamp was not necessary … :slight_smile:

The --deep has been necessary for you most likely because of this requirement: Has components not signed with your Developer ID :wink:

Great. Don’t forget to test your app’s behavior now that you have (to have) the Hardened Runtime enabled…

I can only repeat: I encourage everyone to CodeSign (with Hardened Runtime) each and every DebugRun on macOS, allowing you to develop and debug as close to a Release Build as possible.

@Jürg Otter It would be nice if we could do this from within Xojo, as part of the build process. That would be awesome … Some automated feature running the command lines in the background …

That’s been on people’s want list since at least RealStudio 2012 <https://xojo.com/issue/20338>

You can do this yourself with a Post Build Script meanwhile.
Here is an example project