For a unit test, we are building a (non-bundled) test executable with the ENABLE_HARDENED_RUNTIME build setting enabled (set to "YES"), which eventually causes codesign to be run with the "--option runtime" setting.
The resulting binary has the "hardening" bit (0x1000) set in the code signature and there are no exceptions per entitlements.
In our unit test, we launch the test executable, obtain a SecCodeRef to the (dynamic) code using SecCodeCopyGuestWithAttributes() and inspect the flags in the signing information. We expect both kSecCodeStatusHard and kSecCodeStatusKill to be set for this code.
When building and testing locally, this is always the case. When building and testing in our build pipeline, this is mostly the case, but every now and then, the test fails, because both "hard" and "kill" flags are missing from the signing information.
It is my understanding that the "runtime" option (or the "hardening" bit in the signature) causes those two flags to be set when the code executes - is this incorrect or not guaranteed?
If OTOH this is a correct understanding I would also assume that those flags are being set before the executable enters its main() function?
Any explanation why we sometimes don't see those flags in the SecCodeRef for the guest code?