Notarization enable hardened runtime error

So we have been creating and distributing apps with the new notarization method for months now, since Apple forced this extra step with Catalina. For months we have had no issues codesigning and notarizing our apps. At the beginning of this week, all of a sudden, when we try to notarize our apps we get this error message:


"The executable does not have the hardened runtime enabled."


In our Xcode project we do have hardened runtime enabled as well as Apple Events, and both have worked without a hitch. All of a sudden this week we get that error above. So I thought I found a solution by adding the option in the codesignature like so:


sudo codesign --force --deep --options runtime --sign "Developer ID Application: MYID" "MYAPP.app"


This finally worked and allowed the app to be notarized successfully. We thought we were in the clear. Then our customers contacted our customer support and we discovered that, for only some people, when they would try and run the app they would get a -1743 error indicating an issue with Apple Events being allowed. When we test it there are no issues; it is only certain customers.


So at this point I am completely at a loss. I have put in a support ticket with Apple technical support, but who the **** knows how long that will take. Sometimes it takes them weeks to respond. How in the world does this start happening out of nowhere? If anyone else is experiencing the same issues let me know. I have tried testing on different Mac Catalina versions, both release and developer beta. I have tried different versions of the latest Xcode. All have the same result now, even though they were all working perfectly as of last week.

Replies

You should check if the hardened runtime is really enabled in the build created with Xcode. Or are you re-signing it manually? If so, you have to pass the runtime option, as you found out, and if you need to use Apple Events, you have to enable the Apple Events access option of the hardened runtime.


Anyway, it didn't happen out of nowhere. The grace period of notarization without the hardened runtime ended a few days ago. Check the hardened runtime documentation and the one for entitlements: https://developer.apple.com/documentation/security/hardened_runtime_entitlements

Thanks, I appreciate the help. Everything you suggested we already have set up in our apps. I will continue adding the --options runtime to our codesignature commands, but I just wanted to make sure it didn't affect Apple Events, because we need that, or if there is another command to allow runtime and Apple Events. I do have it set up under Signing & Capabilities with the hardened runtime capability added and the checkbox for Apple Events set, as well as allowing Apple Events in the Info.plist.

If you are calling codesign manually, it means you are re-signing the app after Xcode already signed it. If you want to re-sign it, you have to do it properly, and pass the entitlements file to the codesign command too.
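The reply above is the crux of the thread: a bare "codesign --force --options runtime" re-sign replaces the signature Xcode produced, and with it the entitlements, so the app passes notarization but loses the Apple Events entitlement that the -1743 error (errAEEventNotPermitted) is complaining about. The script below is an added example, not code from the thread or from Apple: it checks an entitlements plist for the com.apple.security.automation.apple-events key before re-signing, then runs codesign with both --options runtime and --entitlements. The sample plist is constructed here; MYAPP.app and the "Developer ID Application: MYID" identity are placeholders from the original post, and DRY_RUN is an assumed variable that prints the codesign command instead of running it (useful on a machine without codesign).

```sh
#!/bin/sh
# Added example: pre-sign check plus a hardened-runtime re-sign that keeps entitlements.

# Return 0 if the plist has <key>$2</key> immediately followed by <true/>.
# Pure awk so it runs anywhere; on macOS you could use /usr/libexec/PlistBuddy instead.
has_entitlement() {
    awk -v key="<key>$2</key>" '
        found && /<true\/>/ { ok = 1; exit }
        found               { found = 0 }
        index($0, key)      { found = 1 }
        END                 { if (ok) exit 0; exit 1 }' "$1"
}

# Run a command, or only print it when DRY_RUN is set (assumed helper).
run() {
    if [ -n "$DRY_RUN" ]; then echo "$@"; else "$@"; fi
}

# Re-sign APP with IDENTITY using ENTITLEMENTS, refusing to proceed when the
# Apple Events entitlement is missing (the cause of the -1743 error in the thread).
sign_hardened() {
    app="$1"; identity="$2"; ent="$3"
    if ! has_entitlement "$ent" com.apple.security.automation.apple-events; then
        echo "refusing to sign: $ent lacks com.apple.security.automation.apple-events" >&2
        return 1
    fi
    # --options runtime enables the hardened runtime; --entitlements re-applies
    # the entitlements that a plain --force re-sign would otherwise drop.
    # --deep is kept from the thread's command; note it pushes the same options
    # and entitlements onto every nested binary, which is rarely what you want.
    run codesign --force --deep --options runtime --timestamp \
        --entitlements "$ent" --sign "$identity" "$app"
}

# Constructed sample entitlements file (not from the thread). Pass "noae" to
# omit the Apple Events entitlement and watch the pre-sign check refuse it.
make_sample_entitlements() {
    f=$(mktemp)
    {
        printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>'
        printf '%s\n' '<plist version="1.0"><dict>'
        if [ "$1" != noae ]; then
            printf '%s\n' '<key>com.apple.security.automation.apple-events</key>' '<true/>'
        fi
        printf '%s\n' '<key>com.apple.security.cs.allow-jit</key>' '<false/>'
        printf '%s\n' '</dict></plist>'
    } > "$f"
    echo "$f"
}

# Usage (dry run, so it only prints the codesign invocation):
#   ent=$(make_sample_entitlements)
#   DRY_RUN=1 sign_hardened MYAPP.app "Developer ID Application: MYID" "$ent"
```

After a real re-sign, confirm both halves on the signed bundle: "codesign --display --verbose=2 MYAPP.app" should list runtime among the flags, and "codesign --display --entitlements - MYAPP.app" should still show the apple-events key. If the second command prints nothing, the entitlements were dropped and the -1743 symptom will return. The Info.plist side (the NSAppleEventsUsageDescription string the original poster mentions) is separate and is not touched by codesign at all.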

Dear Eseye,

Apple changed their codesigning / notarization policies, effective Feb 3.

I had code ready to distribute to our customers that passed notarization on Jan 28. I fixed a small bug on Feb 4, and notarization failed.


This might be what happened to you.


I'm sad to say I've no answers, only questions, as I'm thus far stopped dead in the water by the notarization requirements.


I've asked for help from Apple, but only get polite non-answers, telling me they provide "administrative support", and then they refer me to the code forums. As a developer, I feel totally abandoned by Apple.


If you've any tips or hints on how I can bundle and notarize a Java JRE in my app, I'd greatly appreciate any help I can get.

I don't use Xcode - it doesn't seem to support Java anymore - but I'm willing to learn if it can get my Java app signed.


In particular, does anyone know how to set up the "hardened runtime" for a Java project?


Thank you,


Craig108

Have you tried adding these into the entitlements of your Java app's application bundle:


<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>

Source from here.