Hi, currently I have a macOS app that contains an executable of openvpn that I compiled. When I try to notarize the macOS application that contains openvpn I get the following error message.
Currently I compile openvpn like this for x86_64 (Intel): https://gist.github.com/lecksfrawen/fab1a1690ab7b80b4acac617cb5be403
Is there a way to add to autoconf (make && make install) something similar to cmake's XCODE_ATTRIBUTE_ENABLE_HARDENED_RUNTIME to allow the project to be compiled with the hardened runtime?
Or should I use a Hardened Runtime exception in Signing & Capabilities in my main app?
Thanks.
The notary service requires that all main executables have the hardened runtime enabled. This includes your main app and any main executables embedded within it. Other main executable types included:
- Helper apps
- Helper tools
- XPC Services
- App extensions
- System extensions
- Service Management login items
If you build these nested items with Xcode, enable the hardened runtime using Signing & Capabilities. If you build these items without Xcode, enable the hardened runtime when you sign the code. See Signing a Mac Product For Distribution for details.
When signing third-party code that you embed in an Xcode project, you don’t necessarily have to sign with a signing identity. You can often get away with signing the code ad hoc (using “-” as the identity). Xcode will then re-sign the code as it exports your product. This re-signing process sets the signing identity but preserves other stuff, like the hardened runtime flag.
IMPORTANT Do not disable library validation unless you need to load third-party plug-ins. Disabling library validation makes it harder to pass Gatekeeper. To quote the docs:
Because library validation is such an important security-hardening feature, Gatekeeper runs extra security checks on programs that have it disabled.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
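The signing step described in the answer above, as an added example that is not part of the thread: ad-hoc sign the autoconf-built openvpn binary with the hardened runtime, then confirm the flag from `codesign -d --verbose` output before handing the bundle to Xcode or the notary service. The openvpn path and the sample codesign output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. The binary path below is an
# assumption; point it at the executable embedded in your app bundle.

# Ad-hoc identity "-" plus --options runtime: Xcode re-signs with your real
# identity on export but keeps the hardened-runtime flag this sets.
sign_hardened_adhoc() {
    codesign --force --options runtime --sign - "$1"
}

# Pull the hex flags word out of `codesign -d --verbose` output,
# e.g. "flags=0x10002(adhoc,runtime)" -> "0x10002".
flags_from_codesign_output() {
    printf '%s\n' "$1" | sed -n 's/.*flags=\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# CS_RUNTIME is bit 0x10000 of the code-signing flags word; a missing flags
# line (unsigned binary) counts as "not hardened".
has_hardened_runtime() {
    flags=$(flags_from_codesign_output "$1")
    [ -n "$flags" ] && [ $(( $flags & 0x10000 )) -ne 0 ]
}

# Sign, then fail if the flag did not take. Needs codesign, so macOS only.
sign_and_verify() {
    sign_hardened_adhoc "$1" || return 1
    out=$(codesign -d --verbose "$1" 2>&1)
    has_hardened_runtime "$out"
}

# Constructed sample outputs so the parser can be exercised offline.
SAMPLE_OK='Executable=/tmp/MyApp.app/Contents/MacOS/openvpn
Identifier=openvpn
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=10000 flags=0x10002(adhoc,runtime) hashes=300+5 location=embedded'

SAMPLE_BAD='Executable=/tmp/MyApp.app/Contents/MacOS/openvpn
Identifier=openvpn
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=10000 flags=0x2(adhoc) hashes=300+5 location=embedded'
```

Run `sign_and_verify build/openvpn` on macOS after `make`; the parsing functions themselves have no macOS dependency.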