Hardened Runtime vs. MAS & iOS Targets?

Hi, all!


I've been working on getting the hardened runtime enabled in the direct sale versions of our macOS apps. I successfully got it working and Apple's notarization service accepted the one app I've been working on.


However, we also sell Mac App Store versions of these apps, and we have shared framework projects that are also used in iOS apps. Each project has different targets depending on the platform and/or distribution channel.


If I activate the "Enable Hardened Runtime" setting at the root project level, will it have any negative effects on the non-DS and non-macOS targets in those projects?


Thanks!

Replies

Target-level settings take precedence over project-level ones, but if enabled at the project level, it may cause errors to be thrown when building/submitting iOS/non-macOS apps.


Did you enable it via Capabilities, or via the 'Hardened Runtime' setting available in the Build Settings tab, in the All build settings section, at the Target level?

I'm confused. I don't see any hardened runtime or Capabilities tab at the project level. I only have Info and Build Settings at the project level. Each target has its own Capabilities tab. I have hardened runtime enabled for the Developer ID build and disabled for the Mac App Store build. I didn't set it up this way on purpose. I just do the bare minimum as far as Apple requirements go. Apple doesn't require the hardened runtime for the Mac App Store, so I'm not about to turn it on and risk something breaking.

There is an "Enable Hardened Runtime" setting on the Build Settings tab of macOS projects and targets.


However, Quinn recommends using the Hardened Runtime section on the Capabilities tab of macOS targets (not projects). That tab is only present for app (and app-like) targets.


My main problem has been getting Sparkle properly built (with its deeply embedded XPCs and helper apps) so the app can get notarized.

So I manually have to enable the hardened runtime for helper apps embedded inside frameworks now? I can't submit an app to be notarized with Sparkle embedded because:


"Autoupdate.app" and "fileop" must be rebuilt with support for the Hardened Runtime. Enable the Hardened Runtime capability in the project editor, then test your app, rebuild your archive, and upload again.


I include a prebuilt copy of the framework in my project (I'm not building it from source as a subproject). Why can't "Code Sign on Copy" automatically handle this?
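The notarization error quoted above names the two Sparkle helpers that still lack the hardened runtime. As an added example (not code from this thread, from Apple, or from the Sparkle project), the script below re-signs those nested code objects with `--options runtime` from the inside out and then checks every nested bundle in the app for the `runtime` flag that `codesign -dv` reports. The signing identity, the app path, and the Sparkle 1.x layout `Sparkle.framework/Versions/A/Resources/{fileop,Autoupdate.app}` are assumptions; adjust them to your build.

```shell
#!/bin/sh
# Added example, not from the thread or from Sparkle: re-sign Sparkle's nested
# helpers with the hardened runtime, innermost first, then verify that every
# nested code object in the app carries the "runtime" flag.
# Assumptions (hypothetical): the identity below, the app path passed as $1,
# and the Sparkle 1.x layout Sparkle.framework/Versions/A/Resources/{fileop,Autoupdate.app}.

IDENTITY="Developer ID Application: Example Corp (ABCDE12345)"   # placeholder identity

# Sign one code object with the hardened runtime enabled. --timestamp is needed
# for notarization; --force replaces whatever signature Code Sign on Copy left.
sign_hardened() {
    codesign --force --options runtime --timestamp --sign "$IDENTITY" "$1"
}

# Exit status 0 when the codesign -dv output read from stdin shows the runtime
# flag, e.g. "CodeDirectory v=20500 size=... flags=0x10000(runtime) ...".
# The flag list may hold several entries, e.g. "(adhoc,runtime)".
runtime_flag_set() {
    grep -E '^CodeDirectory .*flags=0x[0-9a-f]+\(([a-z-]+,)*runtime(,[a-z-]+)*\)' >/dev/null
}

# Sign innermost first: the helpers, then the framework, then the app itself.
# Apple's guidance is to sign nested code this way rather than with --deep.
resign_sparkle_app() {
    app="$1"
    res="$app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources"
    sign_hardened "$res/fileop"
    sign_hardened "$res/Autoupdate.app"
    sign_hardened "$app/Contents/Frameworks/Sparkle.framework/Versions/A"
    sign_hardened "$app"
}

# List every bundle or helper under (and including) the app that lacks the
# runtime flag. Exit 1 if any is found, 0 if all are hardened.
check_hardened() {
    app="$1"
    find "$app" -name '*.app' -o -name '*.framework' -o -name '*.xpc' -o -name fileop |
    while IFS= read -r obj; do
        # codesign -dv writes its report to stderr, so merge it into the pipe.
        if ! codesign -dv "$obj" 2>&1 | runtime_flag_set; then
            printf 'NOT hardened: %s\n' "$obj"
        fi
    done | grep . && return 1
    return 0
}

# Only act when an app path is given, so the functions can be sourced for reuse.
if [ "$#" -ge 1 ]; then
    resign_sparkle_app "$1" && check_hardened "$1"
fi
```

Run it as `sh resign.sh build/MyApp.app` after Xcode has copied the framework in, before archiving for notarization. The checker is deliberately separate from the signer so it can be run on any built app (including a Mac App Store build, where it should report the helpers as not hardened if you keep that target's setting off).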