Distributing a command-line binary executable?

What is the proper way to create and distribute a makefile+clang compiled command-line binary tool so that Gatekeeper on a recipient's Mac running Catalina will allow the binary executable to run from the Terminal? Given I have a Developer ID, is there a way to Notarize some sort of container for the binary to allow the extracted command-line tool to be run?


Is there a way for someone not in the Apple Developer program (say an under-18 student in a class I am running) to send me a clang compiled binary that I can then run on my Mac running Catalina? iCloud seems to eat/bounce such binaries when attempting to send them via email.

Accepted Reply

Or is there a way to notarize an executable binary without a hardened runtime? How?

Not really. In some circumstances the notarisation system will accept mis-signed programs (see Notarize Your Preexisting Software) but that’s not something that new software can rely on.

Is there a hardened runtime option for clang compiles?

Not in clang, but in codesign. Here’s a quick checklist:
  • Use the 10.9 or later SDK. Notarisation requires this because it confirms that your program is using modern code signing.
  • Make sure you specify a deployment target using -mmacosx-version-min. This causes clang to add the relevant Mach-O load command (LC_VERSION_MIN_MACOSX or LC_BUILD_VERSION, depending on how far back you support) that’s required by the notarisation system to confirm that you’re built with the 10.9 or later SDK.
  • Pass --timestamp to codesign to get a secure timestamp.
  • Pass -o runtime to codesign to enable the hardened runtime.
  • If you need to opt out of specific hardened runtime features, put the relevant entitlements in a .entitlements property list and pass that to codesign via the --entitlements option. See Hardened Runtime Entitlements for more on these entitlements.
  • Sign your tool with your Developer ID Application identity.
  • If you put the tool in a .dmg, sign that with your Developer ID Application identity.
  • If you put the tool in a .pkg, sign that with your Developer ID Installer identity.
  • Notarise the outermost container (for example, if you have a tool in a .pkg on a .dmg, notarise the .dmg).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
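The checklist above, carried through end to end as an added example (this script is not part of the thread and not Apple's code). It compiles with an explicit deployment target, signs with a secure timestamp and the hardened runtime, packages the tool in a .dmg signed with the same Developer ID Application identity, and notarises the outermost container. It also checks each signing requirement locally with otool and codesign before submitting, which is where the three "message" errors the original poster reports later in the thread would otherwise surface. Assumptions, all overridable through the environment: the tool is named mytool and built from mytool.c, the identity string "Developer ID Application: Example Corp (ABCDE12345)" is a placeholder for your own, the deployment target 10.13 is an arbitrary choice at or above 10.9, and a notarytool keychain profile named "notary" has already been created with `xcrun notarytool store-credentials`. The poster used altool's notarization-info; this example uses notarytool, which replaced altool for notarisation.

```shell
#!/bin/sh
# Added example: build, sign, package and notarise a clang-compiled CLI tool.
# Tool name, identity, deployment target and notary profile are assumptions;
# override them in the environment.
set -eu

TOOL=${TOOL:-mytool}
MIN_MACOS=${MIN_MACOS:-10.13}
DEV_ID_APP=${DEV_ID_APP:-"Developer ID Application: Example Corp (ABCDE12345)"}
NOTARY_PROFILE=${NOTARY_PROFILE:-notary}   # assumed: xcrun notarytool store-credentials notary
ENTITLEMENTS=${ENTITLEMENTS:-}             # optional .entitlements plist to opt out of runtime features

# Filters on stdin that confirm each checklist item after the fact.
# Input: `otool -l TOOL`. Passes if clang recorded a deployment target.
has_deployment_target() { grep -Eq 'cmd (LC_VERSION_MIN_MACOSX|LC_BUILD_VERSION)'; }
# Input: `codesign -dvv TOOL` (it writes to stderr). Passes if the CodeDirectory
# flags include "runtime", i.e. the hardened runtime is enabled.
has_hardened_runtime()  { grep -Eq 'flags=0x[0-9a-fA-F]+\([^)]*runtime'; }
# Input: `codesign -dvv TOOL`. Passes if the signature carries a secure timestamp.
has_secure_timestamp()  { grep -q '^Timestamp='; }

# 1. Compile with an explicit deployment target so the Mach-O carries
#    LC_VERSION_MIN_MACOSX or LC_BUILD_VERSION, which the notary service checks.
build_tool() {
  clang -mmacosx-version-min="$MIN_MACOS" -O2 -Wall -o "$TOOL" "$TOOL.c"
  otool -l "$TOOL" | has_deployment_target
}

# 2. Sign with the Developer ID Application identity, a secure timestamp and
#    the hardened runtime; verify locally before the notary round trip.
sign_tool() {
  set -- --force --timestamp -o runtime --sign "$DEV_ID_APP"
  if [ -n "$ENTITLEMENTS" ]; then set -- "$@" --entitlements "$ENTITLEMENTS"; fi
  codesign "$@" "$TOOL"
  codesign --verify --strict --verbose=2 "$TOOL"
  codesign -dvv "$TOOL" 2>&1 | has_hardened_runtime
  codesign -dvv "$TOOL" 2>&1 | has_secure_timestamp
}

# 3. Put the tool in a .dmg and sign the disk image with the same
#    Developer ID Application identity (a .pkg would use the Installer identity).
package_dmg() {
  rm -rf stage && mkdir stage && cp "$TOOL" stage/
  hdiutil create -volname "$TOOL" -srcfolder stage -ov -format UDZO "$TOOL.dmg"
  codesign --force --timestamp --sign "$DEV_ID_APP" "$TOOL.dmg"
}

# 4. Notarise the outermost container, wait for the verdict, then staple the
#    ticket so Gatekeeper can verify it without a network lookup.
notarize_dmg() {
  xcrun notarytool submit "$TOOL.dmg" --keychain-profile "$NOTARY_PROFILE" --wait
  xcrun stapler staple "$TOOL.dmg"
  xcrun stapler validate "$TOOL.dmg"
}

run_all() { build_tool && sign_tool && package_dmg && notarize_dmg; }

# Run end to end on a Mac with the Xcode command-line tools:  sh notarize.sh all
if [ "${1:-}" = "all" ]; then run_all; fi
```

If the submission is rejected, `xcrun notarytool log <submission-id> --keychain-profile notary` returns the same per-item "message" entries quoted later in this thread; the three local checks in sign_tool catch the missing Developer ID, missing timestamp and missing hardened runtime before you submit.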

Replies

So I stuffed the binary executable of my macOS command-line utility into a dmg file, and tried to notarize it.

The first errors I got from notarization-info were:

"message": "The binary is not signed with a valid Developer ID certificate.",
"message": "The signature does not include a secure timestamp.",

So I ran codesign on the binary using my Developer ID, and rebuilt the dmg file.

Then I got this error:

"message": "The executable does not have the hardened runtime enabled.",


Is there a hardened runtime option for clang compiles? Where?

Or is there a way to notarize an executable binary without a hardened runtime? How?

Are you sure it is safe to run executable programs from students on your Mac? This risks your Mac (or at least your account) inadvertently running malware.

Of course not, but I assume unsafe executables would be covered by the institution's code of conduct (similar to weight room, machine shop, chem lab, biohazard lab, etc. rules). In any case, many schools periodically wipe all their lab and library computers.