Notarization warning: The executable does not have the hardened runtime enabled.

Hi all,


I have a Java application based on the Eclipse RCP Mars. I am trying to sign my app:


codesign  -s 'Some Developer ID Application' MyApp.app


During notarization I get the following error:

"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
...

{
  "severity": "error",
  "code": null,
  "path": "MyApp.app.zip/MyApp.app/Contents/MacOS/eclipse",
  "message": "The executable does not have the hardened runtime enabled.",
  "docUrl": null,
  "architecture": "x86_64"
}


If I enable the hardened runtime, the binary breaks:


codesign  -f --options=runtime -s 'Some Developer ID Application' MyApp.app


dlopen(/Users/zapletnev/Desktop/Scade.app/Contents/MacOS//../Eclipse/plugins/org.eclipse.equinox.launcher.cocoa.macosx.x86_64_1.1.300.v20150602-1417/eclipse_1611.so, 2): no suitable image found.  Did find:
  /Users/zapletnev/Desktop/Scade.app/Contents/MacOS//../Eclipse/plugins/org.eclipse.equinox.launcher.cocoa.macosx.x86_64_1.1.300.v20150602-1417/eclipse_1611.so: code signing blocked mmap() of '/Users/zapletnev/Desktop/Scade.app/Contents/MacOS//../Eclipse/plugins/org.eclipse.equinox.launcher.cocoa.macosx.x86_64_1.1.300.v20150602-1417/eclipse_1611.so'


I tried to notarize a default Eclipse Mars distribution and I found that it passed the validation. The same error 'The executable does not have the hardened runtime enabled' is displayed as a warning.


"status": "Accepted",
"statusSummary": "Ready for distribution",
...

{
  "severity": "warning",
  "code": null,
  "path": "Eclipse.app.zip/Eclipse.app/Contents/MacOS/eclipse",
  "message": "The executable does not have the hardened runtime enabled.",
  "docUrl": null,
  "architecture": "x86_64"
},


1. Why is the same issue marked as a warning for Eclipse Mars and as an error for my application?

2. Why does options=runtime break my binary, and how can I fix it?

Replies

1. Why is the same issue marked as a warning for Eclipse Mars and as an error for my application?

The notarisation system lets you notarise existing code, even if that code doesn’t meet its standard security requirements. My best guess is that this code is hitting that legacy path. And, to be clear, that’s a guess, because we explicitly do not document all the criteria required to hit that path.

See the Notarize Your Preexisting Software section of Notarizing Your App Before Distribution for more background to this.

2. Why does options=runtime break my binary, and how can I fix it?

The hardened runtime enables a wide variety of additional security checks. It’s hard to say which one of these is causing the specific problem you’re seeing. A good way to investigate this is to disable all these security checks (see Hardened Runtime Entitlements), confirm that your app works, and then selectively re-enable them to see where things start to fail.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Have you tried adding these hardened runtime entitlements to your app?


  • com.apple.security.cs.allow-jit
  • com.apple.security.cs.allow-unsigned-executable-memory
  • com.apple.security.cs.disable-executable-page-protection


From your error message it looks like a memory-mapping issue related to a shared library. If allowing all of those works, then you could start removing them one by one to narrow down the entitlements.
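Quinn's advice and the three entitlements listed in the reply after it amount to a bisection: sign the bundle with every hardened-runtime relaxation enabled, confirm the app starts, then drop the relaxations one at a time and keep only those the app cannot start without. The script below is an added example, not code from this thread or from Apple. It assumes the bundle's main executable is the one named by CFBundleExecutable, that "still running after LAUNCH_TIMEOUT seconds" is an adequate "works" check (the dlopen failure above happens at startup, so it is here), and uses placeholder values for the bundle path and signing identity. Each of the relaxations re-opens a real attack surface (disable-library-validation lets any signed library load, allow-dyld-environment-variables lets DYLD_INSERT_LIBRARIES inject code, the two executable-memory keys defeat W^X), so the set that survives the bisect is the one that belongs in the shipped entitlements file.

```shell
#!/bin/bash
# Added example: bisect the hardened-runtime entitlements an app really needs.
# Not from the thread or from Apple. Paths, identity and the "launches" check
# are assumptions for illustration.
set -eu

# Every entitlement that switches off a hardened-runtime check.
RELAXATIONS="
com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.disable-executable-page-protection
com.apple.security.cs.disable-library-validation
com.apple.security.cs.allow-dyld-environment-variables
"

# entitlements_plist KEY... : print an entitlements plist with each KEY = true.
entitlements_plist() {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n'
    printf '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    for ent_key in "$@"; do
        printf '    <key>%s</key>\n    <true/>\n' "$ent_key"
    done
    printf '</dict>\n</plist>\n'
}

# without LIST ITEM : print the whitespace-separated LIST minus ITEM, one per line.
without() {
    for w in $1; do
        [ "$w" = "$2" ] || printf '%s\n' "$w"
    done
}

# sign_with APP IDENTITY KEY... : re-sign APP with the hardened runtime and
# exactly the given relaxations (codesign reads entitlements from a file).
sign_with() {
    app=$1; identity=$2; shift 2
    ent=$(mktemp "${TMPDIR:-/tmp}/entitlements.XXXXXX")
    entitlements_plist "$@" > "$ent"
    codesign --force --options runtime --timestamp \
        --entitlements "$ent" --sign "$identity" "$app"
    rm -f "$ent"
}

# launches APP : start the main executable directly (so dyld's complaint shows
# on stderr) and treat "still alive after LAUNCH_TIMEOUT seconds" as success.
launches() {
    app=$1
    exe="$app/Contents/MacOS/$(/usr/libexec/PlistBuddy -c 'Print :CFBundleExecutable' "$app/Contents/Info.plist")"
    "$exe" >/dev/null 2>&1 &
    pid=$!
    sleep "${LAUNCH_TIMEOUT:-10}"
    if kill -0 "$pid" 2>/dev/null; then
        kill "$pid"; wait "$pid" 2>/dev/null || true
        return 0
    fi
    return 1
}

# bisect APP IDENTITY : find the smallest set of relaxations APP starts with,
# leave APP signed with that set, and print it.
bisect() {
    app=$1; identity=$2
    keep=$RELAXATIONS
    sign_with "$app" "$identity" $keep
    launches "$app" || { echo "app fails even with every relaxation enabled; the cause is not a hardened-runtime check" >&2; return 1; }
    for key in $RELAXATIONS; do
        trial=$(without "$keep" "$key")
        sign_with "$app" "$identity" $trial
        if launches "$app"; then
            keep=$trial                      # app starts without it: drop it
        else
            echo "required: $key" >&2        # app breaks without it: keep it
        fi
    done
    sign_with "$app" "$identity" $keep
    printf '%s\n' $keep
}

# Usage: BISECT_RUN=1 ./bisect.sh MyApp.app 'Developer ID Application: ...'
if [ "${BISECT_RUN:-0}" = 1 ]; then
    bisect "$1" "$2"
fi
```

The one-at-a-time loop is enough here because the relaxations are independent; if the app only starts with two of them together, the loop reports both as required. Once the minimal set is known, write it to the entitlements file used for the release signature and re-run notarization.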

Dear Quinn, I hope you still work at Apple, as your answer here in this forum is the closest I've found to someone who might be able to point me towards an answer.


How can I build and notarize an OSX application bundle, containing a Java JRE in my application bundle, that passes Apple's Notarization review?


I am able to build the bundle, but the notarization fails, telling me I need a hardened runtime, and that the various executable binaries and .dylibs in the bundle are not signed.


But I can't find any notes on the web about how to:

- find/build/sign the required 'hardened runtime'
- sign the .dylibs used in the Java JRE runtime
- sign the executables in the JRE (java, jrunscript, ...)


The JRE is built by me from Oracle's JDK 11.


The app is a commercial product that has been running on OSX and Windows for 15 years, until this February.


I have Xcode installed, but do not use it for my work. I currently write code in Eclipse and use ant to do my builds.


If Xcode will do what I need, I'm willing to learn how to set it up, but that seems difficult as Xcode no longer appears to support Java, except as an 'external builder' sort of project.

My app has around 500 Java classes and includes many public domain .jar files.


My current code signing commands look like this:

An entitlements file containing:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
</dict>
</plist>



and this codesign command:

codesign --entitlements ${entitlements} \
    --options=runtime \
    --deep -vvv -f \
    --sign ${identity} ${target}


thanks for any help you can provide,


Craig108

Most of the advice I have to give on this topic is contained in Signing a Mac Product For Distribution. Beyond that, the answers tend to be specific to the third-party tool you're using. For example, if your Java runtime has been updated to use MAP_JIT, you should be able to get away with the most secure entitlement, com.apple.security.cs.allow-jit. The only way to know for sure is to consult the support resources for that runtime.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
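The two questions Craig108 asks that the thread leaves open are how to sign the .dylibs and the executables inside a bundled JRE. Notarization checks every Mach-O image in the bundle, not just the main executable, and each needs its own signature with the hardened runtime; `codesign --deep` tries to do this in one pass but Apple's guidance (the Signing a Mac Product For Distribution document Quinn points to) is to sign nested code explicitly, innermost first, then the bundle. The script below is an added example, not code from the thread, from Apple, or from Oracle. It finds Mach-O files by their magic bytes rather than by extension (the JRE ships .dylib, .jnilib and extension-less executables such as bin/java and lib/jspawnhelper), tells a universal (fat) binary apart from a Java .class file, which starts with the same 0xCAFEBABE bytes, and signs deepest paths first. The identity, entitlements path and bundle name are placeholders.

```shell
#!/bin/sh
# Added example: sign every Mach-O file inside an app bundle individually,
# innermost first, then the bundle itself, then verify. Not from the thread
# or from Apple. IDENTITY and ENTITLEMENTS below are placeholders.
set -eu

IDENTITY=${IDENTITY:-"Developer ID Application: Example Corp (ABCDE12345)"}
ENTITLEMENTS=${ENTITLEMENTS:-entitlements.plist}

# is_macho FILE : true if FILE starts with a Mach-O or universal (fat) magic.
# Reads the first 8 bytes as hex; checks bytes, not names, because JNI
# libraries and JRE tools do not all carry a telling extension.
is_macho() {
    head8=$(od -An -N8 -tx1 "$1" 2>/dev/null | tr -d ' \n')
    case "$head8" in
        feedface*|cefaedfe*|feedfacf*|cffaedfe*) return 0 ;;   # thin 32/64-bit, either byte order
        cafebabe????????|cafebabf????????)
            # Fat header and Java .class both begin 0xCAFEBABE. The next word is
            # nfat_arch for a fat file (a handful at most) but the class-file
            # version for a .class (major >= 45 since JDK 1.0.2).
            [ "$((0x${head8#????????}))" -lt 45 ] ;;
        *) return 1 ;;
    esac
}

# find_macho_files DIR : list Mach-O files under DIR, deepest paths first, so
# nested code is signed before anything that contains it.
find_macho_files() {
    find "$1" -type f | while IFS= read -r f; do
        if is_macho "$f"; then printf '%s\n' "$f"; fi
    done | awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2-
}

# sign_file PATH : hardened runtime, secure timestamp, chosen entitlements.
# Entitlements only take effect on executables; passing them to a dylib is
# harmless, and the JRE's own executables (bin/java etc.) do need them.
sign_file() {
    codesign --force --options runtime --timestamp \
        --entitlements "$ENTITLEMENTS" --sign "$IDENTITY" "$1"
}

# sign_bundle APP : sign nested Mach-O files, then the bundle, then verify.
sign_bundle() {
    app=$1
    find_macho_files "$app" | while IFS= read -r f; do
        echo "signing $f"
        sign_file "$f"
    done
    sign_file "$app"                               # seals Contents/ and the main executable
    codesign --verify --deep --strict --verbose=2 "$app"
    # Gatekeeper's verdict; a Developer ID app is only accepted here once it
    # has been notarized and stapled, so this is informational before that.
    spctl --assess --type execute --verbose "$app" || echo "not yet accepted by Gatekeeper"
}

# Usage: SIGN_RUN=1 IDENTITY='Developer ID Application: ...' ./sign.sh MyApp.app
if [ "${SIGN_RUN:-0}" = 1 ]; then
    sign_bundle "$1"
fi
```

Two things this script deliberately does not do: it does not sign nested bundles (a .framework or a full .jdk directory with its own Info.plist) as bundles, which they should be if the app contains any, and it does not look inside .jar files. The notary service scans archives too, so a .dylib or .jnilib packaged inside a jar has to be extracted, signed with sign_file, and put back into the jar before the bundle is signed. `--timestamp` needs network access to Apple's timestamp service.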

Finally got this working with the answer provided here: https://stackoverflow.com/a/55716976/36510