Notarization does not require Hardened Runtime capability anymore

In the Notarizing Your App Before Distribution article it is explained that Hardened Runtime capability must be enabled before sending applications for notarization.


I have a project which has several issues (severity Error) like

    {
      "severity": "error",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/MacOS/My App",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },

and

    {
      "severity": "error",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },

The issues are real and it is expected to have the application rejected (see the output from Sep 3rd).


However, now I see that all issues have severity Warning and the application is successfully notarized (see the output from Sep 4th).

    {
      "severity": "warning",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/MacOS/My App",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },

and

    {
      "severity": "warning",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },


My question: is there a change in the requirements for notarization? Can you provide more info regarding this change?








Full output of the app rejection on Sep 3:

{
  "logFormatVersion": 1,
  "jobId": "1134ee6a-ddf5-42cb-8eac-1ad32f3c2eee",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "My_App_19.3.0.zip",
  "uploadDate": "2019-09-03T16:23:45Z",
  "sha256": "8420e7a79194fc50dcc2985e945402457e28b1e6d98425177464591c12e4c7e8",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/MacOS/My App",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Library/LoginItems/MacAJLoginHelper.app/Contents/MacOS/MacAJLoginHelper",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}


Full output of the app rejection on Sep 4:

{
  "logFormatVersion": 1,
  "jobId": "53a3a994-feb3-47c2-ae49-c07d9e5eeb32",
  "status": "Accepted",
  "statusSummary": "Ready for distribution",
  "statusCode": 0,
  "archiveFilename": "My_App_19.3.0.zip",
  "uploadDate": "2019-09-04T08:43:41Z",
  "sha256": "40d07089a5c547a9e5eb03e42745021c6b6d72e2ee408ae93ab0a5125df7ac1a",
  "ticketContents": [
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/Current",
      "digestAlgorithm": "SHA-256",
      "cdhash": "8bb7d2435a8367f81bc098b4119df88e2e202335",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/OSLog.framework/Versions/Current",
      "digestAlgorithm": "SHA-256",
      "cdhash": "62c326ec4888d67ca9218a79ae3f38dc4452b37e",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app",
      "digestAlgorithm": "SHA-256",
      "cdhash": "5bf670eae6d355b700eda74019f3cbd3972b46d7",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/LetsMove.framework/Versions/Current",
      "digestAlgorithm": "SHA-256",
      "cdhash": "4a17292d52ba286a0c98e9057ed1a97a50766bfa",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/Library/LoginItems/MacAJLoginHelper.app",
      "digestAlgorithm": "SHA-256",
      "cdhash": "faffcbceb138f7e4fb6e5390e141b807fb8413d5",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/MacOS/My App",
      "digestAlgorithm": "SHA-256",
      "cdhash": "5bf670eae6d355b700eda74019f3cbd3972b46d7",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/Library/LoginItems/MacAJLoginHelper.app",
      "digestAlgorithm": "SHA-256",
      "cdhash": "faffcbceb138f7e4fb6e5390e141b807fb8413d5",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/Library/LoginItems/MacAJLoginHelper.app/Contents/MacOS/MacAJLoginHelper",
      "digestAlgorithm": "SHA-256",
      "cdhash": "faffcbceb138f7e4fb6e5390e141b807fb8413d5",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/Library/LoginItems/MacAJLoginHelper.app/Contents/MonoBundle/libMonoPosixHelper.dylib",
      "digestAlgorithm": "SHA-256",
      "cdhash": "6c3966f3e8cdbddfb7261dd1b3e2ad25fa9774d7",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/Library/LoginItems/MacAJLoginHelper.app/Contents/MonoBundle/libmono-native.dylib",
      "digestAlgorithm": "SHA-256",
      "cdhash": "994ed8dac47d098f75fc7fada7137c113c432bda",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/MonoBundle/libMonoPosixHelper.dylib",
      "digestAlgorithm": "SHA-256",
      "cdhash": "6c3966f3e8cdbddfb7261dd1b3e2ad25fa9774d7",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/MonoBundle/libmono-native.dylib",
      "digestAlgorithm": "SHA-256",
      "cdhash": "ba1d310dc0e6ae03f1ddbe5ebb710421d350842c",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Sparkle",
      "digestAlgorithm": "SHA-256",
      "cdhash": "8bb7d2435a8367f81bc098b4119df88e2e202335",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app",
      "digestAlgorithm": "SHA-256",
      "cdhash": "77cb733af3aeb450c3995f0679d3c6c725808958",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop",
      "digestAlgorithm": "SHA-256",
      "cdhash": "b835c0702d593846c048a9cb9a5591fc6aea2949",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate",
      "digestAlgorithm": "SHA-256",
      "cdhash": "77cb733af3aeb450c3995f0679d3c6c725808958",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/OSLog.framework/Versions/A/OSLog",
      "digestAlgorithm": "SHA-256",
      "cdhash": "62c326ec4888d67ca9218a79ae3f38dc4452b37e",
      "arch": "x86_64"
    },
    {
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/LetsMove.framework/Versions/A/LetsMove",
      "digestAlgorithm": "SHA-256",
      "cdhash": "4a17292d52ba286a0c98e9057ed1a97a50766bfa",
      "arch": "x86_64"
    }
  ],
  "issues": [
    {
      "severity": "warning",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/MacOS/My App",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "warning",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Library/LoginItems/MacAJLoginHelper.app/Contents/MacOS/MacAJLoginHelper",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "warning",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Library/LoginItems/MacAJLoginHelper.app/Contents/MonoBundle/libMonoPosixHelper.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "warning",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Library/LoginItems/MacAJLoginHelper.app/Contents/MonoBundle/libmono-native.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "warning",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/MonoBundle/libMonoPosixHelper.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "warning",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/MonoBundle/libmono-native.dylib",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "warning",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "warning",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "warning",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "warning",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate",
      "message": "The binary is not signed.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "warning",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate",
      "message": "The signature does not include a secure timestamp.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "warning",
      "code": null,
      "path": "My_App_19.3.0.zip/My App.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}

Accepted Reply

I think that https://developer.apple.com/news/?id=09032019a explains what you're seeing.

Replies

Thank you!

I want to stress that this is just a temporary measure. That Developer News post makes it clear that these restrictions are coming back, and I encourage you to use this time to get your notarisation ducks in a row.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
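
A build-gate sketch for the log format shown in the question, added here as an example and not part of the thread or of any Apple tooling: it fails a release when the notarization log is `Accepted` only because the three messages seen above were downgraded to warnings. The function names, the `strict` flag and the sample log (constructed, with placeholder paths) are assumptions.

```python
import json
from collections import defaultdict

# Messages the thread's logs show downgraded from "error" to "warning".
STRICT_MESSAGES = {
    "The executable does not have the hardened runtime enabled.",
    "The binary is not signed.",
    "The signature does not include a secure timestamp.",
}

# Constructed sample in the log format from the question; paths are placeholders.
SAMPLE_LOG = json.loads("""{
  "logFormatVersion": 1, "status": "Accepted",
  "statusSummary": "Ready for distribution",
  "issues": [
    {"severity": "warning", "path": "Example.zip/Example.app/Contents/MacOS/Example",
     "message": "The executable does not have the hardened runtime enabled."},
    {"severity": "warning", "path": "Example.zip/Example.app/Contents/MacOS/fileop",
     "message": "The binary is not signed."},
    {"severity": "warning", "path": "Example.zip/Example.app/Contents/MacOS/fileop",
     "message": "The signature does not include a secure timestamp."}
  ]}""")

def blocking_issues(log, strict=True):
    """Map each binary path to the messages that should fail the build."""
    blocked = defaultdict(list)
    for issue in log.get("issues") or []:  # tolerate a null or missing list
        sev, msg = issue.get("severity"), issue.get("message", "")
        if sev == "error" or (strict and sev == "warning" and msg in STRICT_MESSAGES):
            blocked[issue.get("path", "<unknown>")].append(msg)
    return dict(blocked)

def gate(log, strict=True):
    """Return (ok, reasons); strict mode treats relaxed warnings as failures."""
    reasons = []
    if log.get("status") != "Accepted":
        reasons.append(f"status={log.get('status')}: {log.get('statusSummary')}")
    for path, msgs in sorted(blocking_issues(log, strict).items()):
        reasons.append(f"{path}: " + "; ".join(msgs))
    return (not reasons, reasons)

if __name__ == "__main__":
    ok, reasons = gate(SAMPLE_LOG)
    print("PASS" if ok else "FAIL")
    for reason in reasons:
        print("  " + reason)
```

With `strict=False` the gate follows the service's verdict alone, so the same log passes.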

When the lifted restrictions are reinstated, will deliverables that previously took advantage of the more permissive restrictions then need to be re-notarised under the stricter regime? Or is it an 'in before the lock' situation?

The idea behind these temporary restrictions is to take this time to fix any problems that are preventing successful notarization, not to just put off the inevitable breakage for a few more months.

For products under active development that makes sense; for discontinued products that it is courteous to notarise, so that customers who may have chosen to stick with them because they suit their needs will still be able to install them, it is a different matter. This is the nature of the question.

If it is discontinued, then you shouldn't spend any more time on it. Otherwise, customers might expect to see bug fixes or new features too. Just update the support website with instructions on how to bypass Gatekeeper with a right click.

Thanks for the advice, John. I understand your commercial position there, although it would still be good to know the official position relating to my technical query.