2 Replies
      Latest reply on Aug 15, 2019 11:56 PM by adib
zapletnev Level 1 (0 points)

        Hi all,


        I have a java application based on the Eclipse RCP Mars. I am trying to sign my app:


        codesign  -s 'Some Developer ID Application' MyApp.app


During notarization I am getting the following error:

"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
...

{
  "severity": "error",
  "code": null,
  "path": "MyApp.app.zip/MyApp.app/Contents/MacOS/eclipse",
  "message": "The executable does not have the hardened runtime enabled.",
  "docUrl": null,
  "architecture": "x86_64"
}


If I enable runtime, the binary becomes broken:


        codesign  -f --options=runtime -s 'Some Developer ID Application' MyApp.app


        dlopen(/Users/zapletnev/Desktop/Scade.app/Contents/MacOS//../Eclipse/plugins/org.eclipse.equinox.launcher.cocoa.macosx.x86_64_1.1.300.v20150602-1417/eclipse_1611.so, 2): no suitable image found.  Did find:
          /Users/zapletnev/Desktop/Scade.app/Contents/MacOS//../Eclipse/plugins/org.eclipse.equinox.launcher.cocoa.macosx.x86_64_1.1.300.v20150602-1417/eclipse_1611.so: code signing blocked mmap() of '/Users/zapletnev/Desktop/Scade.app/Contents/MacOS//../Eclipse/plugins/org.eclipse.equinox.launcher.cocoa.macosx.x86_64_1.1.300.v20150602-1417/eclipse_1611.so'


I tried to notarize a default Eclipse Mars distribution and I found that it passed the validation. The same error, 'The executable does not have the hardened runtime enabled', is displayed as a warning.


"status": "Accepted",
"statusSummary": "Ready for distribution",
...

{
  "severity": "warning",
  "code": null,
  "path": "Eclipse.app.zip/Eclipse.app/Contents/MacOS/eclipse",
  "message": "The executable does not have the hardened runtime enabled.",
  "docUrl": null,
  "architecture": "x86_64"
},


        1. Why is the same issue marked as a warning for Eclipse Mars and as an error for my application?

2. Why does options=runtime break my binary, and how can I fix it?

• Re: Notarization warning: The executable does not have the hardened runtime enabled.
  eskimo Apple Staff (12,475 points)

          1. Why is the same issue marked as a warning for Eclipse Mars and as an error for my application?

          The notarisation system lets you notarise existing code, even if that code doesn’t meet its standard security requirements.  My best guess is that this code is hitting that legacy path.  And, to be clear, that’s a guess, because we explicitly do not document all the criteria required to hit that path.

          See the Notarize Your Preexisting Software section of Notarizing Your App Before Distribution for more background to this.

2. Why does options=runtime break my binary, and how can I fix it?

          The hardened runtime enables a wide variety of additional security checks.  It’s hard to say which one of these is causing the specific problem you’re seeing.  A good way to investigate this is to disable all these security checks (see Hardened Runtime Entitlements), confirm that your app works, and then selectively re-enable them to see where things start to fail.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

• Re: Notarization warning: The executable does not have the hardened runtime enabled.
  adib Level 1 (0 points)

            Have you tried adding these hardened runtime entitlements to your app?


            • com.apple.security.cs.allow-jit
            • com.apple.security.cs.allow-unsigned-executable-memory
            • com.apple.security.cs.disable-executable-page-protection


From your error message it looks like a memory-mapping issue related to a shared library. If allowing all of those works, then you could start removing them one by one to narrow down the entitlements.
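The two replies above describe one procedure: start with the hardened runtime plus a generous set of entitlements, confirm the app works, then remove entitlements one at a time. The script below is an added example (not code from either poster or from Eclipse) that writes adib's three entitlements to a plist, signs the nested native libraries that a plain `codesign -s MyApp.app` never reaches (the `code signing blocked mmap()` message above is the hardened runtime's library validation rejecting an unsigned `.so`), signs the outer bundle, and verifies the result. `MyApp.app`, the identity string and `entitlements.plist` are placeholder names.

```shell
#!/bin/sh
# Added example: hardened-runtime signing of an Eclipse RCP style bundle.
# Assumed: a Developer ID identity string and an app path supplied by the caller.
set -eu

# Write the three entitlements from the thread to a plist. To find the minimal
# set, delete one <key>/<true/> pair at a time, re-sign, and re-test the app.
write_entitlements() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
</dict>
</plist>
EOF
}

# Native code that lives outside Contents/Frameworks (Eclipse keeps its
# launcher .so under Contents/Eclipse/plugins) is not signed by signing the
# bundle alone, so list it explicitly and sign it first.
nested_libraries() {
  find "$1" -type f \( -name '*.so' -o -name '*.dylib' -o -name '*.jnilib' \) -print
}

# Sign inside-out with the same identity and the runtime option everywhere,
# so library validation accepts the libraries instead of blocking mmap().
sign_bundle() {
  app="$1"; identity="$2"; ents="$3"
  nested_libraries "$app" | while IFS= read -r lib; do
    codesign --force --options runtime --timestamp -s "$identity" "$lib"
  done
  codesign --force --options runtime --timestamp \
    --entitlements "$ents" -s "$identity" "$app"
  # Strict verification, then dump the entitlements that were actually embedded.
  codesign --verify --deep --strict --verbose=2 "$app"
  codesign -d --entitlements :- "$app"
}

# Usage (on a Mac with the identity in the keychain):
#   write_entitlements entitlements.plist
#   sign_bundle MyApp.app 'Developer ID Application: Example Corp (TEAMID)' entitlements.plist
```

Once the app runs with all three entitlements, re-run `sign_bundle` after removing each key in turn; the first removal that reproduces the dlopen failure identifies the check the Eclipse launcher library actually needs.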