10

My project needs Ghostscript to do lots of tasks, so I have added the gs CLI tool to my project resources. However, when I tried to notarize the project application, Xcode showed me this:


I assume that might be because the Ghostscript portable CLI is a third-party program from the internet that isn't code signed and doesn't have the hardened runtime enabled. On the latest macOS Mojave I have to notarize applications to keep Gatekeeper from showing warnings when the user opens the DMG file. But it seems notarization is hard to pass if the application contains a third-party CLI.

Is there a solution for this?

Cœur
SuperBerry

2 Answers

24

I found the solution finally. Sign the CLI this way:

```
codesign --force --options runtime --sign "Developer ID Application: COMPANYNAME" ./CLITool
```

Then I successfully archived the Application and uploaded to Apple to notarize.

SuperBerry
  • 1
    How does this fulfill the hardening requirements? – tresf Oct 21 '18 at 13:33
  • 6
    I think it would be "--options runtime". Since I signed the command tool by this, it works. – SuperBerry Oct 21 '18 at 13:38
  • 1
    Thanks for clarification. Where did you find this information/parameter(s)? I assume it will coincide with this? https://help.apple.com/xcode/mac/current/en.lproj/Art/ca_enablehardenedruntime.png – tresf Oct 21 '18 at 13:42
  • 1
    @tresf https://forum.xojo.com/49408-10-14-hardened-runtime-and-app-notarization/0 – SuperBerry Oct 21 '18 at 13:50
  • Adding "--options runtime" to codesign solved the problem. Thanks. – Tushar Feb 20 '20 at 14:37
  • My app's Mac executable is developed via Maven (Java project). Then I used the codesign command with `--option=runtime` for notarization. But if I sign with `--option=runtime` my app doesn't run. It shows `The [APP_NAME] executable launcher was unable to locate its companion shared library.` – iamcrypticcoder Mar 12 '20 at 11:22
2

Enabling the hardened runtime is achieved via `--options runtime`.

I found this guide to be very helpful with the notarization and code signing process for app distribution outside the Mac store.

I had an issue with my app crashing after enabling hardened runtime for it, though. This comment and this other one helped me with my issue at the time.
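
A pre-notarization check for the signing approach in the answers above, as an added example that is not part of the original posts: it parses the text printed by `codesign --display --verbose=2` and reports whether a bundled helper is signed with a Developer ID Application certificate and has the hardened runtime flag set. The function names and the sample outputs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: verify bundled helper binaries before uploading for notarization.

# Constructed sample outputs of `codesign --display --verbose=2` (not from a real build).
SAMPLE_HARDENED='Executable=/tmp/Demo.app/Contents/Resources/gs
CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=24+5 location=embedded
Authority=Developer ID Application: COMPANYNAME (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'
SAMPLE_PLAIN='Executable=/tmp/Demo.app/Contents/Resources/gs
CodeDirectory v=20200 size=1024 flags=0x0(none) hashes=24+5 location=embedded
Authority=Developer ID Application: COMPANYNAME (TEAMID0000)'
SAMPLE_UNSIGNED='/tmp/Demo.app/Contents/Resources/gs: code object is not signed at all'

# Succeeds when the CodeDirectory flag list contains "runtime" (hardened runtime on).
has_hardened_runtime() {
    printf '%s\n' "$1" |
        grep -Eq '^CodeDirectory .*flags=0x[0-9a-fA-F]+\(([a-z-]+,)*runtime(,[a-z-]+)*\)'
}

# Succeeds when the leaf certificate is a Developer ID Application certificate.
has_developer_id() {
    printf '%s\n' "$1" | grep -q '^Authority=Developer ID Application: '
}

# $1 = label for the binary, $2 = codesign output. Prints a verdict, returns 0 if OK.
check_signature() {
    if ! has_developer_id "$2"; then
        echo "FAIL $1: no Developer ID Application signature"; return 1
    fi
    if ! has_hardened_runtime "$2"; then
        echo "FAIL $1: hardened runtime off (re-sign with --options runtime)"; return 1
    fi
    echo "OK $1"
}

# On macOS, pass the helper paths as arguments, e.g. MyApp.app/Contents/Resources/gs
if [ "$#" -gt 0 ] && command -v codesign >/dev/null 2>&1; then
    status=0
    for bin in "$@"; do
        out=$(codesign --display --verbose=2 "$bin" 2>&1)  # codesign writes to stderr
        check_signature "$bin" "$out" || status=1
    done
    exit "$status"
fi
```
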