2

I want to notarize my app, and while notarizing I received a "Package Invalid" status with this "message": "The executable does not have the hardened runtime enabled.",

I am building the application on High Sierra with Xcode 9.4.

I tried adding --options=runtime while code signing, but it did not help to resolve the error.

Sushma
  • 2
    Where did you add `--options=runtime`? According to Apple, "Hardened runtime is available in the Capabilities pane of Xcode 10 or later, but you can enable the feature manually using earlier versions of Xcode, as long as you’re on macOS 10.13.6 or later. To do this, add the following flag to the OTHER_CODE_SIGN_FLAGS build setting:" This might be of help to you: https://stackoverflow.com/questions/53112078/how-to-upload-dmg-file-for-notarization-in-xcode – laocius Jun 13 '19 at 02:31
  • Make sure you don't modify the bundle after you code-sign it; otherwise the signature becomes invalid. – dev_null Feb 08 '20 at 21:15

3 Answers

3

Use codesign. It has a --options=runtime flag.

https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues

seph
1

The codesign option runtime means "make the signature compliant with a binary built with the hardened runtime". But your error message means that the binary was built without the hardened runtime enabled. Building code and signing it are two different things - you can't retroactively build when signing. You need to either use the + button on the left of the Signing & Capabilities tab to add the Hardened Runtime option, or if you're doing everything manually, go into the build settings and set ENABLE_HARDENED_RUNTIME to YES. When you verify the signature of your app, using:

codesign --display --verbose <path-to-app>

Look for the line beginning "codedirectory" and ensure that one of the flags listed is "runtime".

prosoitos
0

If the message says "does not have the hardened runtime enabled.", then it is so. The option you added did not take effect for whatever reason.

Try running codesign on the command line. Also try with the --deep option. The message should tell you which executable does not have the hardened runtime enabled. Sign that specific executable separately before signing the whole app and check if that error goes away.

laocius
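An added example, not part of any answer above: a script that applies the CodeDirectory flag check from the second answer to every executable in a bundle, to find the specific one the third answer suggests signing separately. The function names and sample output are constructed for illustration, and treating every file with the owner-execute bit as signable code is an assumption.

```shell
# Added example: list executables in a bundle whose signature lacks
# the "runtime" CodeDirectory flag. Function names are hypothetical.

# Constructed samples of what `codesign --display --verbose` prints.
SAMPLE_HARDENED='Executable=/tmp/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=24+5 location=embedded'
SAMPLE_PLAIN='Executable=/tmp/Example.app/Contents/MacOS/helper
Identifier=com.example.helper
CodeDirectory v=20200 size=512 flags=0x0(none) hashes=10+3 location=embedded'

# Succeeds only if the CodeDirectory line's flag list contains "runtime".
# The list is comma-separated, e.g. flags=0x10002(adhoc,runtime).
has_runtime_flag() {
    cd_flags=$(printf '%s\n' "$1" |
        sed -n 's/^CodeDirectory .*flags=[^(]*(\([^)]*\)).*/\1/p')
    case ",$cd_flags," in
        *,runtime,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every file under $1 with the owner-execute bit that is unsigned or
# signed without the runtime flag. codesign writes its report to stderr,
# hence 2>&1; it exits non-zero on unsigned files, hence || true.
list_unhardened() {
    find "$1" -type f -perm -100 | while IFS= read -r exe; do
        report=$(codesign --display --verbose "$exe" 2>&1) || true
        has_runtime_flag "$report" || printf '%s\n' "$exe"
    done
}

# Usage: sh check_runtime.sh /path/to/Example.app
if [ "$#" -gt 0 ]; then
    list_unhardened "$1"
fi
```

Empty output means every executable found carries the runtime flag; any path printed is a candidate for the notarization error.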