Feature request: Enable hardened runtime for macOS #3383

Open
bradleySuira opened this issue Oct 12, 2018 · 9 comments

@bradleySuira

commented Oct 12, 2018

  • Version: ^20.28.4
  • Target: macOs

With the recent release of macOS Mojave, Apple gives us the option to upload a macOS app to be notarized for distribution outside the App Store, so that it doesn't have any problems with Gatekeeper. I tried to figure out how to enable the hardened runtime for an Electron app, but without success; the first option I thought of was entitlements, but that isn't it. So having an option to enable the hardened runtime would be a great feature for macOS distribution outside the App Store.

I'm a web/mobile developer and don't have all the knowledge of how Electron is built and whether it's possible to enable this feature, so I want to be humble, and if this option is impossible to implement or crazy, my apologies in advance.

Refs:

Solution we'd like
If it's possible, have an option in the build configuration to enable the hardened runtime for mac os applications.

Alternatives considered
None at this time, but if we could have something similar to react-native, NativeScript or Cordova, where we have the option to access the native projects and tweak them if necessary, that would be great.

Additional context
The hardened runtime can only be enabled with Xcode, because it is a flag in the project.pbxproj file and is only available through native apps built with Xcode, so the xcodebuild tool enables this flag when it creates the archive and signs the app. I don't know exactly how Electron works, but I think it has something like a template with a compiled app, and electron-builder, for example, only replaces and bundles the content inside.

[Screenshot: Xcode capability "Enable hardened runtime (macOS)", taken 2018-10-11]

@dariocravero

commented Oct 20, 2018

I got a dmg generated with electron-builder to work by signing the package with --options runtime!

You can try it by changing electron-osx-sign; somewhere here, add a line like:

args.push('--options', 'runtime')

I spotted that after searching for the error the notarization service was giving me ("The executable was not signed with the CS_RUNTIME option.") and finding this Cyberduck ticket and their fix.

Then to sign the app, run:

xcrun altool --notarize-app -f yourapp.dmg --primary-bundle-id appId -u your@user.com -p yourpassword

Take appId from what you defined in the build section of your package.json.

When it's done uploading it will output a UUID, run this command to check when it's done notarizing (it will also send you an email):

xcrun altool --notarization-info UUID -u your@user.com -p yourpassword

If it succeeded, you can then staple the package with:

xcrun stapler staple yourapp.dmg

The issue now is that the app crashes when signed like that. Here's the dump in case someone finds it handy.

I wonder if it works for anyone else? Will try on a dummy app when I get a chance.

@bimusiek

commented Oct 22, 2018

Same issue for our app.
Dump here

Looks like initialisation of JS env is crashing

@bradleySuira

commented Oct 24, 2018

Thanks @dariocravero, awesome, I will try your suggestions. For now it is not a priority for our app to be notarized, but it will still be necessary in the future. When I have results, I will share them here in case it helps others.

Regards!

@rajivshah3

commented Dec 2, 2018

It looks like Hardened Runtime is now supported (electron-userland/electron-osx-sign#176). I haven't tried it in our app yet, but from looking at xamarin/xamarin-macios#4288 I think the com.apple.security.cs.allow-jit entitlement needs to be added in order for the JavaScript to work. If I can get our app to work I'll make a PR to electron-osx-sign and add support for the hardenedRuntime option in electron-builder.

@noahott

commented Dec 11, 2018

I'm having a problem with my app where when hardenedRuntime is enabled, the app will crash immediately upon launch without any visible error messages. If I launch from the command line I see this:

#
# Fatal error in , line 0
# Check failed: SetPermissions(area_start, area_size, PageAllocator::kReadWriteExecute).
#
#
#
#FailureMessage Object: 0x7ffee7d1f740
Illegal instruction: 4

@zhaoterryy zhaoterryy added the mac label Dec 11, 2018

@bobby-stripe

commented Feb 2, 2019

@noahott it looks like it failed to change the permissions on a section of memory to RWX (read/write/execute) -- as @rajivshah3 suggests you need to enable the "allow-jit" entitlement.

@gniezen

commented Mar 11, 2019

Not sure how helpful it is, but there is an electron-notarize module in electron-userland. It would be great if electron-builder can automatically notarize macOS apps during packaging!

@gcadmes

commented Apr 25, 2019

@rajivshah3, regarding your last comment on December 1st 2018, have you added hardenedRuntime support to electron-builder? The documentation for electron-osx-sign has a "TODO" statement for electron-builder support.
Please let me know. Thx

@chawei

commented May 18, 2019

Just realized this has been implemented in v20.41.0. Thanks @loremattei!
7d5f952
