Enable hardened runtime for macOS

[bradleySuira]

• Version: ^20.28.4

• Target: macOs

With the recent release of macOS Mojave, Apple give us the option to upload a macOS app to be notarized to distribute outside the AppStore to don't have any problem with Gatekeeper. I tried to figure out how to enable the hardened runtime for an Electron app but without success, the first option that I think, was entitlements but isn't, so have the option to enable hardened runtime will be a great feature for macOs distribution outside the AppStore.

I'm a web/mobile developer and don't have all the knowledge how is builded electron and if it's possible enable this feature, to I want to be humble and if this options is impossible to implement or crazy, my apologize in advance.

Refs:

• Distribute outside the Mac App Store (macOS)
• Upload a macOS app to be notarized

Solution we'd like
If it's possible, have an option in the build configuration to enable the hardened runtime for mac os applications.

Alternatives considered
Not any at this time, but if we can have something similar to react-native, nativescript or cordova, where we have the option to access the native projects and tweak if its necessary will be great

Additional context
The hardened runtime only can be enabled with xcode, because is a flag in the project.pbxproj file and is only available trough native apps with xcode, so the xcodebuild tool when create the archive and sign the app, enable this flag. I don’t now how exactly electron works but I think that have like a template with a compiled app and the electron-builder for example, only replace and bundle the content inside.

Enable hardened runtime (macOS)

---

[dariocravero]

I got a dmg generated with electron-builder to work by signing the package with --options runtime!

You can try it by changing electron-osx-sign somewhere here add a line like:

args.push('--options', 'runtime')

I spotted that after searching for the error the notarization service was giving me The executable was not signed with the CS_RUNTIME option. and finding this Cyberduck ticket and their fix.

Then to sign the app, run:

xcrun altool --notarize-app -f yourapp.dmg --primary-bundle-id appId -u your@user.com -p yourpassword

Take appId from what you defined in the build section of your package.json.

When it's done uploading it will output a UUID, run this command to check when it's done notarizing (it will also send you an email):

xcrun altool --notarization-info UUID -u your@user.com -p yourpassword

If it succeeded, you can then staple the package with:

xcrun stapler staple yourapp.dmg

The issue now is that the app crashes when signed like that. Here's the dump in case someone finds it handy.

I wonder if it works for anyone else? Will try on a dummy app when I get a chance.

[bimusiek]

Same issue for our app.
Dump here

Looks like initialisation of JS env is crashing

[bradleySuira]

Thanks @dariocravero, awesome, I will try your suggestions, for now is not a priority for our app to be notarized but still necessary for the future, when I have results, I will share here in case that it helps to others.

Regards!

[rajivshah3]

It looks like Hardened Runtime is now supported (electron/osx-sign#176). I haven't tried it in our app yet, but from looking at dotnet/macios#4288 I think the com.apple.security.cs.allow-jit entitlement needs to be added in order for the JavaScript to work. If I can get our app to work I'll make a PR to electron-osx-sign and add support for the hardenedRuntime option in electron-builder

[noahott]

I'm having a problem with my app where when hardenedRuntime is enabled, the app will crash immediately upon launch without any visible error messages. If I launch from the command line I see this:

#
# Fatal error in , line 0
# Check failed: SetPermissions(area_start, area_size, PageAllocator::kReadWriteExecute).
#
#
#
#FailureMessage Object: 0x7ffee7d1f740Illegal instruction: 4

[bobby-stripe]

@noahott it looks like it failed to change the permissions on a section of memory to RWX (read/write/execute) -- as @rajivshah3 suggests you need to enable the "allow-jit" entitlement.

[gniezen]

Not sure how helpful it is, but there is an electron-notarize module in electron-userland. It would be great if electron-builder can automatically notarize macOS apps during packaging!

[gcadmes]

@rajivshah3, regarding your last comment on December 1st 2018, have you added hardenedRuntime support to electron-builder? The documentation for electron-osx-sign has a "TODO" statement for electron-builder support.
Please let me know. thx

[chawei]

just realize this has been implemented in v20.41.0. thanks @loremattei!
7d5f952