feat: add support for the mojave hardened runtime

electron · Oct 23, 2018 · ea4bc33 · ea4bc33
1 parent 0aa699d
commit ea4bc33
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -168,6 +168,11 @@ Flag to enable/disable Gatekeeper assessment after signing the app. Disabling it
 Gatekeeper assessment is enabled by default on `darwin` platform.
 Default to `true`.
 
+`hardedRuntime` - *Boolean*
+
+Flag to enable the Mojave hardened runtime when signing the app.  Disabled by default, requires Xcode >= 10 and
+macOS >= 10.13.6.
+
 `identity` - *String*
 
 Name of certificate to use when signing.

diff --git a/bin/electron-osx-sign-usage.txt b/bin/electron-osx-sign-usage.txt
@@ -25,6 +25,10 @@ DESCRIPTION
     Flag to enable/disable Gatekeeper assessment after signing the app. Disabling it is useful for signing with self-signed certificates.
     Gatekeeper assessment is enabled by default on ``darwin'' platform.
 
+  --hardened-runtime
+    Flag to enable the Mojave hardened runtime when signing the app.  Disabled by default, requires Xcode >= 10 and macOS
+    >= 10.13.6.
+
   --help
     Flag to display all commands.
 

diff --git a/bin/electron-osx-sign.js b/bin/electron-osx-sign.js
@@ -7,7 +7,8 @@ var args = require('minimist')(process.argv.slice(2), {
     'help',
     'pre-auto-entitlements',
     'pre-embed-provisioning-profile',
-    'gatekeeper-assess'
+    'gatekeeper-assess',
+    'hardened-runtime'
   ],
   'default': {
     'pre-auto-entitlements': true,

diff --git a/sign.js b/sign.js
@@ -24,6 +24,8 @@ const ProvisioningProfile = require('./util-provisioning-profiles').Provisioning
 const preEmbedProvisioningProfile = require('./util-provisioning-profiles').preEmbedProvisioningProfile
 const preAutoEntitlements = require('./util-entitlements').preAutoEntitlements
 
+const osRelease = require('os').release()
+
 /**
  * This function returns a promise validating opts.binaries, the additional binaries to be signed along with the discovered enclosed components.
  * @function
@@ -82,7 +84,6 @@ function validateSignOptsAsync (opts) {
 function verifySignApplicationAsync (opts) {
   // Verify with codesign
   var compareVersion = require('compare-version')
-  var osRelease = require('os').release()
   debuglog('Verifying application bundle with codesign...')
 
   var promise = execFileAsync('codesign', [
@@ -155,6 +156,14 @@ function signApplicationAsync (opts) {
       if (opts.timestamp) {
         args.push('--timestamp=' + opts.timestamp)
       }
+      if (opts.hardenedRuntime || opts['hardened-runtime']) {
+        // 17.7.0 === 10.13.6
+        if (compareVersion(osRelease, '17.7.0') >= 0) {
+          args.push('--options', 'runtime')
+        } else {
+          debuglog('Not enabling hardened runtime, current macOS version too low, requires 10.13.6 and higher')
+        }
+      }
 
       var promise
       if (opts.entitlements) {