feat(cli): add macos hardened runtime signing config option (#9318)

thewh1teagle · lucasfernog · web-flow · commit 656a64974468 · 2024-06-05T18:04:08.000+02:00
* feat(cli): add macos signing config option

* rename option to hardened_runtime

* chore(cli): use default true in hardened runtime config

---------

Co-authored-by: Lucas Nogueira &lt;lucas@tauri.app&gt;
diff --git a/.changes/hardened-runtime-option.md b/.changes/hardened-runtime-option.md
@@ -0,0 +1,8 @@
+---
+"tauri-bundler": patch:feat
+"@tauri-apps/cli": patch:feat
+"tauri-cli": patch:feat
+"tauri-utils": patch:feat
+---
+
+Added a configuration option to disable hardened runtime on macOS codesign.
diff --git a/core/tauri-config-schema/schema.json b/core/tauri-config-schema/schema.json
@@ -104,6 +104,7 @@
             }
           },
           "files": {},
+          "hardenedRuntime": true,
           "minimumSystemVersion": "10.13"
         },
         "targets": "all",
@@ -1683,6 +1684,7 @@
               }
             },
             "files": {},
+            "hardenedRuntime": true,
             "minimumSystemVersion": "10.13"
           },
           "allOf": [
@@ -2688,6 +2690,11 @@
             "null"
           ]
         },
+        "hardenedRuntime": {
+          "description": "Whether the codesign should enable [hardened runtime] (for executables) or not.\n\n[hardened runtime]: <https://developer.apple.com/documentation/security/hardened_runtime>",
+          "default": true,
+          "type": "boolean"
+        },
         "providerShortName": {
           "description": "Provider short name for notarization.",
           "type": [
diff --git a/core/tauri-utils/src/config.rs b/core/tauri-utils/src/config.rs
@@ -565,6 +565,11 @@ pub struct MacConfig {
   /// Identity to use for code signing.
   #[serde(alias = "signing-identity")]
   pub signing_identity: Option<String>,
+  /// Whether the codesign should enable [hardened runtime] (for executables) or not.
+  ///
+  /// [hardened runtime]: <https://developer.apple.com/documentation/security/hardened_runtime>
+  #[serde(alias = "hardened-runtime", default = "default_true")]
+  pub hardened_runtime: bool,
   /// Provider short name for notarization.
   #[serde(alias = "provider-short-name")]
   pub provider_short_name: Option<String>,
@@ -583,6 +588,7 @@ impl Default for MacConfig {
       minimum_system_version: minimum_system_version(),
       exception_domain: None,
       signing_identity: None,
+      hardened_runtime: true,
       provider_short_name: None,
       entitlements: None,
       dmg: Default::default(),
diff --git a/tooling/bundler/src/bundle/macos/sign.rs b/tooling/bundler/src/bundle/macos/sign.rs
@@ -205,7 +205,9 @@ fn try_sign(
     args.push(entitlements_path);
   }
 
-  if is_an_executable {
+  // add runtime flag by default
+
+  if is_an_executable && settings.macos().hardened_runtime {
     args.push("--options");
     args.push("runtime");
   }
diff --git a/tooling/bundler/src/bundle/settings.rs b/tooling/bundler/src/bundle/settings.rs
@@ -317,6 +317,10 @@ pub struct MacOsSettings {
   pub exception_domain: Option<String>,
   /// Code signing identity.
   pub signing_identity: Option<String>,
+  /// Preserve the hardened runtime version flag, see <https://developer.apple.com/documentation/security/hardened_runtime>
+  ///
+  /// Settings this to `false` is useful when using an ad-hoc signature, making it less strict.
+  pub hardened_runtime: bool,
   /// Provider short name for notarization.
   pub provider_short_name: Option<String>,
   /// Path to the entitlements.plist file.
diff --git a/tooling/cli/schema.json b/tooling/cli/schema.json
@@ -104,6 +104,7 @@
             }
           },
           "files": {},
+          "hardenedRuntime": true,
           "minimumSystemVersion": "10.13"
         },
         "targets": "all",
@@ -1683,6 +1684,7 @@
               }
             },
             "files": {},
+            "hardenedRuntime": true,
             "minimumSystemVersion": "10.13"
           },
           "allOf": [
@@ -2688,6 +2690,11 @@
             "null"
           ]
         },
+        "hardenedRuntime": {
+          "description": "Whether the codesign should enable [hardened runtime] (for executables) or not.\n\n[hardened runtime]: <https://developer.apple.com/documentation/security/hardened_runtime>",
+          "default": true,
+          "type": "boolean"
+        },
         "providerShortName": {
           "description": "Provider short name for notarization.",
           "type": [
diff --git a/tooling/cli/src/interface/rust.rs b/tooling/cli/src/interface/rust.rs
@@ -1362,6 +1362,7 @@ fn tauri_config_to_bundle_settings(
       minimum_system_version: config.macos.minimum_system_version,
       exception_domain: config.macos.exception_domain,
       signing_identity,
+      hardened_runtime: config.macos.hardened_runtime,
       provider_short_name,
       entitlements: config.macos.entitlements,
       info_plist_path: {

Original file line number	Diff line number	Diff line change
`@@ -205,7 +205,9 @@ fn try_sign(`
`205`	`205`	`args.push(entitlements_path);`
`206`	`206`	`}`
`207`	`207`
`208`		`- if is_an_executable {`
	`208`	`+ // add runtime flag by default`
	`209`	`+`
	`210`	`+ if is_an_executable && settings.macos().hardened_runtime {`
`209`	`211`	`args.push("--options");`
`210`	`212`	`args.push("runtime");`
`211`	`213`	`}`