Skip to content

feat(cli): add macos hardened runtime signing config option#9318

Merged
FabianLars merged 8 commits intotauri-apps:devfrom
thewh1teagle:feat/cli/macos-signing-runtime-config
Jun 5, 2024
Merged

feat(cli): add macos hardened runtime signing config option#9318
FabianLars merged 8 commits intotauri-apps:devfrom
thewh1teagle:feat/cli/macos-signing-runtime-config

Conversation

@thewh1teagle
Copy link
Contributor

@thewh1teagle thewh1teagle commented Mar 31, 2024
edited
Loading

In macOS, when building dmg with ad-hoc signature, and the app depends on Frameworks (dynamic shared libraries, dylib files), they won't load and the app will crash with error message box.

I found that if we disable signing flag in macOS bundler passed from tauri-cli, it won't crash.
the flag which passed is --option runtime in tooling/bundler/src/bundle/macos/sign.rs#L210

crash log 
Termination Reason:    Namespace DYLD, Code 1 Library missing
Library not loaded: @rpath/libavcodec.60.dylib
Referenced from: <D007FD2C-8AD0-336A-944D-C186621D1CEF> /Volumes/VOLUME/vibe.app/Contents/MacOS/vibe
Reason: tried: '/Volumes/vibe/vibe.app/Contents/Frameworks/libavcodec.60.dylib' (code signature in <BEFA8967-6321-3361-9151-FF5EE424F751> '/Volumes/vibe/vibe.app/Contents/Frameworks/libavcodec.60.dylib' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/Volumes/vibe/vibe.app/Contents/Frameworks/libavcodec.60.dylib' (code signature in <BEFA8967-6321-3361-9151-FF5EE424F751> '/Volumes/vibe/vibe.app/Contents/Frameworks/libavcodec.60.dylib' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs)
(terminated at launch; ignore backtrace)
man codesign 
     -o, --options flag,...
             During signing, specifies a set of option flags to be embedded in
             the code signature. The value takes the form of a comma-separated
             list of names (with no spaces). Alternatively, a numeric value
             can be used to directly specify the option mask (CodeDirectory
             flag word). See OPTION FLAGS below.

Flags:
             runtime              Preserve the hardened runtime version (-o
                                  runtime flag, --runtime-version option)
                                  instead of overriding or deriving the
                                  version.

This PR introduce a way to control the flag through tauri.conf.json:

  "bundle": {
    "macOS": {
      "signingIdentity": "-",
      "hardenedRuntime": false
    }
  }

I believe that macOS bundling process needs to be much more flexible.
Currently I have no other option to control the final signing of the app, and tauri enforce this runtime flag, as a result the final binary can't run and I can't publish it for macOS (arm).

meanwhile for testing the app, it's possible to resign it:

codesign --force --deep -s "-" /Applications/vibe.app
hdiutil create -format UDZO -srcfolder some_app.app signed.dmg

@thewh1teagle thewh1teagle requested a review from a team as a code owner March 31, 2024 21:04
@lucasfernog lucasfernog changed the title feat(cli): add macos signing config option feat(cli): add macos hardened runtime signing config option Apr 2, 2024
@thewh1teagle
Copy link
Contributor Author

thewh1teagle commented May 15, 2024

Just a gentle reminder: I'm currently unable to test my app build locally due to the damaged dmg release caused by the default hardened option. It's impacting my development process. Any chance we could prioritize merging the PR? Appreciate your attention to this matter!

FabianLars
FabianLars requested changes Jun 5, 2024
View reviewed changes
Copy link
Member

@FabianLars FabianLars left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, just some smaller things and then it's good to go :)

@thewh1teagle
Copy link
Contributor Author

thewh1teagle commented Jun 5, 2024

Thanks for the review : - )
Edited as suggested

@FabianLars FabianLars merged commit 656a649 into tauri-apps:dev Jun 5, 2024
@github-actions github-actions bot mentioned this pull request Jun 5, 2024
Merged
pewsheen pushed a commit to pewsheen/tauri that referenced this pull request Jun 13, 2024
@thewh1teagle @lucasfernog @pewsheen
feat(cli): add macos hardened runtime signing config option (tauri-ap…
ecab164 
…ps#9318)

* feat(cli): add macos signing config option

* rename option to hardened_runtime

* chore(cli): use default true in hardened runtime config

---------

Co-authored-by: Lucas Nogueira <lucas@tauri.app>
@github-actions github-actions bot mentioned this pull request Jul 2, 2024
Merged
FabianLars added a commit that referenced this pull request Jul 4, 2024
@FabianLars @lucasfernog
feat(cli): add macos hardened runtime signing config option (#9318)
6938d0e 
* feat(cli): add macos signing config option

* rename option to hardened_runtime

* chore(cli): use default true in hardened runtime config

---------

Co-authored-by: Lucas Nogueira <lucas@tauri.app>
@FabianLars FabianLars mentioned this pull request Jul 4, 2024
Merged
amrbashir pushed a commit that referenced this pull request Jul 8, 2024
@FabianLars @lucasfernog
feat(cli): add macos hardened runtime signing config option (#9318) (#…
0aa0378 
…10199)

* feat(cli): add macos signing config option

* rename option to hardened_runtime

* chore(cli): use default true in hardened runtime config

---------

Co-authored-by: Lucas Nogueira <lucas@tauri.app>
@PJUllrich PJUllrich mentioned this pull request Jul 30, 2025
Closed
@WSH032 WSH032 mentioned this pull request Oct 7, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@FabianLars FabianLars FabianLars approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@thewh1teagle @FabianLars @lucasfernog