[Interest] notarizing builds for Mac - enabling hardened runtime

Adam Light aclight at gmail.com
Tue Jul 9 19:55:56 CEST 2019


On Fri, Jun 21, 2019 at 12:13 AM Kai Köhne <Kai.Koehne at qt.io> wrote:

> I understand that the "hardened runtime" enabling happens at codesign time,
> so this should arguably be a feature of macdeployqt. It's not there yet
> though, at least according to https://bugreports.qt.io/browse/QTBUG-71291 .
> If you're right that this will become mandatory for macOS 10.15, it arguably
> gets a higher priority; feel free to comment, including a link to the source
> of this statement.
>
> For the time being, it seems you've to execute the codesign call yourself.

Notarization is a requirement for macOS 10.15 (Catalina, currently in
beta). See https://developer.apple.com/news/?id=06032019i for an official
source of this requirement. In one of the WWDC 2019 talks about security
and code signing/notarization, they mentioned that this was true for
applications built (or maybe it's signed) after some date in early June.
For example, Qt 4.9.2, released June 26, 2019, will not run on Catalina
beta 3 without knowing how to work around the notarization requirement.

Note also that notarization is separate from hardened runtime. An
application built with the 10.14 SDK or later must enable hardened runtime
in order for it to be possible to notarize the application, but it is
possible to notarize applications built with previous SDK versions for
which hardened runtime did not exist.

See my comment at
https://bugreports.qt.io/browse/QTBUG-73398?focusedCommentId=468111&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-468111
for some links that are particularly helpful in describing all of the
complexities involved in notarization and hardened runtime.

Adam