[Interest] notarizing builds for Mac - enabling hardened runtime

Elvis Stansvik elvstone at gmail.com
Wed Jul 10 11:28:08 CEST 2019


On Tue, 9 July 2019 at 19:57, Adam Light <aclight at gmail.com> wrote:
>
>
>
> On Fri, Jun 21, 2019 at 12:13 AM Kai Köhne <Kai.Koehne at qt.io> wrote:
>>
>>
>> I understand that the "hardened runtime" enabling happens at codesign time,
>> so this should arguably be a feature of macdeployqt. It's not there yet though,
>> at least according to https://bugreports.qt.io/browse/QTBUG-71291 .  If you're
>> right that this will become mandatory for macOS 10.15, it arguably gets a higher
>> priority; feel free to comment, including a link to the source of this statement.
>>
>> For the time being, it seems you've to execute the codesign call yourself.
>>
>
> Notarization is a requirement for macOS 10.15 (Catalina, currently in beta). See https://developer.apple.com/news/?id=06032019i for an official source of this requirement. In one of the WWDC 2019 talks about security and code signing/notarization, they mentioned that this was true for applications built (or maybe it's signed) after some date in early June. For example, Qt 4.9.2, released June 26, 2019, will not run on Catalina beta 3 without knowing how to work around the notarization requirement.

With "work around" do you mean from the user POV (e.g. somehow
disabling Gatekeeper, or Ctrl+Open, or something else) or from a
developer POV (so, having to notarize)?

I'd like to know if there is some reasonably simple way for users to
get around the requirement. We will not be able to notarize every
build we do, because of the time it takes. But at the same time we,
and our testers, must be able to test random builds from Git (we build
a .dmg for every commit) to try out in-progress features/bug fixes...
So I really hope there will be some way for the user to get around the
notarization requirement.

Elvis

>
> Note also that notarization is separate from hardened runtime. An application built with the 10.14 SDK or later must enable hardened runtime in order for it to be possible to notarize the application, but it is possible to notarize applications built with previous SDK versions for which hardened runtime did not exist.
>
> See my comment at https://bugreports.qt.io/browse/QTBUG-73398?focusedCommentId=468111&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-468111 for some links that are particularly helpful in describing all of the complexities involved in notarization and hardened runtime.
>
> Adam