[Interest] notarizing builds for Mac - enabling hardened runtime

Andy asmaloney at gmail.com
Wed Jul 10 13:19:59 CEST 2019


It sounds like not signing at all is still an option?

"Mac apps, installer packages, and kernel extensions *that are signed with
Developer ID* must also be notarized by Apple in order to run on macOS
Catalina."

Apple has made this way too complicated to be useful IMHO.

---
Andy Maloney  //  https://asmaloney.com
twitter ~ @asmaloney <https://twitter.com/asmaloney>



On Wed, Jul 10, 2019 at 5:28 AM Elvis Stansvik <elvstone at gmail.com> wrote:

> On Tue, 9 July 2019 at 19:57, Adam Light <aclight at gmail.com> wrote:
> >
> >
> >
> > On Fri, Jun 21, 2019 at 12:13 AM Kai Köhne <Kai.Koehne at qt.io> wrote:
> >>
> >>
> >> I understand that the "hardened runtime" enabling happens at codesign time, so this should arguably be a feature of macdeployqt. It's not there yet though, at least according to https://bugreports.qt.io/browse/QTBUG-71291 . If you're right that this will become mandatory for macOS 10.15, it arguably gets a higher priority; feel free to comment, including a link to the source of this statement.
> >>
> >> For the time being, it seems you've to execute the codesign call yourself.
> >>
> >
> > Notarization is a requirement for macOS 10.15 (Catalina, currently in beta). See https://developer.apple.com/news/?id=06032019i for an official source of this requirement. In one of the WWDC 2019 talks about security and code signing/notarization, they mentioned that this was true for applications built (or maybe it's signed) after some date in early June. For example, Qt 4.9.2, released June 26, 2019, will not run on Catalina beta 3 without knowing how to work around the notarization requirement.
>
> With "work around" do you mean from the user POV (e.g. somehow
> disabling Gatekeeper, or Ctrl+Open, or something else) or from a
> developer POV (so, having to notarize)?
>
> I'd like to know if there is some reasonably simple way for users to
> get around the requirement. We will not be able to notarize every
> build we do, because of the time it takes. But at the same time we,
> and our testers, must be able to test random builds from Git (we build
> a .dmg for every commit) to try out in-progress features/bug fixes...
> So I really hope there will be some way for the user to get around the
> notarization requirement.
>
> Elvis
>
> >
> > Note also that notarization is separate from hardened runtime. An application built with the 10.14 SDK or later must enable hardened runtime in order for it to be possible to notarize the application, but it is possible to notarize applications built with previous SDK versions for which hardened runtime did not exist.
> >
> > See my comment at https://bugreports.qt.io/browse/QTBUG-73398?focusedCommentId=468111&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-468111 for some links that are particularly helpful in describing all of the complexities involved in notarization and hardened runtime.
> >
> > Adam
> > _______________________________________________
> > Interest mailing list
> > Interest at qt-project.org
> > https://lists.qt-project.org/listinfo/interest

