[Interest] notarizing builds for Mac - enabling hardened runtime

Elvis Stansvik elvstone at gmail.com
Fri Jun 21 13:13:41 CEST 2019


On Fri, 21 June 2019 at 09:13, Kai Köhne <Kai.Koehne at qt.io> wrote:

> > -----Original Message-----
> > From: Interest <interest-bounces at qt-project.org> On Behalf Of Hamish
> > Moffatt
> > Sent: Friday, June 21, 2019 8:42 AM
> > To: Qt Interest <interest at qt-project.org>
> > Subject: [Interest] notarizing builds for Mac - enabling hardened runtime
> >
> > Apple says that all apps will need to be notarized (viewed) by them to
> > be run on macOS 10.15 once released.
> >
> > Apps must have the hardened runtime enabled in Xcode before they can be
> > notarized.
> >
> > Is there any way to get qmake to enable that project option?
>
> I understand that the "hardened runtime" enabling happens at codesign time,
> so this should arguably be a feature of macdeployqt. It's not there yet
> though, at least according to https://bugreports.qt.io/browse/QTBUG-71291 .
> If you're right that this will become mandatory for macOS 10.15, it arguably
> gets a higher priority; feel free to comment, including a link to the source
> of this statement.
>
> For the time being, it seems you've to execute the codesign call yourself.
>

This is what I've done at work to prepare our builds for this. We use CMake
though and we're already running codesign manually.

The notarization is annoying and takes around 5 minutes for Apple to run
their virus scanners or whatever they're doing, so at the moment we're
doing it only on Git-tagged CI builds (releases), not on every commit. What
this gives us currently is that the macOS "do you want to run this" prompt
will say "Was scanned by Apple on blah blah and found to look good" or
something.

Will be more annoying if/when macOS starts to demand notarized builds,
because then we'd need to do notarization of every commit, or force testers
that want to test a random build to turn off that checking (which I assume
is still going to be possible through System Preferences).

Apple, sigh, I can understand and sympathize with requiring signed builds, but
this mandatory "virus scanned by Apple" is a little silly. As a user I
trust the virus scanner I pick myself more than some blackbox process on
Apple HQ servers.

Elvis


> Regards
>
> Kai
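
The workflow discussed in this thread (enable the hardened runtime at codesign time, notarize only Git-tagged CI builds), as an added example that is not code from either poster or from Qt. The bundle path, signing identity, keychain profile and the `CI_REF` variable are placeholders, and it uses `xcrun notarytool`, which postdates this thread.

```shell
#!/bin/sh
# Added example (not from the thread): hardened-runtime signing on every build,
# notarization only for tag builds. APP, IDENTITY, PROFILE, CI_REF are assumptions.
set -eu

APP="${APP:-build/MyApp.app}"                # placeholder bundle path
IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (TEAMID0000)}"  # placeholder identity
PROFILE="${PROFILE:-notary-profile}"         # placeholder notarytool keychain profile
DRY_RUN="${DRY_RUN:-1}"                      # 1 = only print the commands

run() {  # echo the command line; execute it only when DRY_RUN is not 1
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

is_release_ref() {  # true for refs/tags/<name>, false for branches or empty
  case "${1:-}" in refs/tags/?*) return 0 ;; *) return 1 ;; esac
}

sign_hardened() {
  # Nested frameworks and plugins must already be signed the same way (inside-out).
  # --options runtime turns on the hardened runtime; --timestamp requests a
  # secure timestamp, which notarization also requires.
  run codesign --force --timestamp --options runtime --sign "$IDENTITY" "$APP"
  run codesign --verify --strict --verbose=2 "$APP"
}

notarize() {
  zip="${APP%.app}.zip"
  run ditto -c -k --keepParent "$APP" "$zip"           # archive for upload
  run xcrun notarytool submit "$zip" --keychain-profile "$PROFILE" --wait
  run xcrun stapler staple "$APP"                      # attach the ticket to the bundle
}

pipeline() {  # $1 = git ref the CI job is building
  sign_hardened
  if is_release_ref "${1:-}"; then
    notarize
  else
    echo "skip notarization: ${1:-} is not a tag"
  fi
}

pipeline "${CI_REF:-}"
```

With the default `DRY_RUN=1` the script only prints the commands it would run; set `DRY_RUN=0` on a macOS build host to execute them.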