[Interest] notarizing builds for Mac - enabling hardened runtime

Michael Jackson mike.jackson at bluequartz.net
Fri Jun 21 15:33:11 CEST 2019

From: Interest <interest-bounces at qt-project.org> on behalf of Elvis Stansvik <elvstone at gmail.com>
Date: Friday, June 21, 2019 at 7:14 AM
To: Kai Köhne <Kai.Koehne at qt.io>
Cc: Qt Interest <interest at qt-project.org>
Subject: Re: [Interest] notarizing builds for Mac - enabling hardened runtime


Den fre 21 juni 2019 09:13Kai Köhne <Kai.Koehne at qt.io> skrev:

> -----Original Message-----
> From: Interest <interest-bounces at qt-project.org> On Behalf Of Hamish
> Moffatt
> Sent: Friday, June 21, 2019 8:42 AM
> To: Qt Interest <interest at qt-project.org>
> Subject: [Interest] notarizing builds for Mac - enabling hardened runtime
> Apple says that all apps will need to be notarized (viewed) by them to be run
> on macOS 10.15 once released.
> Apps must have the hardened runtime enabled in Xcode before they can be
> notarized.
> Is there any way to get qmake to enable that project option?

I understand that the "hardened runtime" enabling happens at codesign time,
so this should arguably be a feature of macdeployqt. It's not there yet though,
at least according to https://bugreports.qt.io/browse/QTBUG-71291 .  If you're
right that this will become mandatory for macOS 10.15, it arguably get a higher 
priority; feel free to comment, including a link to the source of this statement.

For the time being, it seems you've to execute the codesign call yourself.


This is what I've done at work to prepare our builds for this. We use CMake though and we're already running codesign manually.


The notarization is annoying and takes around 5 minutes for Apple to run their virus scanners or whatever they're doing, so at the moment we're doing it only on Git-tagged CI builds (releases), not on every commit. What this gives us currently is that the macOS "do you want to run this" prompt will say "Was scanned by Apple on blah blah and found to look good" or something.


Will be more annoying if/when macOS starts to demand notarized builds, because then we'd need to do notarization of every commit, or force testers that wants to test a random build to turn off that checking (which I assume is still going to be possible through System Preferences).


Apple, sigh, I can understand and sympathize requiring signed builds, but this mandatory "virus scanned by Apple" is a little silly. As a user I trust the virus scanner I pick myself more than some blackbox process on Apple HQ servers.








My guess is that macOS will allow you to “override” the need to have the app scanned just like you can do now by right-clicking the app and clicking “open”. They would have to or developers wouldn’t be able to run their own apps or testers wouldn’t be able to run test apps. I don’t think macOS has gone the full “App Store Only” model yet, those days are coming. Still it would be good to get a definitive answer through Apple docs as to whether Notarization is mandatory or just strongly encouraged.



Mike Jackson


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20190621/9e309a30/attachment.html>

More information about the Interest mailing list