[Interest] notarizing builds for Mac - enabling hardened runtime

Fri Jun 21 17:04:51 CEST 2019

Den fre 21 juni 2019 15:33Michael Jackson <mike.jackson at bluequartz.net>
skrev:

> *From: *Interest <interest-bounces at qt-project.org> on behalf of Elvis
> Stansvik <elvstone at gmail.com>
> *Date: *Friday, June 21, 2019 at 7:14 AM
> *To: *Kai Köhne <Kai.Koehne at qt.io>
> *Cc: *Qt Interest <interest at qt-project.org>
> *Subject: *Re: [Interest] notarizing builds for Mac - enabling hardened
> runtime
>
>
>
> Den fre 21 juni 2019 09:13Kai Köhne <Kai.Koehne at qt.io> skrev:
>
> > -----Original Message-----
> > From: Interest <interest-bounces at qt-project.org> On Behalf Of Hamish
> > Moffatt
> > Sent: Friday, June 21, 2019 8:42 AM
> > To: Qt Interest <interest at qt-project.org>
> > Subject: [Interest] notarizing builds for Mac - enabling hardened runtime
> >
> > Apple says that all apps will need to be notarized (viewed) by them to
> be run
> > on macOS 10.15 once released.
> >
> > Apps must have the hardened runtime enabled in Xcode before they can be
> > notarized.
> >
> > Is there any way to get qmake to enable that project option?
>
> I understand that the "hardened runtime" enabling happens at codesign time,
> so this should arguably be a feature of macdeployqt. It's not there yet
> though,
> at least according to https://bugreports.qt.io/browse/QTBUG-71291 .  If
> you're
> right that this will become mandatory for macOS 10.15, it arguably get a
> higher
> priority; feel free to comment, including a link to the source of this
> statement.
>
> For the time being, it seems you've to execute the codesign call yourself.
>
>
>
> This is what I've done at work to prepare our builds for this. We use
> CMake though and we're already running codesign manually.
>
>
>
> The notarization is annoying and takes around 5 minutes for Apple to run
> their virus scanners or whatever they're doing, so at the moment we're
> doing it only on Git-tagged CI builds (releases), not on every commit. What
> this gives us currently is that the macOS "do you want to run this" prompt
> will say "Was scanned by Apple on blah blah and found to look good" or
> something.
>
>
>
> Will be more annoying if/when macOS starts to demand notarized builds,
> because then we'd need to do notarization of every commit, or force testers
> that wants to test a random build to turn off that checking (which I assume
> is still going to be possible through System Preferences).
>
>
>
> Apple, sigh, I can understand and sympathize requiring signed builds, but
> this mandatory "virus scanned by Apple" is a little silly. As a user I
> trust the virus scanner I pick myself more than some blackbox process on
> Apple HQ servers.
>
>
>
> Elvis
>
>
>
>
> Regards
>
> Kai
>
>
>
>
>
> My guess is that macOS will allow you to “override” the need to have the
> app scanned just like you can do now by right-clicking the app and clicking
> “open”. They would have to or
>

Yes, I guess so. And I guess that is what we'll ask of our beta testers
(who regularly pull random builds to try out new features under
development) to do, since having to notarize each commit is a bit much. I
guess Apple will discourage such behavior anyway, considering the load it
would put on their infra if everyone did so.

Elvis

developers wouldn’t be able to run their own apps or testers wouldn’t be
> able to run test apps. I don’t think macOS has gone the full “App Store
> Only” model yet, those days are coming. Still it would be good to get a
> definitive answer through Apple docs as to whether Notarization is
> mandatory or just strongly encouraged.
>
>
>
> --
>
> Mike Jackson
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/interest/attachments/20190621/ecf60da5/attachment.html>