Getting Ready for macOS’s Hardened Runtime and Notary

David Ortinau

With macOS Mojave, Apple introduced support for the Hardened Runtime and the Notary service. These two services are designed to improve application security on macOS. Recently Apple has stated:

“Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. In a future version of macOS, notarization will be required by default for all software.”

Security on macOS

To understand this, let’s break down the different layers of requirements:

  • Code Signing – On macOS, Gatekeeper requires application bundles to be cryptographically signed with a key from an Apple developer account.
    • This has been a requirement since macOS Lion (10.7).
    • Obtaining the correct keys and certificates can be difficult to get right the first time, so see the Xamarin.Mac signing documentation.
  • Hardened Runtime – This is a second layer of security, introduced in macOS Mojave (10.14). When you code sign with an additional flag, the Cocoa runtime applies a number of restrictions to the running application.
    • For example, some restrictions include denying execution of self-modifying code or loading unsigned dynamic libraries.
    • Each category of restriction can be opted out of via the use of special entitlements.
  • Notary Service – This is a third layer of security, also introduced in macOS Mojave (10.14). It is a code scanning service that scans your software for malicious content. To pass notary scanning, your application must have already opted into the hardened runtime.

How to Get Started

To get started preparing your application for these new requirements, here are some steps to take:

Configure Your Entitlements

Until we implement IDE support for the new options, two manual steps are needed:

  1. Open your Xamarin.Mac application .csproj in a text editor and add <UseHardenedRuntime>true</UseHardenedRuntime> to the Release section.
  2. Open your entitlements.plist file in a text editor and add the following (the Mono runtime JIT-compiles your managed code, and the hardened runtime blocks that unless this entitlement is present):

     <key>com.apple.security.cs.allow-jit</key>
     <true/>

Launch your application and test it out. If it crashes, you may need additional entitlements from Apple.

Notarize Your App

To notarize you need to follow two steps:

  1. Upload your build to the notary service
  2. Staple the ticket to your application
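The two sections above (configuring the entitlements, then notarizing and stapling) leave a gap between "I added the flag" and "Gatekeeper actually sees a hardened, notarized bundle". The script below is an added example, not code from the original post or from Xamarin.Mac: it parses the output of codesign to confirm the hardened runtime flag and the allow-jit entitlement really made it into the signature, then submits, staples and asks spctl for its verdict. The bundle path, the keychain profile name AC_PROFILE (created beforehand with xcrun notarytool store-credentials) and the sample codesign output in self_check are all assumptions or constructed values; it uses xcrun notarytool, which Apple introduced in place of the older altool upload.

```shell
#!/bin/sh
# Added example, not code from the original post or from Xamarin.Mac.
# Verifies that a signed bundle carries the hardened runtime flag and the
# allow-jit entitlement, then notarizes, staples and checks Gatekeeper's verdict.
# APP_PATH and PROFILE are placeholder assumptions, not values from the post.

APP_PATH="${APP_PATH:-bin/Release/MyApp.app}"   # assumed bundle path
PROFILE="${PROFILE:-AC_PROFILE}"                 # assumed notarytool keychain profile

# Given the text printed by `codesign -dvv <bundle>`, succeed when the
# CodeDirectory flags list "runtime", i.e. the hardened runtime is enabled.
has_hardened_runtime() {
    printf '%s\n' "$1" | grep -q 'flags=0x[0-9a-fA-F]*([^)]*runtime'
}

# Given the plist printed by `codesign -d --entitlements :- <bundle>`, succeed
# when the named entitlement is present and set to <true/>.
has_entitlement() {
    key="$1"
    plist="$2"
    printf '%s\n' "$plist" | tr -d '[:space:]' | grep -q "<key>$key</key><true/>"
}

# Run both checks against the real bundle (needs macOS with Xcode tools).
verify_bundle() {
    sig="$(codesign -dvv "$APP_PATH" 2>&1)" || return 1
    ents="$(codesign -d --entitlements :- "$APP_PATH" 2>/dev/null)" || return 1
    has_hardened_runtime "$sig" \
        || { echo "missing hardened runtime flag; check UseHardenedRuntime" >&2; return 1; }
    has_entitlement com.apple.security.cs.allow-jit "$ents" \
        || { echo "missing com.apple.security.cs.allow-jit entitlement" >&2; return 1; }
    echo "signature OK: hardened runtime and allow-jit present"
}

# Zip, submit and wait for the ticket, staple it, then ask Gatekeeper.
notarize_and_staple() {
    zip_path="/tmp/$(basename "$APP_PATH").zip"
    # ditto keeps symlinks and resource forks intact; a plain zip may not.
    ditto -c -k --keepParent "$APP_PATH" "$zip_path" || return 1
    xcrun notarytool submit "$zip_path" --keychain-profile "$PROFILE" --wait || return 1
    xcrun stapler staple "$APP_PATH" || return 1
    # Expected to print "source=Notarized Developer ID" once stapled.
    spctl -a -vv "$APP_PATH"
}

# Exercise the parsers on constructed codesign output (no bundle needed).
self_check() {
    sample_sig='Executable=/tmp/MyApp.app/Contents/MacOS/MyApp
Identifier=com.example.myapp
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded'
    sample_ent='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
</dict>
</plist>'
    has_hardened_runtime "$sample_sig" || return 1
    has_hardened_runtime 'CodeDirectory v=20200 flags=0x0(none)' && return 1
    has_entitlement com.apple.security.cs.allow-jit "$sample_ent" || return 1
    has_entitlement com.apple.security.cs.disable-library-validation "$sample_ent" && return 1
    return 0
}

case "${1:-}" in
    check)    verify_bundle ;;
    notarize) verify_bundle && notarize_and_staple ;;
    *)        self_check && echo "self-check passed" ;;
esac
```

Run it with check after building to catch a missing flag before you spend a round trip on the notary service, and with notarize to do the upload, staple and final spctl assessment in one go; with no argument it only runs the parser self-check.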

You’re all set! If you have any feedback regarding this process, we’d love to hear from you. Email david.ortinau@microsoft.com or add a comment on GitHub.

6 comments


  • Tenney, Barrett

    does this apply to mobile apps? or just mac apps

    • Chris Hamons (Microsoft employee)

      This is macOS (desktop) only. iOS applications go through a full App Store Review instead.

  • Brian Boccia

    Is 5.10 still in preview? VSMac doesn’t show it as an available update on any channel.

  • damian mehers

    I’ve written a blog post that details in excruciating detail exactly what steps I needed to take to get my Mac app notarized, including some of the pitfalls I hit on the way: https://damian.fyi/2019/07/30/build-notarize-repeat/

  • damian mehers

    Building on this, I’ve written a blog post that details in excruciating detail exactly what steps I needed to take to get my Mac app notarized, including some of the pitfalls I hit on the way: https://damian.fyi/2019/07/30/build-notarize-repeat/

  • Rachel Kisler

    Hi David, is it possible to notarize a macOS app as part of the Azure DevOps release pipeline?
