Getting Ready for macOS’s Hardened Runtime and Notary
With macOS Mojave, Apple introduced support for Hardened Runtime and Notary service. These two services are designed to improve application security on macOS. Recently Apple has stated:
“Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. In a future version of macOS, notarization will be required by default for all software.”
Security on macOS
To understand this, let’s break down the different layers of requirements:
- Code Signing – On macOS GateKeeper requires application bundles to be cryptographically signed with a key from an Apple developer account.
- This has been a requirement since macOS Lion (10.7).
- Obtaining the correct keys and certificates can be difficult to get right the first time. So see the Xamarin.Mac signing documentation.
- Hardened Runtime – This is a second layer of security introduced in macOS Mojave (10.14). By code signing with an additional flag the Cocoa runtime will apply a number of restrictions upon the application running.
- For example, some restrictions include denying execution of self-modifying code or loading unsigned dynamic libraries.
- Each category of restriction can be opt’ed out via the use of special entitlements.
- Notary Service – This is a third layer of security also introduced in macOS Mojave (10.14). It is a code scanning service, which will scan your software for malicious content. To pass notary scanning, your application must have already opted into the hardened runtime.
How to Get Started
To get started preparing your application for these new requirements, here are some steps to take:
- Open your application and confirm that code-signing with an entitlement file is enabled for Release builds. Make sure your application launches successfully. Follow the Xamarin.Mac signing documentation if you run into any trouble.
- Download and install Xamarin.Mac 5.10 (d16-1) here.
Configure Your Entitlements
Until we implement IDE support for the new options, two manual steps are needed:
- Open your Xamarin.Mac application .csproj in a text editor and add <UseHardenedRuntime>true</UseHardenedRuntime> to the Release section
- Open your entitlements.plist file in a text editor and addXHTML12<key>com.apple.security.cs.allow-jit</key><true/>
Launch your application and test it out. If it crashes you may need additional entitlements from Apple.
Notarize Your App
To notarize you need to follow two steps: