{"id":43914,"date":"2019-04-15T09:11:14","date_gmt":"2019-04-15T16:11:14","guid":{"rendered":"http:\/\/devblogs.microsoft.com\/xamarin\/?p=43914"},"modified":"2019-08-30T08:32:35","modified_gmt":"2019-08-30T15:32:35","slug":"macos-hardened-runtime-notary","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/xamarin\/macos-hardened-runtime-notary\/","title":{"rendered":"Getting Ready for macOS\u2019s Hardened Runtime and Notary"},"content":{"rendered":"<p>With macOS Mojave, Apple introduced support for Hardened Runtime and Notary service. These two services are designed to improve application security on macOS. Recently <a href=\"https:\/\/developer.apple.com\/documentation\/security\/notarizing_your_app_before_distribution?language=objc\">Apple has stated<\/a>:<\/p>\n<blockquote><p>&#8220;Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. In a future version of macOS, notarization will be required by default for all software.&#8221;<\/p><\/blockquote>\n<h2>Security on macOS<\/h2>\n<p>To understand this, let\u2019s break down the different layers of requirements:<\/p>\n<ul>\n<li>Code Signing &#8211; On macOS <a href=\"https:\/\/developer.apple.com\/developer-id\/\">GateKeeper<\/a> requires application bundles to be cryptographically signed with a key from an Apple developer account.\n<ul>\n<li>This has been a requirement since macOS Lion (10.7).<\/li>\n<li>Obtaining the correct keys and certificates can be difficult to get right the first time. 
See the <a href=\"https:\/\/docs.microsoft.com\/en-us\/xamarin\/mac\/deploy-test\/publishing-to-the-app-store\/signing\">Xamarin.Mac signing documentation<\/a>.<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/developer.apple.com\/documentation\/security\/hardened_runtime_entitlements?language=objc\">Hardened Runtime<\/a> &#8211; This is a second layer of security introduced in macOS Mojave (10.14). By code signing with an additional flag, the Cocoa runtime applies a number of restrictions to the application while it runs.\n<ul>\n<li>For example, the restrictions include denying execution of self-modifying code and loading of unsigned dynamic libraries.<\/li>\n<li>Each category of restriction can be opted out of via a specific entitlement.<\/li>\n<\/ul>\n<\/li>\n<li><a href=\"https:\/\/developer.apple.com\/documentation\/security\/notarizing_your_app_before_distribution?language=objc\">Notary Service<\/a> &#8211; This is a third layer of security, also introduced in macOS Mojave (10.14). It is a code scanning service that scans your software for malicious content. To pass notary scanning, your application must have already opted into the hardened runtime.<\/li>\n<\/ul>\n<h3>How to Get Started<\/h3>\n<p>To get started preparing your application for these new requirements, here are some steps to take:<\/p>\n<ul>\n<li>Open your application and confirm that code signing with an entitlements file is enabled for Release builds. Make sure your application launches successfully. 
Follow the <a href=\"https:\/\/docs.microsoft.com\/en-us\/xamarin\/mac\/deploy-test\/publishing-to-the-app-store\/signing\">Xamarin.Mac signing documentation<\/a> if you run into any trouble.<\/li>\n<li>Download and install <a href=\"https:\/\/dl.xamarin.com\/uploads\/ukw5a1stfj5\/xamarin.mac-5.10.0.148.pkg\" target=\"_blank\" rel=\"noopener noreferrer\">Xamarin.Mac 5.10 (d16-1) here<\/a>.<\/li>\n<\/ul>\n<h3>Configure Your Entitlements<\/h3>\n<p>Until we implement IDE support for the new options, two manual steps are needed:<\/p>\n<ol>\n<li>Open your Xamarin.Mac application .csproj in a text editor and add <span class=\"lang:default decode:true crayon-inline\">&lt;UseHardenedRuntime&gt;true&lt;\/UseHardenedRuntime&gt;<\/span>\u00a0to the Release section.<\/li>\n<li>Open your entitlements.plist file in a text editor and add the following (the Mono runtime JIT-compiles code at run time, which the hardened runtime blocks unless this entitlement is present):\n<pre class=\"lang:xhtml decode:true\">&lt;key&gt;com.apple.security.cs.allow-jit&lt;\/key&gt;\r\n&lt;true\/&gt;<\/pre>\n<\/li>\n<\/ol>\n<p>Launch your application and test it out. If it crashes, you may need <a href=\"https:\/\/developer.apple.com\/documentation\/security\/hardened_runtime_entitlements?language=objc\">additional entitlements<\/a> from Apple.<\/p>\n<h3>Notarize Your App<\/h3>\n<p>To notarize, follow two steps:<\/p>\n<ol>\n<li><a href=\"https:\/\/developer.apple.com\/documentation\/security\/notarizing_your_app_before_distribution\/customizing_the_notarization_workflow?language=objc#3087734\">Upload your build to the notary service<\/a><\/li>\n<li><a href=\"https:\/\/developer.apple.com\/documentation\/security\/notarizing_your_app_before_distribution\/customizing_the_notarization_workflow?language=objc#3087720\">Staple the ticket to your application<\/a><\/li>\n<\/ol>\n<p>You&#8217;re all set! If you have any feedback regarding this process, we&#8217;d love to hear from you. 
Email <a href=\"mailto:david.ortinau@microsoft.com\">david.ortinau@microsoft.com<\/a> or\u00a0<a href=\"https:\/\/github.com\/xamarin\/xamarin-macios\/issues\/5896\">add a comment on GitHub<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>With macOS Mojave, Apple introduced support for Hardened Runtime and Notary service. These two services are designed to improve application security on macOS. Recently Apple has stated:<\/p>\n<p>\u201cBeginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. In a future version of macOS, notarization will be required by default for all software.\u201d<\/p>\n","protected":false},"author":553,"featured_media":39167,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2,362,291],"tags":[3616],"class_list":["post-43914","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-developers","category-macos","category-xamarin-platform","tag-macos"],"acf":[],"blog_post_summary":"<p>With macOS Mojave, Apple introduced support for Hardened Runtime and Notary service. These two services are designed to improve application security on macOS. Recently Apple has stated:<\/p>\n<p>\u201cBeginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. 
In a future version of macOS, notarization will be required by default for all software.\u201d<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/xamarin\/wp-json\/wp\/v2\/posts\/43914","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/xamarin\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/xamarin\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/xamarin\/wp-json\/wp\/v2\/users\/553"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/xamarin\/wp-json\/wp\/v2\/comments?post=43914"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/xamarin\/wp-json\/wp\/v2\/posts\/43914\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/xamarin\/wp-json\/wp\/v2\/media\/39167"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/xamarin\/wp-json\/wp\/v2\/media?parent=43914"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/xamarin\/wp-json\/wp\/v2\/categories?post=43914"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/xamarin\/wp-json\/wp\/v2\/tags?post=43914"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}