TheInfiniteKind / appbundler


Build with "hardened runtime" #39

Closed sreilly closed 5 years ago

sreilly commented 5 years ago

Original report by me.


I am trying to get my application notarized. To get it notarized, I have to codesign the application with '--options=runtime'. Apple has instructions to enable hardened runtime in Xcode: https://help.apple.com/xcode/mac/current/#/devf87a2ac8f But how do you build your app with 'hardened runtime' enabled with appbundler?

I can get my app to pass notarization by signing it with 'options=runtime', but I get the following error when trying to launch it from the command line.

```text
2019-02-20 15:48:16.469 JavaAppLauncher[90049:21006788] int launch(char *, int, char **) Launchpath: /Users/taozhou/svn/myproject/client/build/distributions/test.app/Contents/PlugIns/jdk-11+28-jre/Contents/Home/lib/jli/libjli.dylib
2019-02-20 15:48:16.488 JavaAppLauncher[90049:21006799] int launch(char *, int, char **) Launchpath: /Users/taozhou/svn/myproject/client/build/distributions/test.app/Contents/PlugIns/jdk-11+28-jre/Contents/Home/lib/jli/libjli.dylib
Error occurred during initialization of VM
Could not reserve enough space in CodeHeap 'non-nmethods' (2496K)
```

sreilly commented 5 years ago

I've not yet tried to get my app notarised, but have learned a couple of lessons with codesigning for the mac app store that might apply. First, I'd recommend that the JDK folder under the PlugIns folder have a '.' in it. There was, and possibly still is, something about codesigning that fails when the subfolder doesn't have an extension, so I named it "vm.jdk" in mine and was able to proceed.

One other issue was that the codesigning, or maybe the verification of it when running, didn't like symlinks. For example, I had to remove the Contents/MacOS/libjli.dylib symlink in order to get the app bundle working with codesigning.

I'd be curious to know if either of those help, as I'll have to do notarisation soon too. Thanks!

sreilly commented 5 years ago

@sreilly I have already fixed all the signing issues and I can get my application to pass the notarization. The problem is that in order to pass the notarization you have to sign the app with 'options=runtime'; but the application cannot be run if signed with '--options=runtime'.

sreilly commented 5 years ago

Here's a similar issue: http://www.literatureandlatte.com/forum/viewtopic.php?p=277383&sid=d24f7fc3af77f4a2ad49d8fd00ab0b62 According to this thread, it could be some problem with Apple.

I am building my app on Mojave 10.14.2. It passes notarization without any problem, but it cannot run on Mojave. However, if I copy the notarized app to another Mac that runs El Capitan, the application runs without problems.

sreilly commented 5 years ago

I've finally fixed the problem. I added the following entitlements and signed it with --entitlements.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
</dict>
</plist>
```
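The entitlements file above makes the launcher work, but each key in it is a documented exception that switches off part of what the hardened runtime enforces, so a practitioner signing a Java bundle wants to see which exceptions are being granted and to keep the set as small as the JVM actually needs. The script below is an added example, not code from appbundler or from the reporter: it parses an entitlements plist with the standard-library `plistlib`, reports every hardened-runtime exception it grants, generates a plist for a chosen key set, and builds the `codesign` / `spctl` command lines (real flags) used to sign with `--options runtime --entitlements` and to verify the result. The embedded plist is the one from the comment above; the `STARTING_SET` (allow-jit plus allow-unsigned-executable-memory) is an assumption to iterate from, not something the thread establishes, and `sign_and_verify` only runs the tools when `codesign` is on PATH, so the audit part runs on any platform.

```python
"""Audit hardened-runtime entitlements and build codesign/verify commands.

Added example for this thread; not part of appbundler.
"""
import plistlib
import shutil
import subprocess
import sys
import tempfile

# Apple-documented runtime exceptions. Each one widens the attack surface
# that "--options runtime" is meant to close.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit":
        "permits MAP_JIT executable memory (narrowest option for a JIT)",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "permits any writable+executable mapping, broader than allow-jit",
    "com.apple.security.cs.disable-executable-page-protection":
        "disables code-signing enforcement on executable pages entirely",
    "com.apple.security.cs.disable-library-validation":
        "allows loading dylibs not signed by Apple or by your own Team ID",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* variables, so a local user can inject libraries",
}

# Assumption: try this set first and add the others only if launch fails.
STARTING_SET = [
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
]

# Constructed sample: the entitlements file posted in the thread.
THREAD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key><true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
</dict>
</plist>
"""


def audit_entitlements(plist_bytes):
    """Return [(key, note)] for every hardened-runtime exception set to true."""
    entitlements = plistlib.loads(plist_bytes)
    return [(key, RUNTIME_EXCEPTIONS[key])
            for key, value in entitlements.items()
            if key in RUNTIME_EXCEPTIONS and value is True]


def build_entitlements(keys):
    """Serialise the chosen exception keys as an XML entitlements plist."""
    return plistlib.dumps({key: True for key in keys}, fmt=plistlib.FMT_XML)


def codesign_argv(app_path, identity, entitlements_path):
    """codesign invocation that enables the hardened runtime and applies
    the entitlements; --timestamp is required for notarization."""
    return ["codesign", "--force", "--timestamp", "--options", "runtime",
            "--entitlements", entitlements_path, "--sign", identity, app_path]


def verify_argv(app_path):
    """Commands that check the signature, print the embedded entitlements
    and run the Gatekeeper assessment the notarization ticket is judged by."""
    return [
        ["codesign", "--verify", "--deep", "--strict", "--verbose=2", app_path],
        ["codesign", "-d", "--entitlements", ":-", app_path],
        ["spctl", "--assess", "--type", "execute", "--verbose", app_path],
    ]


def sign_and_verify(app_path, identity, keys):
    """Sign with the given exception keys, then verify. Returns None when
    codesign is unavailable (non-macOS), True when signing succeeded."""
    if shutil.which("codesign") is None:
        return None
    with tempfile.NamedTemporaryFile(suffix=".plist", delete=False) as fh:
        fh.write(build_entitlements(keys))
        ent_path = fh.name
    subprocess.run(codesign_argv(app_path, identity, ent_path), check=True)
    for argv in verify_argv(app_path):
        subprocess.run(argv, check=False)
    return True


if __name__ == "__main__":
    for key, note in audit_entitlements(THREAD_PLIST):
        print(f"{key}: {note}")
    if len(sys.argv) == 3:  # usage: script.py Some.app "Developer ID Application: ..."
        print(sign_and_verify(sys.argv[1], sys.argv[2], STARTING_SET))
```

Run it without arguments to list which exceptions the thread's plist grants; on a Mac, pass the bundle path and a Developer ID identity to sign with the starting set, then add one key at a time until `JavaAppLauncher` starts. Sign the nested JRE's dylibs and executables before the outer bundle so that `--strict` verification and library validation agree on one Team ID.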