App Notarization: Enable Hardened Runtime in Helper
Closed this issue · 2 comments
While the LaunchAtLoginHelper target's ENABLE_HARDENED_RUNTIME is set to "Yes", Xcode rejects my app's binary for upload:
"LaunchAtLoginHelper.app" must be rebuilt with support for the Hardened Runtime. Enable the Hardened Runtime capability in the project editor, then test your app, rebuild your archive, and upload again.
The folks at Sparkle suffered from a similar problem: sparkle-project/Sparkle#1266
Code-signing after embedding the framework did the trick for them: sparkle-project/Sparkle#1266 (comment)
The difference from this framework here is that they did sign both the app and the framework. But neither worked for me with regard to LaunchAtLogin.
From what I gather, the current settings or the addition of an additional codesign call to the framework should do the trick, but no such luck.
Signing framework and app again
For reference, I modified the script to
- reuse the path to LaunchAtLogin.framework and sign the framework at the end
- add the --deep option to the helper signing steps
#!/bin/bash
# Copy the helper app bundle out of the framework into the host app's
# Contents/Library/LoginItems and re-sign it with the hardened runtime enabled.
framework_path="$BUILT_PRODUCTS_DIR/$FRAMEWORKS_FOLDER_PATH/LaunchAtLogin.framework"
origin_helper_path="$framework_path/Resources/LaunchAtLoginHelper.app"
helper_dir="$BUILT_PRODUCTS_DIR/$CONTENTS_FOLDER_PATH/Library/LoginItems"
helper_path="$helper_dir/LaunchAtLoginHelper.app"

rm -rf "$helper_path"
mkdir -p "$helper_dir"
cp -rf "$origin_helper_path" "$helper_dir/"

# Derive the helper's bundle identifier from the host app's. Editing Info.plist
# invalidates the helper's existing code signature, which is why it is re-signed below.
defaults write "$helper_path/Contents/Info" CFBundleIdentifier -string "$PRODUCT_BUNDLE_IDENTIFIER-LaunchAtLoginHelper"

# Re-sign the helper. "-o runtime" enables the hardened runtime (required for
# notarization); "--deep" also re-signs any code nested inside the helper bundle.
if [[ -z ${CODE_SIGN_ENTITLEMENTS} ]]; then
  codesign --verbose --force -o runtime --deep --sign="$EXPANDED_CODE_SIGN_IDENTITY_NAME" "$helper_path"
else
  codesign --verbose --force --entitlements="$CODE_SIGN_ENTITLEMENTS" -o runtime --deep --sign="$EXPANDED_CODE_SIGN_IDENTITY_NAME" "$helper_path"
fi

# In Release builds, strip the original helper and this script from the framework.
if [[ $CONFIGURATION == "Release" ]]; then
  rm -rf "$origin_helper_path"
  rm "$(dirname "$origin_helper_path")/copy-helper.sh"
fi

# The framework's resource seal no longer matches after its Resources directory
# changed, so sign the framework's current version again, also with the hardened runtime.
codesign --verbose --force -o runtime --sign "$EXPANDED_CODE_SIGN_IDENTITY_NAME" "$framework_path/Versions/A"
The error went away after upgrading my dev system to Mojave.
It reappeared recently and I was able to get past the problem by ditching Carthage and using the CocoaPods version instead (maybe it's Carthage's build commands, I don't know).
I also had to add a separate signing step afterwards, though, as a quick-fix for the signing issues after copying the helper app bundle using the script.
#!/bin/bash
# Re-sign the helper app bundle after it has been copied into the host app,
# so that it carries the hardened runtime flag the notarization service checks.
LOCATION="$BUILT_PRODUCTS_DIR/$CONTENTS_FOLDER_PATH/Library/LoginItems/LaunchAtLoginHelper.app"
# By default, use the configured code signing identity for the project/target
IDENTITY="${CODE_SIGN_IDENTITY}"
if [ -z "$IDENTITY" ]
then
  # If a code signing identity is not specified, use ad hoc signing
  # (an ad hoc signature is fine for local builds but is not accepted for notarization)
  IDENTITY="-"
fi
echo "Hardening Launch At Login Helper with developer identity \"$IDENTITY\"..."
codesign --verbose --force --deep -o runtime --sign "$IDENTITY" "$LOCATION"
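Whichever of the two scripts above you use, the thing to verify before uploading is that every code object the notarization service looks at (the host app, the helper copied into Contents/Library/LoginItems, and the embedded framework) actually carries the hardened runtime flag, and that the nested seals still verify after the copy. The check below is an added example, not code from this issue or from the LaunchAtLogin project. It assumes the bundle layout used by the scripts above (Contents/Library/LoginItems/*.app and Contents/Frameworks/*.framework/Versions/A); adjust the globs if your bundle differs. It parses the CodeDirectory line that codesign --display prints, so the flag classification can be exercised on captured output even without a bundle at hand.

```shell
#!/bin/bash
# Added check (not part of the issue or of LaunchAtLogin): confirm that the host app,
# the helper in Contents/Library/LoginItems and the embedded framework all carry the
# hardened-runtime flag and that the nested code signatures verify, before uploading.
#
# codesign --display --verbose=2 prints (to stderr) a line such as
#   CodeDirectory v=20500 size=... flags=0x10000(runtime) hashes=...
# or flags=0x12000(library-validation,runtime); ad hoc signing shows e.g. flags=0x2(adhoc),
# and an unsigned object yields "code object is not signed at all".

# Return 0 when the codesign display output passed as $1 lists "runtime" among the flags.
has_runtime_flag() {
  printf '%s\n' "$1" |
    grep -Eq 'CodeDirectory .*flags=0x[0-9a-fA-F]+\(([a-z-]+,)*runtime(,[a-z-]+)*\)'
}

# Return 0 when the output passed as $1 shows an ad hoc signature ("adhoc" among the flags).
is_adhoc() {
  printf '%s\n' "$1" |
    grep -Eq 'CodeDirectory .*flags=0x[0-9a-fA-F]+\(([a-z-]+,)*adhoc(,[a-z-]+)*\)'
}

# Classify one codesign display output. Only "runtime" is acceptable for notarization:
# ad hoc signatures are rejected even when the runtime flag is set.
classify_signature() {
  if printf '%s\n' "$1" | grep -q 'code object is not signed'; then
    echo "unsigned"
  elif is_adhoc "$1"; then
    echo "adhoc"
  elif has_runtime_flag "$1"; then
    echo "runtime"
  else
    echo "no-runtime"
  fi
}

# Inspect one code object on disk; print its verdict and fail unless it is "runtime".
check_object() {
  local path="$1" out verdict
  out="$(codesign --display --verbose=2 "$path" 2>&1)" || true
  verdict="$(classify_signature "$out")"
  echo "$verdict: $path"
  [ "$verdict" = "runtime" ]
}

# Walk the objects of interest: host app, login-item helpers, embedded frameworks.
# Assumed layout: the one produced by the copy-helper scripts in this issue.
check_app() {
  local app="$1" rc=0 helper fw
  check_object "$app" || rc=1
  for helper in "$app"/Contents/Library/LoginItems/*.app; do
    [ -d "$helper" ] && { check_object "$helper" || rc=1; }
  done
  for fw in "$app"/Contents/Frameworks/*.framework; do
    [ -d "$fw" ] && { check_object "$fw/Versions/A" || rc=1; }
  done
  # Deep, strict verification catches resource seals broken by editing Info.plist
  # or copying bundles after signing; run it before every upload.
  codesign --verify --deep --strict --verbose=2 "$app" || rc=1
  return $rc
}

# Usage: ./check-hardened.sh /path/to/MyApp.app
if [ $# -eq 1 ]; then
  check_app "$1"
fi
```

A helper that reports "no-runtime" after the copy step is exactly the case the Xcode upload error describes: the bundle was copied from the framework, where it was signed without the runtime option, and was not re-signed afterwards. A "unsigned" framework slice points at the seal being broken by the copy script, which the extra codesign call on Versions/A in the first script repairs.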