Enable hardened runtime for macOS

[bradleySuira]

• Version: ^20.28.4

• Target: macOs

With the recent release of macOS Mojave, Apple give us the option to upload a macOS app to be notarized to distribute outside the AppStore to don't have any problem with Gatekeeper. I tried to figure out how to enable the hardened runtime for an Electron app but without success, the first option that I think, was entitlements but isn't, so have the option to enable hardened runtime will be a great feature for macOs distribution outside the AppStore.

I'm a web/mobile developer and don't have all the knowledge how is builded electron and if it's possible enable this feature, to I want to be humble and if this options is impossible to implement or crazy, my apologize in advance.

Refs:

• Distribute outside the Mac App Store (macOS)
• Upload a macOS app to be notarized

Solution we'd like
If it's possible, have an option in the build configuration to enable the hardened runtime for mac os applications.

Alternatives considered
Not any at this time, but if we can have something similar to react-native, nativescript or cordova, where we have the option to access the native projects and tweak if its necessary will be great

Additional context
The hardened runtime only can be enabled with xcode, because is a flag in the project.pbxproj file and is only available trough native apps with xcode, so the xcodebuild tool when create the archive and sign the app, enable this flag. I don’t now how exactly electron works but I think that have like a template with a compiled app and the electron-builder for example, only replace and bundle the content inside.

Enable hardened runtime (macOS)

---

[dariocravero]

I got a dmg generated with electron-builder to work by signing the package with --options runtime!

You can try it by changing electron-osx-sign somewhere here add a line like:

args.push('--options', 'runtime')

I spotted that after searching for the error the notarization service was giving me The executable was not signed with the CS_RUNTIME option. and finding this Cyberduck ticket and their fix.

Then to sign the app, run:

xcrun altool --notarize-app -f yourapp.dmg --primary-bundle-id appId -u [email protected] -p yourpassword

Take appId from what you defined in the build section of your package.json.

When it's done uploading it will output a UUID, run this command to check when it's done notarizing (it will also send you an email):

xcrun altool --notarization-info UUID -u [email protected] -p yourpassword

If it succeeded, you can then staple the package with:

xcrun stapler staple yourapp.dmg

The issue now is that the app crashes when signed like that. Here's the dump in case someone finds it handy.

I wonder if it works for anyone else? Will try on a dummy app when I get a chance.

[bimusiek]

Same issue for our app.
Dump here

Looks like initialisation of JS env is crashing

[bradleySuira]

Thanks @dariocravero, awesome, I will try your suggestions, for now is not a priority for our app to be notarized but still necessary for the future, when I have results, I will share here in case that it helps to others.

Regards!

[rajivshah3]

It looks like Hardened Runtime is now supported (electron/osx-sign#176). I haven't tried it in our app yet, but from looking at dotnet/macios#4288 I think the com.apple.security.cs.allow-jit entitlement needs to be added in order for the JavaScript to work. If I can get our app to work I'll make a PR to electron-osx-sign and add support for the hardenedRuntime option in electron-builder

[noahott]

I'm having a problem with my app where when hardenedRuntime is enabled, the app will crash immediately upon launch without any visible error messages. If I launch from the command line I see this:

#
# Fatal error in , line 0
# Check failed: SetPermissions(area_start, area_size, PageAllocator::kReadWriteExecute).
#
#
#
#FailureMessage Object: 0x7ffee7d1f740Illegal instruction: 4

[bobby-stripe]

@noahott it looks like it failed to change the permissions on a section of memory to RWX (read/write/execute) -- as @rajivshah3 suggests you need to enable the "allow-jit" entitlement.

[gniezen]

Not sure how helpful it is, but there is an electron-notarize module in electron-userland. It would be great if electron-builder can automatically notarize macOS apps during packaging!

[gcadmes]

@rajivshah3, regarding your last comment on December 1st 2018, have you added hardenedRuntime support to electron-builder? The documentation for electron-osx-sign has a "TODO" statement for electron-builder support.
Please let me know. thx

[chawei]

just realize this has been implemented in v20.41.0. thanks @loremattei!
7d5f952

[develar]

https://kilianvalkhof.com/2019/electron/notarizing-your-electron-application/

21.0.10 (not yet released):

• set hardenedRuntime to true by default
• set gatekeeperAssess by default to false

I am fighting with Apple support to restore my account (bloody useless security questions), but I hope next week will be first-class support for notarization.

[noahott]

@noahott it looks like it failed to change the permissions on a section of memory to RWX (read/write/execute) -- as @rajivshah3 suggests you need to enable the "allow-jit" entitlement.

I've added the allow-jit entitlement, along with a few others and am still getting the same error on launch.

com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.disable-library-validation
com.apple.security.cs.disable-executable-page-protection

Anything else you can think to try for this?

[idoodler]

@noahott Hi I am experiencing the same issue but with the mas-dev target. I discovered that the entitlements are returned as a binary plist, not as a plist.

The entitlements can be viewed with the following command: codesign -d --entitlements :- /Path/to/my.app

May this be an issue. I suspect Electron expects a plist instead of a bplist when setting the permissions.

Apple rejected our App because of a crash and I think its because of this issue. I just discovered the mas-dev target while debugging this issue.

Again, here ist he log I get:

#
# Fatal error in , line 0
# Check failed: SetPermissions(area_start, area_size, PageAllocator::kReadWriteExecute).
#
#
#
#FailureMessage Object: 0x7ffee4cfc5d0Illegal instruction: 4

There is no issue with the dmg version of the app, it is successfully notarized and signed. The mastarget isn't notarized, as it is not required. I just tried to also notarize the mas target, but still no success.

Any input on this issue.

[idoodler]

@noahott I just checked the "Console" Application (The one used for viewing log).

I discovered the following log entry (after filtering for the Application name):
failed to parse entitlements for MyApp[74469]: OSUnserializeXML: syntax error near line 1

Do you get the same log message?

[noahott]

@idoodler I'm not finding any console log messages with "OSUnserializeXML"

[noahott]

I added "entitlementsInherit": "entitlements.darwin.plist" and i no longer get the SetPermissions error, but my app still crashes with a different error now

cwd = process.cwd(); ^ Error: ENOENT: no such file or directory, uv_cwd

[idoodler]

@noahott thx for your reply. I already have set the property entitlementsInherit. The app in question is already deployed in the AppStore, but I am unable to push an update because of this odd behaviour. I opened an TSI at Apple. I think it‘s a Problem with the codesign tool from Apple.

[idoodler]

Just a follow up on my 'bplist' issue.

We abandoned the macOS application for quite some time, after an platform upgrade session (node.js, electron and its dependencies) everything semes to work again. So no 'bplist', but a proper 'plist'.