Notarization failing even though hardened runtime enabled

g-mon · January 14, 2020, 9:18pm

{
  "logFormatVersion": 1,
  "jobId": "c7f0230e-a710-4f4e-a747-6d124a3382e5",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "Demo.zip",
  "uploadDate": "2020-01-14T21:12:23Z",
  "sha256": "e39a08f2643058cbefeed03d7b85d871ea5665d0f1eb62e1ff0e1ba61e8c50d9",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "Demo.zip/Demo.app/Contents/MacOS/Demo",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}

I have hardened runtime enabled in ProJucer, but I still get the following error from Apple. Any ideas why?

railjonrogut · January 14, 2020, 9:31pm

Which version of Xcode are you using?

Rail

g-mon · January 14, 2020, 10:28pm

Xcode 11.3.1

g-mon · January 14, 2020, 10:43pm

Figured it out. It’s not enough to just enable hardened runtime in ProJucer since I sign afterwards. I need to add --option=runtime to my sign step.

My sign step is now codesign --force -s "$DEV_APP_ID" -v "Demo.app" --deep --strict --options=runtime and it works.

RustyPine · February 11, 2020, 4:28pm

Many thanks Mon! Saved me some wasted time. Also it’s prob a good idea to add in the --timestamp flag as well.

asimilon · February 11, 2020, 6:50pm

Yeah, it can’t hurt, the docs say that without that argument it will default to whatever the system has been set to (which is by default to use the timestamp server afaict), but being explicit is probably a good idea since notarisation will fail if the timestamp server isn’t used.

Site navigation

Notarization failing even though hardened runtime enabled

Further Information