Notarization failing even though hardened runtime enabled

{
  "logFormatVersion": 1,
  "jobId": "c7f0230e-a710-4f4e-a747-6d124a3382e5",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "Demo.zip",
  "uploadDate": "2020-01-14T21:12:23Z",
  "sha256": "e39a08f2643058cbefeed03d7b85d871ea5665d0f1eb62e1ff0e1ba61e8c50d9",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "Demo.zip/Demo.app/Contents/MacOS/Demo",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}

I have hardened runtime enabled in Projucer, but I still get the following error from Apple. Any ideas why?

Which version of Xcode are you using?

Rail

Xcode 11.3.1

Figured it out. It’s not enough to just enable hardened runtime in Projucer since I sign afterwards. I need to add --option=runtime to my sign step.

My sign step is now codesign --force -s "$DEV_APP_ID" -v "Demo.app" --deep --strict --options=runtime and it works.

8 Likes

Many thanks Mon! Saved me some wasted time. Also it’s prob a good idea to add in the --timestamp flag as well.

Yeah, it can’t hurt, the docs say that without that argument it will default to whatever the system has been set to (which is by default to use the timestamp server afaict), but being explicit is probably a good idea since notarisation will fail if the timestamp server isn’t used.

1 Like
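A check to run between the sign step and the notarization upload, added here as an example and not code from any poster in this thread: it reads the output of `codesign -d --verbose=2` and reports a missing hardened runtime flag or a missing secure timestamp. The function names and both sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: check a signature for the two things this thread says
# notarization needs: the hardened runtime flag and a secure timestamp.

# Constructed sample of `codesign -d --verbose=2` output for a bundle signed
# with --options=runtime and --timestamp.
SAMPLE_SIGNED_OK='Executable=/tmp/Demo.app/Contents/MacOS/Demo
Identifier=com.example.Demo
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Timestamp=14 Jan 2020 at 21:10:00'

# Constructed sample for the same bundle signed without either option.
SAMPLE_NO_RUNTIME='Executable=/tmp/Demo.app/Contents/MacOS/Demo
Identifier=com.example.Demo
CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Signed Time=14 Jan 2020 at 21:05:00'

# Reads codesign display output on stdin, prints one line per problem and
# returns non-zero if any problem was found. (Hypothetical helper name.)
check_signature_info() {
    _info=$(cat)
    _problems=0
    # Hardened runtime appears as "runtime" inside the CodeDirectory flags.
    if ! printf '%s\n' "$_info" |
        grep -Eq '^CodeDirectory .*flags=0x[0-9a-fA-F]+\([^)]*runtime[^)]*\)'; then
        echo "hardened runtime flag missing: sign with --options=runtime"
        _problems=$((_problems + 1))
    fi
    # A secure timestamp is shown as "Timestamp="; without one codesign
    # shows the local "Signed Time=" instead.
    if ! printf '%s\n' "$_info" | grep -q '^Timestamp='; then
        echo "no secure timestamp: sign with --timestamp"
        _problems=$((_problems + 1))
    fi
    [ "$_problems" -eq 0 ]
}

# On macOS: check a real bundle. codesign writes this output to stderr.
check_bundle() {
    codesign -d --verbose=2 "$1" 2>&1 | check_signature_info
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_SIGNED_OK" | check_signature_info && echo "first sample: ok"
printf '%s\n' "$SAMPLE_NO_RUNTIME" | check_signature_info || echo "second sample: rejected"
```

On a Mac, `check_bundle Demo.app` after the sign step reports the same class of problem locally before the archive is uploaded.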