Notarization failing even though hardened runtime enabled

{
  "logFormatVersion": 1,
  "jobId": "c7f0230e-a710-4f4e-a747-6d124a3382e5",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "Demo.zip",
  "uploadDate": "2020-01-14T21:12:23Z",
  "sha256": "e39a08f2643058cbefeed03d7b85d871ea5665d0f1eb62e1ff0e1ba61e8c50d9",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "Demo.zip/Demo.app/Contents/MacOS/Demo",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}

I have hardened runtime enabled in ProJucer, but I still get the following error from Apple. Any ideas why?

Which version of Xcode are you using?

Rail

Xcode 11.3.1

Figured it out. It’s not enough to just enable hardened runtime in ProJucer since I sign afterwards. I need to add --options=runtime to my sign step.

My sign step is now codesign --force -s "$DEV_APP_ID" -v "Demo.app" --deep --strict --options=runtime and it works.

8 Likes

Many thanks Mon! Saved me some wasted time. Also it’s prob a good idea to add in the --timestamp flag as well.

Yeah, it can’t hurt, the docs say that without that argument it will default to whatever the system has been set to (which is by default to use the timestamp server afaict), but being explicit is probably a good idea since notarisation will fail if the timestamp server isn’t used.

1 Like
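A pre-flight check for the two signature properties discussed above (hardened runtime flag and secure timestamp), added here as an example and not taken from any poster or from JUCE. It parses the text printed by codesign -d --verbose=4; the sample outputs, bundle identifier and paths in it are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Usage after the final signing step: sh preflight.sh Demo.app
# Inspects `codesign -d --verbose=4` output before the archive is uploaded.

# Constructed sample: signed with --options=runtime --timestamp.
GOOD='Executable=/tmp/Demo.app/Contents/MacOS/Demo
Identifier=com.example.Demo
CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=24+5 location=embedded
Timestamp=Jan 14, 2020 at 9:12:23 PM'

# Constructed sample: re-signed without either flag.
BAD='Executable=/tmp/Demo.app/Contents/MacOS/Demo
Identifier=com.example.Demo
CodeDirectory v=20200 size=1024 flags=0x0(none) hashes=24+5 location=embedded
Signed Time=Jan 14, 2020 at 9:12:23 PM'

# True if the CodeDirectory flags word has the hardened runtime bit (0x10000).
has_hardened_runtime() {
    flags=$(printf '%s\n' "$1" |
        sed -n 's/^CodeDirectory .*flags=\(0x[0-9a-fA-F]*\)(.*/\1/p' | head -n 1)
    [ -n "$flags" ] && [ $(( $flags & 0x10000 )) -ne 0 ]
}

# codesign prints "Timestamp=" for a timestamp-server signature and
# "Signed Time=" when only the local clock was recorded.
has_secure_timestamp() {
    printf '%s\n' "$1" | grep -q '^Timestamp='
}

# Prints one line per problem; returns non-zero if anything is missing.
preflight() {
    rc=0
    has_hardened_runtime "$1" ||
        { echo "FAIL: hardened runtime flag missing (sign with --options=runtime)"; rc=1; }
    has_secure_timestamp "$1" ||
        { echo "FAIL: no secure timestamp (sign with --timestamp)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: runtime flag and secure timestamp present"
    return "$rc"
}

# codesign -d writes its report to stderr, hence 2>&1.
if [ $# -gt 0 ]; then
    preflight "$(codesign -d --verbose=4 "$1" 2>&1)"
fi
```

Run against a bundle, this reports on the bundle's main executable only; nested helpers or plugins need the same check on their own paths.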

Quick question… is there a way to add that --timestamp flag in the Projucer project settings? I see ‘Other Code Signing Flags’ in Xcode but not in Projucer (5.4.7. Not updated to JUCE 6 yet).

If you click on the Xcode Exporter Release or Debug settings you’ll see ‘Custom Xcode Flags’, add this to the panel:

OTHER_CODE_SIGN_FLAGS= --options=runtime --timestamp

(this is with Projucer 5.4.7)

Awesome - thanks… I always wondered how to do that.