Enable hardened runtime for macOS

  • Version: ^20.28.4
  • Target: macOS

With the recent release of macOS Mojave, Apple gives us the option to upload a macOS app to be notarized, so that it can be distributed outside the App Store without any problems with Gatekeeper. I tried to figure out how to enable the hardened runtime for an Electron app but without success. The first option I thought of was entitlements, but that isn’t it, so having the option to enable the hardened runtime would be a great feature for macOS distribution outside the App Store.

I’m a web/mobile developer and don’t have all the knowledge of how Electron is built or whether it’s possible to enable this feature, so I want to be humble: if this option is impossible to implement or crazy, my apologies in advance.

Refs:

Solution we’d like: If it’s possible, have an option in the build configuration to enable the hardened runtime for macOS applications.

Alternatives considered: None at this time, but it would be great if we could have something similar to react-native, nativescript or cordova, where we have the option to access the native projects and tweak them if necessary.

Additional context: The hardened runtime can only be enabled with Xcode, because it is a flag in the project.pbxproj file and is only available through native apps with Xcode, so the xcodebuild tool enables this flag when it creates the archive and signs the app. I don’t know exactly how Electron works, but I think it has something like a template with a compiled app, and electron-builder, for example, only replaces and bundles the content inside.


Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 17
  • Comments:17 (7 by maintainers)

Top GitHub Comments

6 reactions
dariocravero commented, Oct 20, 2018

I got a dmg generated with electron-builder to work by signing the package with --options runtime!

You can try it by changing electron-osx-sign: somewhere here, add a line like:

args.push('--options', 'runtime')

I spotted that after searching for the error the notarization service was giving me, “The executable was not signed with the CS_RUNTIME option.”, and finding this Cyberduck ticket and their fix.

Then to sign the app, run:

xcrun altool --notarize-app -f yourapp.dmg --primary-bundle-id appId -u your@user.com -p yourpassword

Take appId from what you defined in the build section of your package.json.

When it’s done uploading, it will output a UUID. Run this command to check when it’s done notarizing (it will also send you an email):

xcrun altool --notarization-info UUID -u your@user.com -p yourpassword

If it succeeded, you can then staple the package with:

xcrun stapler staple yourapp.dmg

The issue now is that the app crashes when signed like that. Here’s the dump in case someone finds it handy.

I wonder if it works for anyone else? Will try on a dummy app when I get a chance.

5 reactions
rajivshah3 commented, Dec 2, 2018

It looks like Hardened Runtime is now supported (https://github.com/electron-userland/electron-osx-sign/pull/176). I haven’t tried it in our app yet, but from looking at https://github.com/xamarin/xamarin-macios/issues/4288 I think the com.apple.security.cs.allow-jit entitlement needs to be added in order for the JavaScript to work. If I can get our app to work I’ll make a PR to electron-osx-sign and add support for the hardenedRuntime option in electron-builder
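
A pre-upload check for the two conditions raised in the comments above, as an added example that is not part of the original thread or of electron-osx-sign: it parses the text printed by codesign -dv --verbose=4 for the CS_RUNTIME flag (0x10000) named in the notarization error, and looks in an entitlements plist for the com.apple.security.cs.allow-jit key that the second comment suggests is needed. The function names and the sample inputs are constructed for illustration.

```javascript
// Bit set in the code-signature flags when an executable is signed with --options runtime.
const CS_RUNTIME = 0x10000;

// Parse the text printed by `codesign -dv --verbose=4 <path>` (written to stderr).
// Returns the numeric flags, their printed names, and whether CS_RUNTIME is set.
function parseCodesignFlags(output) {
  const m = /^CodeDirectory .*\bflags=0x([0-9a-fA-F]+)(?:\(([^)]*)\))?/m.exec(output);
  if (!m) return { found: false, flags: 0, names: [], hardenedRuntime: false };
  const flags = parseInt(m[1], 16);
  const names = m[2] ? m[2].split(',') : [];
  return { found: true, flags, names, hardenedRuntime: (flags & CS_RUNTIME) !== 0 };
}

// True only if the entitlements plist (XML text) has <key>key</key> followed by <true/>.
function entitlementEnabled(plistXml, key) {
  const escaped = key.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const re = new RegExp('<key>\\s*' + escaped + '\\s*</key>\\s*<(true|false)\\s*/>');
  const m = re.exec(plistXml);
  return m !== null && m[1] === 'true';
}

// Collect the problems that would be worth fixing before uploading for notarization.
function preflight(codesignOutput, entitlementsXml) {
  const problems = [];
  const sig = parseCodesignFlags(codesignOutput);
  if (!sig.found) {
    problems.push('no CodeDirectory line found in codesign output');
  } else if (!sig.hardenedRuntime) {
    problems.push('CS_RUNTIME flag not set: sign with --options runtime');
  }
  // Assumption taken from the comment above: JavaScript needs the allow-jit entitlement.
  if (!entitlementEnabled(entitlementsXml, 'com.apple.security.cs.allow-jit')) {
    problems.push('com.apple.security.cs.allow-jit is not enabled in the entitlements');
  }
  return problems;
}

// Constructed sample inputs (not captured from a real app).
const SAMPLE_HARDENED = [
  'Executable=/Applications/Example.app/Contents/MacOS/Example',
  'Identifier=com.example.app',
  'CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=24+5 location=embedded',
].join('\n');
const SAMPLE_NOT_HARDENED = SAMPLE_HARDENED.replace('0x10000(runtime)', '0x0(none)');
const SAMPLE_ENTITLEMENTS = '<plist version="1.0"><dict>\n' +
  '  <key>com.apple.security.cs.allow-jit</key>\n  <true/>\n</dict></plist>';

console.log(preflight(SAMPLE_NOT_HARDENED, SAMPLE_ENTITLEMENTS));
```

An empty array from preflight means both checks passed; each string in a non-empty result names one thing to fix before running the altool upload.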
