Summary of the new feature/enhancement

Starting on macOS Catalina, all native binaries (command-line and GUI application), as well as all .pkg installer files, must be both code-signed and notarized by Apple, or the system will refuse to run them. Notarizing the .pkg file is easy, since it is already being signed. Notarizing the pwsh command-line tool, as well as the PowerShell.app wrapper application, will be harder. Note that while notarization is optional on macOS Mojave, it is still supported on that version. We do not (and, IMHO, should not) wait for Catalina’s release to start work on this important change.

Proposed technical implementation details

We will need to do the following:

1. Code-sign the pwsh apphost binary with a Developer ID certificate. For notarization to succeed, we must also enable Hardened Runtime on that binary by passing the -o runtime flag to the signing tool. We must also use an entitlements file (the correct contents of which are attached at the end of this issue), or else Hardened Runtime will disallow the binary from jitting code or loading third-party dynamic libraries.
2. Code-sign all *.dylib files with the Developer ID certificate that is used to sign the apphost binary. No other special steps are required here.
3. Code-sign the *.app launcher with the same Developer ID certificate, and enable Hardened Runtime on it as well. While no entitlements are required for the launcher app, we must rewrite the launcher’s main executable (which is currently a shell script) in Objective-C, as the macOS code signing process does not support applications with shell scripts as main executables.
4. Notarize all dylibs, the apphost binary, and the launcher app before including them into the installer. You can use xcrun altool and xcrun stapler to do this.
5. Notarize the *.pkg installer once it has been signed.

Note that the code-signing process is completely independent of the .NET build process, and can easily be run on a .NET CLI-generated apphost binary, as long as the apphost binary in question has been stamped with the appropriate path before it is signed. (After signing, any changes to the binary will invalidate the signature and render the file un-runnable.)

Entitlements for pwsh tool

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
	<true/>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
</dict>
</plist>