Getting Ready for macOS’s Hardened Runtime and Notary

    With macOS Mojave (10.14), Apple introduced the Hardened Runtime and the Notary service, two mechanisms designed to improve application security on macOS. Apple has since stated:


    “Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. In a future version of macOS, notarization will be required by default for all software.”



    This post explains the new rules from the Xamarin point of view.

    Security on macOS


    • Code Signing – On macOS, Gatekeeper requires application bundles to be cryptographically signed with a Developer ID certificate issued through an Apple developer account.

      • Gatekeeper has enforced this since OS X Lion 10.7.5 and Mountain Lion (10.8).
      • Obtaining the correct keys and certificates can be difficult to get right the first time, so see the Xamarin.Mac signing documentation.
    • Hardened Runtime – This is a second layer of security introduced in macOS Mojave (10.14). By code signing with an additional option (codesign --options runtime), macOS applies a number of restrictions to the running process.

      • For example, the process may not create writable-and-executable memory (so no JIT or self-modifying code), may not load dynamic libraries that are unsigned or signed by a different team, and may not be attached to by a debugger.
      • Each category of restriction can be opted out of with a specific com.apple.security.cs.* entitlement, so an app asks for exactly the exceptions it needs and keeps the rest.
    • Notary Service – This is a third layer of security, also introduced in macOS Mojave (10.14). It is an automated scanning service: you upload a signed build, Apple scans it for malicious content and, if it passes, issues a ticket that Gatekeeper checks when the app is first launched. To be accepted, the build must already be signed with a Developer ID certificate and a secure timestamp and must have opted into the hardened runtime.

    How to Get Started


    To get started preparing your application for these new requirements, here are some steps to take:



    Configure Your Entitlements


    Until the IDE supports the new options directly, two manual steps are needed:



    1. Open your Xamarin.Mac application's .csproj in a text editor and add

      <UseHardenedRuntime>true</UseHardenedRuntime>

      to the Release PropertyGroup. This makes the build sign the bundle with codesign's --options runtime flag.
    2. Open your entitlements.plist in a text editor and add

      <key>com.apple.security.cs.allow-jit</key>
      <true/>

      Mono's runtime JIT-compiles your code into memory that is first writable and then executable, which the hardened runtime forbids unless this entitlement is present.

    Launch your application and test it out. If it crashes on launch or when a feature is first used, read the crash report: a hardened-runtime violation names the restriction that fired, and you may need a further entitlement from Apple's hardened runtime list (for example com.apple.security.cs.disable-library-validation if the app loads native libraries signed by another team). Add only the entitlements the crash actually calls for; each one removes a protection.


    Notarize Your App


    To notarize you need to follow two steps:

    1. Upload your build to the notary service. The bundle must be signed with a Developer ID certificate, a secure timestamp and the hardened runtime. Archive it (for example with ditto -c -k --keepParent), submit it with Xcode or xcrun altool --notarize-app, and wait for Apple's verdict. A rejected build comes back with a log that names the offending file or missing entitlement.
    2. Staple the ticket to your application with xcrun stapler staple, so Gatekeeper can verify it even when the user is offline. Confirm the result with spctl --assess --type execute before shipping.
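    The two steps above, together with the pre-flight checks implied by the Security on macOS section, as an added shell example (this is not code from the original post or from Xamarin). It assumes a Release build already signed with a Developer ID certificate, an App Store Connect app-specific password stored in the keychain under the arbitrary item name AC_PASSWORD, and an invocation of the form sh notarize.sh run MyApp.app you@example.com com.example.myapp; the sample tool output at the bottom is constructed to approximate the formats codesign and altool print and was not captured from a real run.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks and notarization
# around Apple's own tools (codesign, ditto, altool, stapler, spctl) for a signed
# Xamarin.Mac Release build. Assumed: the app is already Developer ID signed and
# the app-specific password is in the keychain as the item AC_PASSWORD.

# ---- text helpers: parse tool output, so they can be exercised off-macOS ----

# True if `codesign -d -vvv App.app` reports the hardened runtime flag
# (the CodeDirectory line shows flags=0x10000(runtime)).
has_runtime_flag() {            # $1 = codesign -dvvv output
    printf '%s\n' "$1" | grep -q 'CodeDirectory.*flags=.*runtime'
}

# True if a boolean entitlement is present and <true/> in the plist printed by
# `codesign -d --entitlements :- App.app`.
entitlement_is_true() {         # $1 = entitlements XML, $2 = entitlement key
    printf '%s\n' "$1" | awk -v k="$2" '
        index($0, "<key>" k "</key>") { want = 1; next }
        want && NF { print; exit }' | grep -q '<true/>'
}

# RequestUUID from `altool --notarize-app` or `--notarization-info` output.
request_uuid() {                # $1 = altool output
    printf '%s\n' "$1" | sed -n 's/.*RequestUUID[ =:]*\([0-9A-Fa-f-]*\).*/\1/p' | head -n 1
}

# "Status:" value from `altool --notarization-info` (in progress / success / invalid).
notarization_status() {         # $1 = altool output
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Status:[[:space:]]*//p' | head -n 1
}

# ---- the procedure itself (macOS only): sh notarize.sh run MyApp.app apple-id bundle-id
preflight() {                   # $1 = path to .app
    has_runtime_flag "$(codesign -d -vvv "$1" 2>&1)" \
        || { echo "$1 was not signed with --options runtime"; return 1; }
    entitlement_is_true "$(codesign -d --entitlements :- "$1" 2>/dev/null)" \
        com.apple.security.cs.allow-jit \
        || { echo "allow-jit entitlement missing: Mono's JIT would be blocked"; return 1; }
    codesign --verify --deep --strict --verbose=2 "$1"
}

notarize_and_staple() {         # $1 = .app, $2 = Apple ID, $3 = primary bundle id
    zip="${1%.app}.zip"
    ditto -c -k --keepParent "$1" "$zip"            # Apple's recommended archive format
    out=$(xcrun altool --notarize-app --primary-bundle-id "$3" --username "$2" \
            --password "@keychain:AC_PASSWORD" --file "$zip" 2>&1)
    uuid=$(request_uuid "$out")
    [ -n "$uuid" ] || { echo "$out"; return 1; }
    while :; do                                     # poll until Apple issues a verdict
        info=$(xcrun altool --notarization-info "$uuid" --username "$2" \
                 --password "@keychain:AC_PASSWORD" 2>&1)
        case "$(notarization_status "$info")" in
            success) break ;;
            invalid) echo "$info"; return 1 ;;      # LogFileURL lists the rejection reasons
            *)       sleep 60 ;;
        esac
    done
    xcrun stapler staple "$1" && xcrun stapler validate "$1"
    spctl --assess --type execute --verbose=4 "$1"  # expect "source=Notarized Developer ID"
}

# ---- constructed sample tool output (not captured from a real run) ----
SAMPLE_CODESIGN='Identifier=com.example.myapp
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <false/>
</dict>
</plist>'
SAMPLE_UPLOAD="No errors uploading 'MyApp.zip'.
RequestUUID = 2EFE2717-52EF-43A5-96DC-0797E4CA1041"
SAMPLE_INFO='No errors getting notarization info.

   RequestUUID: 2EFE2717-52EF-43A5-96DC-0797E4CA1041
        Status: success
   Status Code: 0
Status Message: Package Approved'

if [ "${1:-}" = "run" ]; then
    preflight "$2" && notarize_and_staple "$2" "$3" "$4"
fi
```

    The parsing helpers are kept separate from the macOS commands so the checks on tool output can be run anywhere; the pre-flight step fails fast on the two mistakes that otherwise only surface as a notary rejection or a launch crash (no runtime flag on the signature, no allow-jit entitlement). When the status comes back invalid, fetch the LogFileURL from the same output: it names the exact file and rule that failed.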

    You’re all set! If you have any feedback regarding this process, we’d love to hear from you. Email david.ortinau@microsoft.com or add a comment on GitHub.



    David Ortinau

    Senior Program Manager, Mobile Developer Tools
