Getting ready for the Hardened Runtime and Notary Service on macOS Mojave

Original authors: David Ortinau, Chris Hamons
With macOS Mojave, Apple introduced support for the Hardened Runtime and the Notary Service. Both are designed to enhance application security on macOS. Recently, the company said:
Starting with macOS 10.14.5, all new or updated kernel extensions and all programs from developers who first mastered the distribution with Developer ID must be authenticated through Hardened Runtime and Notary to run. A future version of macOS will require certification by default for all programs.
Today we will help you understand the new requirements from a Xamarin perspective.


Security on macOS


  • Code Signing: on macOS, Gatekeeper requires application packages to be cryptographically signed with a key from an Apple developer account.

    1. This has been a requirement since macOS Lion (10.7).
    2. Getting the right keys and certificates can be difficult the first time, so see the Xamarin.Mac application signing documentation.

  • Hardened Runtime is the second level of security, introduced in macOS Mojave (10.14). When code is signed with an additional flag, the Cocoa runtime applies several restrictions to the running application.

    1. For example, the restrictions include refusing to execute self-modifying code or to load unsigned dynamic libraries.
    2. Each category of restrictions can be disabled with a specific entitlement.

  • Notary Service is the third level of security, also introduced in macOS Mojave (10.14). It is a code-scanning service that checks your software for malicious content. To pass a notary scan, your application must already have been tested in the Hardened Runtime.

How to start


To begin preparing your application for these new requirements, follow these steps:


Set Entitlements


Until we implement IDE support for the new options, you must manually complete two steps:

  1. Open the Xamarin.Mac application's .csproj file in a text editor and add [image] to the Release section.
  2. Open the entitlements.plist file in a text editor and add [image].

Launch your application and test it. In the event of a failure, you may need additional entitlements from Apple.
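Because each entitlement added to get past a failure switches one Hardened Runtime restriction back off, it helps to review entitlements.plist before shipping. The following is an added example, not code from the original article or from Xamarin: it lists which runtime exceptions a plist enables. The entitlement keys are Apple's documented Hardened Runtime exceptions rather than values taken from this page, and the sample plist is constructed.

```python
import plistlib

# Apple's documented Hardened Runtime exception entitlements (not from this
# article), mapped to the restriction each one relaxes.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit":
        "may create writable+executable memory with MAP_JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "may create writable+executable memory without MAP_JIT",
    "com.apple.security.cs.disable-executable-page-protection":
        "disables all code memory protection",
    "com.apple.security.cs.disable-library-validation":
        "may load plug-ins/frameworks regardless of who signed them",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* variables that can inject code",
}

def audit_entitlements(plist_bytes):
    """Return [(key, effect)] for every runtime exception set to true."""
    entitlements = plistlib.loads(plist_bytes)
    if not isinstance(entitlements, dict):
        raise ValueError("entitlements plist must have a <dict> root")
    # Only a literal <true/> enables an exception; <false/> or absence does not.
    return [(key, effect) for key, effect in RUNTIME_EXCEPTIONS.items()
            if entitlements.get(key) is True]

# Constructed sample input, not the plist from the article.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><false/>
    <key>com.apple.security.network.client</key><true/>
</dict>
</plist>"""

if __name__ == "__main__":
    for key, effect in audit_entitlements(SAMPLE):
        print(f"{key}: {effect}")
```

Every key it reports is a protection the signed build gives up, so each one should map to a failure you actually observed in testing.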

Notarize the application


To notarize the application, you need to perform two steps:

  1. Upload the build to the Notary Service
  2. Attach the ticket to the application

That's it! If you have any feedback regarding this process, we will be happy to hear from you. Email david.ortinau@microsoft.com or add a comment on GitHub.
