Getting ready for the Hardened Runtime and Notary Service on macOS Mojave
With macOS Mojave, Apple introduced support for the Hardened Runtime and the Notary Service. Both are designed to enhance application security on macOS. Recently, the company said:
Starting with macOS 10.14.5, all new or updated kernel extensions and all programs from developers who first mastered the distribution with Developer ID must be authenticated through Hardened Runtime and Notary to run. A future version of macOS will require certification by default for all programs.
Today we will help you understand the new requirements from the point of view of Xamarin.
Security on macOS
- Code Signing: on macOS, Gatekeeper requires application packages to be cryptographically signed with a key from an Apple developer account.
  - This has been a requirement since macOS Lion (10.7).
  - Getting the right keys and certificates can be difficult the first time, so see the Xamarin.Mac application signing documentation.
- Hardened Runtime is the second level of security, introduced in macOS Mojave (10.14). When code is signed with an additional flag, the Cocoa runtime applies several restrictions to the running application.
  - For example, the restrictions include refusing to execute self-modifying code or to load unsigned dynamic libraries.
  - Each category of restrictions can be disabled with a specific entitlement.
- Notary Service is the third level of security, also introduced in macOS Mojave (10.14). It is a code scanning service that scans your software for malicious content. To pass a notary scan, your application must already have been tested in the Hardened Runtime.
How to start
To begin preparing your application for these new requirements, follow these steps:
- Open the application and make sure that code signing with the entitlements file is enabled for release builds. Make sure the application starts successfully. If you encounter problems, follow the Xamarin.Mac application signing documentation.
- Download and install Xamarin.Mac 5.10 (d16-1) here.
Set Entitlements
Until we implement IDE support for the new options, you must manually complete two steps:
- Open the Xamarin.Mac application's .csproj file in a text editor and add it to the Release section.
- Open the file entitlements.plist in a text editor and add
Launch your application and test it. In the event of a failure, you may need additional entitlements from Apple.
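Because each Hardened Runtime restriction can be switched off with an entitlement, a release check can list which exceptions an entitlements.plist actually enables. The following is an added example, not part of the original article or of Xamarin's tooling: the entitlement keys are Apple's documented Hardened Runtime exceptions, while the sample plist and the function name audit_entitlements are constructed for illustration.

```python
import plistlib

# Hardened Runtime exception entitlements documented by Apple; each one
# switches a category of protection back off for the signed application.
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit":
        "allows writable and executable memory created with MAP_JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "allows writable and executable memory without MAP_JIT",
    "com.apple.security.cs.disable-executable-page-protection":
        "disables code signing protection of executable pages",
    "com.apple.security.cs.disable-library-validation":
        "allows loading libraries not signed by Apple or the same team",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "allows DYLD_* environment variables to influence library loading",
}

# Constructed sample entitlements.plist (assumption, not from the article).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><false/>
</dict>
</plist>"""


def audit_entitlements(plist_bytes):
    """Return sorted (key, effect) pairs for every runtime exception set to true."""
    ents = plistlib.loads(plist_bytes)
    if not isinstance(ents, dict):
        raise ValueError("entitlements plist must have a dict at top level")
    # Only a literal <true/> enables an exception; <false/> leaves it off.
    return sorted(
        (key, RUNTIME_EXCEPTIONS[key])
        for key, value in ents.items()
        if key in RUNTIME_EXCEPTIONS and value is True
    )


if __name__ == "__main__":
    for key, effect in audit_entitlements(SAMPLE):
        print(f"{key}: {effect}")
```

Every key the audit reports is a protection the application has opted out of, so each one should have a recorded reason before the build is submitted to the Notary Service.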
Notarize the application
For notarization, you need to perform two steps:
All is ready! If you have any feedback regarding this process, we will be happy to hear from you. Email david.ortinau@microsoft.com or add a comment on GitHub.