Mac Mojave Hardened Runtime

This forum is for general conversation and user-user networking.
Post Reply
ionutholbia
OpenVpn Newbie
Posts: 3
Joined: Thu May 02, 2019 10:49 am

Mac Mojave Hardened Runtime

Post by ionutholbia » Thu May 02, 2019 10:53 am

Hi all,

Does anyone have some knowledge regarding enabling Hardened Runtime for OpenVPN? Starting Mac Mojave 10.14.5 Apple will force App Developers to notarize their apps. Since my app includes openvpn in the bundle I can't get it approved by Apple.

Thanks!

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 6135
Joined: Fri Jun 03, 2016 1:17 pm

Re: Mac Mojave Hardened Runtime

Post by TinCanTech » Thu May 02, 2019 11:44 am

ionutholbia wrote:
Thu May 02, 2019 10:53 am
Starting Mac Mojave 10.14.5 Apple will force App Developers to notarize their apps.
Do you have any details for this, like a source ?

ionutholbia
OpenVpn Newbie
Posts: 3
Joined: Thu May 02, 2019 10:49 am

Re: Mac Mojave Hardened Runtime

Post by ionutholbia » Thu May 02, 2019 12:03 pm

Here you can find the apple documentation:

https://developer.apple.com/documentati ... guage=objc
https://developer.apple.com/documentati ... jc#3087734

Apple reported issues after uploading the package:
{
"logFormatVersion": 1,
"jobId": "c08645e2-fc56-4a84-ad57-ed6001c12201",
"status": "Invalid",
"statusSummary": "Archive contains critical validation errors",
"statusCode": 4000,
"archiveFilename": "vpn.pkg",
"uploadDate": "2019-04-30T12:49:30Z",
"sha256": "65dab4f9dcf728be04b22d7d5ab89e879e5296e645bbb0a0a8ce7c0f89324b90",
"ticketContents": null,
"issues": [
{
"severity": "error",
"code": null,
"path": "vpn.pkg/****.pkg Contents/Payload/Applications/***/Contents/Resources/OpenVPN/openvpn",
"message": "The executable does not have the hardened runtime enabled.",
"docUrl": null,
"architecture": "x86_64"
}
]
}

plaisthos
OpenVPN User
Posts: 12
Joined: Mon May 14, 2012 1:15 pm

Re: Mac Mojave Hardened Runtime

Post by plaisthos » Thu May 02, 2019 1:27 pm

What does need to be done to have this hardened runtime?

User avatar
ecrist
Forum Team
Posts: 253
Joined: Wed Nov 26, 2008 10:33 pm
Location: Minneapolis, MN
Contact:

Re: Mac Mojave Hardened Runtime

Post by ecrist » Thu May 02, 2019 3:09 pm

I found a link to Apple's knowledge base that may help: https://developer.apple.com/documentati ... ion_issues.

From that page:
Enable the Hardened Runtime

Enable the hardened runtime capability as described in Enable hardened runtime (macOS). This adds security restrictions to your app by default while allowing you to ask for specific exceptions as needed. If you don’t enable the hardened runtime, notarization fails and reports an issue with the following message:

The executable does not have the hardened runtime enabled.

Hardened runtime is available in the Capabilities pane of Xcode 10 or later, but you can enable the feature manually using earlier versions of Xcode, as long as you’re on macOS 10.13.6 or later. To do this, add the following flag to the OTHER_CODE_SIGN_FLAGS build setting:
--options=runtime

If you need exceptions, manually add the entitlements to your app’s entitlements file. If you enable hardened runtime manually using an earlier version of macOS, make sure that you also test your app running on macOS 10.14 or later.
Important

You can notarize an app that you build with earlier versions of Xcode, but you must use Xcode 10 or later to actually perform the notarization. This is because the altool utility, which you use to perform notarization, only supports notarization starting in Xcode 10. See Customizing the Notarization Workflow.
OpenVPN Community Administrator
IRC: #openvpn, #openvpn-devel Twitter: @ecrist
Co-Author of Mastering OpenVPN
Author of Troubleshooting OpenVPN

plaisthos
OpenVPN User
Posts: 12
Joined: Mon May 14, 2012 1:15 pm

Re: Mac Mojave Hardened Runtime

Post by plaisthos » Thu May 02, 2019 4:10 pm

That sounds like when you bundle/build openvpn you should enable that flag. If you run into issues with that flag we can look what need to be improved/fixed.

ionutholbia
OpenVpn Newbie
Posts: 3
Joined: Thu May 02, 2019 10:49 am

Re: Mac Mojave Hardened Runtime

Post by ionutholbia » Fri May 03, 2019 6:52 am

Compiled TunnelBlick repository that uses OpenVPN source with Xcode 10.2.1 on Mojave and it worked fine after some adjustments :). After that I signed it with codesign and enabled the flag (-o runtime). Package was approved by Apple now !

https://github.com/Tunnelblick/Tunnelblick

Post Reply