Hi all,
Does anyone have some knowledge regarding enabling Hardened Runtime for OpenVPN? Starting Mac Mojave 10.14.5 Apple will force App Developers to notarize their apps. Since my app includes openvpn in the bundle I can't get it approved by Apple.
Thanks!
Mac Mojave Hardened Runtime
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu May 02, 2019 10:49 am
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Mac Mojave Hardened Runtime
ionutholbia wrote: ↑Thu May 02, 2019 10:53 am
Starting Mac Mojave 10.14.5 Apple will force App Developers to notarize their apps.

Do you have any details for this, like a source?
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu May 02, 2019 10:49 am
Re: Mac Mojave Hardened Runtime
Here you can find the Apple documentation:
https://developer.apple.com/documentati ... guage=objc
https://developer.apple.com/documentati ... jc#3087734
Apple reported issues after uploading the package:
{
  "logFormatVersion": 1,
  "jobId": "c08645e2-fc56-4a84-ad57-ed6001c12201",
  "status": "Invalid",
  "statusSummary": "Archive contains critical validation errors",
  "statusCode": 4000,
  "archiveFilename": "vpn.pkg",
  "uploadDate": "2019-04-30T12:49:30Z",
  "sha256": "65dab4f9dcf728be04b22d7d5ab89e879e5296e645bbb0a0a8ce7c0f89324b90",
  "ticketContents": null,
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "vpn.pkg/****.pkg Contents/Payload/Applications/***/Contents/Resources/OpenVPN/openvpn",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": null,
      "architecture": "x86_64"
    }
  ]
}
-
- OpenVpn Newbie
- Posts: 17
- Joined: Mon May 14, 2012 1:15 pm
Re: Mac Mojave Hardened Runtime
What needs to be done to have this hardened runtime?
- ecrist
- Forum Team
- Posts: 237
- Joined: Wed Nov 26, 2008 10:33 pm
- Location: Northern Minnesota, USA
- Contact:
Re: Mac Mojave Hardened Runtime
I found a link to Apple's knowledge base that may help: https://developer.apple.com/documentati ... ion_issues.
From that page:
Enable the Hardened Runtime
Enable the hardened runtime capability as described in Enable hardened runtime (macOS). This adds security restrictions to your app by default while allowing you to ask for specific exceptions as needed. If you don’t enable the hardened runtime, notarization fails and reports an issue with the following message:
The executable does not have the hardened runtime enabled.
Hardened runtime is available in the Capabilities pane of Xcode 10 or later, but you can enable the feature manually using earlier versions of Xcode, as long as you’re on macOS 10.13.6 or later. To do this, add the following flag to the OTHER_CODE_SIGN_FLAGS build setting:
--options=runtime
If you need exceptions, manually add the entitlements to your app’s entitlements file. If you enable hardened runtime manually using an earlier version of macOS, make sure that you also test your app running on macOS 10.14 or later.
Important
You can notarize an app that you build with earlier versions of Xcode, but you must use Xcode 10 or later to actually perform the notarization. This is because the altool utility, which you use to perform notarization, only supports notarization starting in Xcode 10. See Customizing the Notarization Workflow.
OpenVPN Community Administrator
IRC: #openvpn, #openvpn-devel
Co-Author of Mastering OpenVPN
Author of Troubleshooting OpenVPN
-
- OpenVpn Newbie
- Posts: 17
- Joined: Mon May 14, 2012 1:15 pm
Re: Mac Mojave Hardened Runtime
That sounds like when you bundle/build openvpn you should enable that flag. If you run into issues with that flag we can look at what needs to be improved/fixed.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu May 02, 2019 10:49 am
Re: Mac Mojave Hardened Runtime
Compiled the Tunnelblick repository that uses OpenVPN source with Xcode 10.2.1 on Mojave and it worked fine after some adjustments. After that I signed it with codesign and enabled the flag (-o runtime). The package was approved by Apple now!
https://github.com/Tunnelblick/Tunnelblick
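Added example, not written by any poster in this thread and not Tunnelblick or OpenVPN project code: a small Python helper that reads a notarization log of the shape posted above, picks out every nested executable rejected for missing hardened runtime, and builds the matching `codesign` invocation for each. The sample log, the staging directory, the signing identity and the rule that the install-relative path is whatever follows `/Payload/` are assumptions made for the illustration.

```python
import json
import posixpath
import shlex

HARDENED_MSG = "The executable does not have the hardened runtime enabled."
# Constructed placeholder path, not a value from the thread.
_BIN = ("vpn.pkg/inner.pkg Contents/Payload/Applications/Example.app"
        "/Contents/Resources/OpenVPN/openvpn")

# Constructed sample in the shape of the log posted in the thread.
SAMPLE_LOG = json.dumps({
    "status": "Invalid",
    "issues": [
        {"severity": "error", "architecture": "x86_64",
         "message": HARDENED_MSG, "path": _BIN},
        # Same binary reported for a second slice: must be deduplicated.
        {"severity": "error", "architecture": "i386",
         "message": HARDENED_MSG, "path": _BIN},
        {"severity": "warning", "architecture": "x86_64",
         "message": "Constructed unrelated finding.",
         "path": "vpn.pkg/inner.pkg Contents/Payload/Applications/Example.app"},
    ],
})


def unhardened_binaries(log_text):
    """Return unique install-relative paths flagged for missing hardened runtime."""
    log = json.loads(log_text)
    found = []
    for issue in log.get("issues") or []:  # tolerate a missing or null list
        if issue.get("message") != HARDENED_MSG:
            continue
        # Assumption: the text after "/Payload/" is the path inside the staged root.
        _, sep, rel = issue.get("path", "").partition("/Payload/")
        if sep and rel not in found:
            found.append(rel)
    return found


def codesign_commands(log_text, staging_root, identity):
    """Build one codesign command per flagged binary, signing nested code directly."""
    return [
        shlex.join(["codesign", "--force", "--options", "runtime", "--timestamp",
                    "--sign", identity, posixpath.join(staging_root, rel)])
        for rel in unhardened_binaries(log_text)
    ]


if __name__ == "__main__":
    # Hypothetical staging directory and signing identity.
    for cmd in codesign_commands(SAMPLE_LOG, "build/root",
                                 "Developer ID Application: Example (TEAMID)"):
        print(cmd)
```

Because the `openvpn` binary sits under the app's `Contents/Resources`, the enclosing app bundle has to be re-signed after the nested binary and the package rebuilt before it is submitted again.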