Microsoft corporate blog
Development for MacOS
Xamarin
April 25

Getting Ready for macOS’s Hardened Runtime and Notary

With macOS Mojave, Apple introduced support for the Hardened Runtime and the Notary service. These two features are designed to improve application security on macOS. Recently Apple stated:

“Beginning in macOS 10.14.5, all new or updated kernel extensions and all software from developers new to distributing with Developer ID must be notarized in order to run. In a future version of macOS, notarization will be required by default for all software.”

This post will help you understand the new rules from the Xamarin point of view.

Security on macOS

  • Code Signing – On macOS, Gatekeeper requires application bundles to be cryptographically signed with a key from an Apple developer account.
    • This has been a requirement since macOS Lion (10.7).
    • Obtaining the correct keys and certificates can be difficult to get right the first time, so see the Xamarin.Mac signing documentation.
  • Hardened Runtime – This is a second layer of security introduced in macOS Mojave (10.14). When an application is code signed with an additional flag, the Cocoa runtime applies a number of restrictions to the running application.
    • For example, some restrictions include denying execution of self-modifying code or loading unsigned dynamic libraries.
    • Each category of restriction can be opted out of by adding the corresponding entitlement.
  • Notary Service – This is a third layer of security, also introduced in macOS Mojave (10.14). It is a code scanning service that scans your software for malicious content. To pass notary scanning, your application must already have opted into the hardened runtime.

How to Get Started

To get started preparing your application for these new requirements, here are some steps to take:

Configure Your Entitlements

Until we implement IDE support for the new options, two manual steps are needed:

  1. Open your Xamarin.Mac application .csproj in a text editor and add

     <UseHardenedRuntime>true</UseHardenedRuntime>

     to the Release section.
  2. Open your entitlements.plist file in a text editor and add

     <key>com.apple.security.cs.allow-jit</key>
     <true/>

Launch your application and test it out. If it crashes, you may need additional entitlements from Apple.
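As an added example (not code from the original post or from Xamarin's tooling), the following Python script audits a Xamarin.Mac project for the two settings above before you build: it parses the .csproj to confirm UseHardenedRuntime is true in the Release configuration, parses entitlements.plist to confirm com.apple.security.cs.allow-jit is present (Mono's JIT-compiled code needs it under the hardened runtime), and flags any entitlement that loosens the hardened runtime so that each one is a deliberate decision rather than a leftover from debugging. The project file and plist contents are constructed samples; the set of "risky" entitlements is my own selection of real Apple entitlement keys, not a list the post provides.

```python
"""Audit a Xamarin.Mac project for hardened-runtime readiness (added example)."""
import plistlib
import xml.etree.ElementTree as ET

# Entitlements that punch holes in the hardened runtime. Each one widens the
# attack surface of the app, so the audit makes their presence explicit.
# (Author's selection of real Apple keys; the post does not enumerate them.)
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-executable-page-protection",
    "com.apple.security.cs.debugger",
}


def _local(tag):
    """Strip the MSBuild XML namespace so tags compare by local name."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def hardened_runtime_by_configuration(csproj_xml):
    """Map each PropertyGroup Condition to whether it sets UseHardenedRuntime=true."""
    root = ET.fromstring(csproj_xml.encode("utf-8"))
    result = {}
    for group in root.iter():
        if _local(group.tag) != "PropertyGroup":
            continue
        condition = group.get("Condition", "").strip()
        for child in group:
            if _local(child.tag) == "UseHardenedRuntime":
                result[condition] = (child.text or "").strip().lower() == "true"
    return result


def release_hardened(csproj_xml):
    """True if the Release configuration (or an unconditional group) enables it."""
    return any(
        enabled
        for condition, enabled in hardened_runtime_by_configuration(csproj_xml).items()
        if condition == "" or "Release" in condition
    )


def load_entitlements(plist_xml):
    """Parse an XML entitlements file into a plain dict."""
    return plistlib.loads(plist_xml.encode("utf-8"))


def audit(csproj_xml, plist_xml):
    """Return a list of findings; an empty list means the project is ready."""
    findings = []
    if not release_hardened(csproj_xml):
        findings.append("UseHardenedRuntime is not true in the Release configuration")
    entitlements = load_entitlements(plist_xml)
    if entitlements.get("com.apple.security.cs.allow-jit") is not True:
        findings.append("com.apple.security.cs.allow-jit is missing; Mono's JIT needs it")
    for key in sorted(RISKY_ENTITLEMENTS & set(entitlements)):
        if entitlements[key] is True:
            findings.append(f"{key} is enabled; it weakens the hardened runtime")
    return findings


# Constructed sample inputs (not files from any real project).
SAMPLE_CSPROJ = """<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
    <DebugSymbols>true</DebugSymbols>
  </PropertyGroup>
  <PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
    <Optimize>true</Optimize>
    <UseHardenedRuntime>true</UseHardenedRuntime>
  </PropertyGroup>
</Project>
"""

SAMPLE_PLIST_OK = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
</dict>
</plist>
"""

# Same file with a debugging leftover that disables library validation.
SAMPLE_PLIST_WEAK = SAMPLE_PLIST_OK.replace(
    "</dict>",
    "    <key>com.apple.security.cs.disable-library-validation</key>\n    <true/>\n</dict>",
)

if __name__ == "__main__":
    for name, plist in (("ok", SAMPLE_PLIST_OK), ("weak", SAMPLE_PLIST_WEAK)):
        print(name, audit(SAMPLE_CSPROJ, plist) or "ready")
```

Run it against your own files by reading the .csproj and entitlements.plist from disk and passing the text to audit(); an empty result means both manual steps are in place and no entitlement is silently relaxing the hardened runtime.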


Notarize Your App

To notarize, you need to follow two steps:

  1. Upload your build to the notary service
  2. Staple the ticket to your application
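The two notarization steps as an added example, not code from the original post or from Xamarin. It drives the Apple command-line tools available at the time of the post: xcrun altool to upload the build and poll its status, xcrun stapler to staple the ticket, and spctl to confirm Gatekeeper's verdict. It assumes the app is already signed with the hardened runtime, that an app-specific password for the Apple ID is stored in the login keychain under the item name AC_PASSWORD (a placeholder name; the @keychain: reference keeps the secret off the command line and out of shell history), and the sample altool outputs embedded below are constructed to match the tool's text format. Command construction and output parsing are pure functions, so they can be exercised without network access or an Apple ID.

```python
"""Upload a signed app to Apple's notary service, then staple the ticket (added example)."""
import re
import subprocess
import sys
import time

KEYCHAIN_ITEM = "AC_PASSWORD"  # placeholder keychain item holding the app-specific password


def build_submit_command(zip_path, bundle_id, apple_id, keychain_item=KEYCHAIN_ITEM):
    """argv for the upload step; @keychain: makes altool read the password itself."""
    return [
        "xcrun", "altool", "--notarize-app",
        "--primary-bundle-id", bundle_id,
        "--username", apple_id,
        "--password", f"@keychain:{keychain_item}",
        "--file", zip_path,
    ]


def build_info_command(request_uuid, apple_id, keychain_item=KEYCHAIN_ITEM):
    """argv for polling the status of an earlier upload."""
    return [
        "xcrun", "altool", "--notarization-info", request_uuid,
        "--username", apple_id,
        "--password", f"@keychain:{keychain_item}",
    ]


def parse_request_uuid(upload_output):
    """Pull the RequestUUID out of the upload output; None if altool gave none."""
    match = re.search(r"RequestUUID\s*=\s*([0-9A-Fa-f-]{36})", upload_output)
    return match.group(1) if match else None


def parse_notarization_info(info_output):
    """Turn the 'Key: value' lines of --notarization-info into a dict."""
    fields = {}
    for line in info_output.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def is_terminal(fields):
    """Apple reports 'in progress' until the scan finishes; anything else is final."""
    return fields.get("Status", "").lower() not in ("", "in progress")


def run(argv):
    """Run a tool and return its combined output; raises on a non-zero exit."""
    proc = subprocess.run(argv, check=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def notarize_and_staple(app_path, bundle_id, apple_id, poll_seconds=30):
    """Step 1 (upload and wait) followed by step 2 (staple), then Gatekeeper's verdict."""
    zip_path = app_path.rstrip("/") + ".zip"
    # ditto preserves the bundle's metadata; --keepParent keeps the .app directory itself.
    run(["ditto", "-c", "-k", "--keepParent", app_path, zip_path])
    request_uuid = parse_request_uuid(run(build_submit_command(zip_path, bundle_id, apple_id)))
    if request_uuid is None:
        raise RuntimeError("altool did not return a RequestUUID")
    while True:
        info = parse_notarization_info(run(build_info_command(request_uuid, apple_id)))
        if is_terminal(info):
            break
        time.sleep(poll_seconds)
    if info.get("Status") != "success":
        raise RuntimeError(
            f"notarization failed: {info.get('Status Message', info)}; log: {info.get('LogFileURL')}"
        )
    run(["xcrun", "stapler", "staple", app_path])
    # Gatekeeper's own assessment; expect 'source=Notarized Developer ID' in the output.
    return run(["spctl", "--assess", "--type", "execute", "--verbose", app_path])


# Constructed sample outputs in the shape altool prints them (not captured from Apple).
SAMPLE_UPLOAD_OUTPUT = (
    "No errors uploading 'MyApp.zip'.\n"
    "RequestUUID = 2EFE2717-52EF-43A5-96DC-0797E4CA1041\n"
)
SAMPLE_INFO_OUTPUT = (
    "No errors getting notarization info.\n\n"
    "          Date: 2019-04-25 10:00:00 +0000\n"
    "    LogFileURL: https://example.invalid/log.json\n"
    "   RequestUUID: 2EFE2717-52EF-43A5-96DC-0797E4CA1041\n"
    "        Status: success\n"
    "   Status Code: 0\n"
    "Status Message: Package Approved\n"
)

if __name__ == "__main__":
    # Usage: python notarize.py MyApp.app com.example.myapp developer@example.com
    print(notarize_and_staple(*sys.argv[1:4]))
```

If the final status is anything but success, the LogFileURL in the error points at Apple's JSON report, which lists each file that failed (typically an unsigned or non-hardened binary inside the bundle); fix the signing and resubmit rather than relaxing entitlements.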

You’re all set! If you have any feedback regarding this process, we’d love to hear from you. Email david.ortinau@microsoft.com or add a comment on GitHub.

David Ortinau

Senior Program Manager, Mobile Developer Tools