MacOS codesigning does not enable hardened runtime options #1534

Open
jamesmunns opened this issue Nov 7, 2024 · 2 comments

@jamesmunns

Hey there, I'm working my way through figuring out how to get a signed + notarized app built by cargo-dist. I've followed the instructions in #1372, which do produce a signed application; however, when I attempted to notarize my executable, I got the following error:

  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "poststation-v0_0_11.zip/poststation",
      "message": "The executable does not have the hardened runtime enabled.",
      "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087724",
      "architecture": "arm64"
    }
  ]

The signing step for macos:

pub fn sign(&self, file: &Utf8Path) -> DistResult<()> {
    // Create a throwaway keychain protected by a random password and import
    // only the signing certificate for this run into it.
    let password = uuid::Uuid::new_v4().as_hyphenated().to_string();
    let keychain = Keychain::create(password)?;
    keychain.import_certificate(&self.env.certificate, &self.env.password)?;
    let mut cmd = Cmd::new("/usr/bin/codesign", "sign macOS artifacts");
    cmd.arg("--sign").arg(&self.env.identity);
    cmd.arg("--keychain").arg(&keychain.path);
    // No --options runtime, --timestamp, --entitlements or --force are passed here.
    cmd.arg(file);
    cmd.stdout_to_stderr();
    cmd.output()?;
    Ok(())
}

Doesn't set the following flags: [--force] --options runtime.

The Apple docs mention the --options runtime argument:

I'm unsure if --force is required here, but I've seen it mentioned in a couple of places:

At the moment, I haven't enabled the creation of a pkg or dmg, so I'm just building a bare application that I put in a zip for notarization.

I'll keep trying to do this locally, and see if I can find the right combination required to get signed and notarized. Happy to test out anything here re: macOS signing!

@jamesmunns
Author

Additionally, to get things to work, I seem to have also needed to add:

--timestamp --entitlements ./entitlements.plist. Right now I don't need any entitlements, so my contents are:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
</dict>
</plist>
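As an added example (not cargo-dist's code and not from the issue author), the two comments above suggest a concrete fix: pass --options runtime, --timestamp, --force and an entitlements file to codesign, then confirm the result before submitting for notarization. The Rust below builds that argument list and parses the CodeDirectory flags word from a `codesign -d --verbose=2` report, checking the CS_RUNTIME bit (0x10000, printed by codesign as `flags=0x10000(runtime)`) and the presence of a secure timestamp. The identity, keychain and file paths are placeholders, and the two report excerpts are constructed to match codesign's output format rather than captured from a real binary.

```rust
use std::path::Path;

/// CS_RUNTIME bit of the CodeDirectory flags word (Apple's cs_blobs.h).
/// `codesign -d --verbose=2` prints it as `flags=0x10000(runtime)`.
const CS_RUNTIME: u32 = 0x10000;

/// Arguments for /usr/bin/codesign with the options discussed in the issue:
/// hardened runtime (required by notarization), a secure timestamp, an
/// optional entitlements file, and --force so an existing non-hardened
/// signature is replaced instead of making codesign fail as "already signed".
fn codesign_args(identity: &str, keychain: &Path, entitlements: Option<&Path>, file: &Path) -> Vec<String> {
    let keychain = keychain.display().to_string();
    let mut args: Vec<String> = [
        "--sign", identity,
        "--keychain", keychain.as_str(),
        "--options", "runtime",
        "--timestamp",
        "--force",
    ]
    .iter()
    .map(|s| s.to_string())
    .collect();
    if let Some(ent) = entitlements {
        args.push("--entitlements".to_string());
        args.push(ent.display().to_string());
    }
    args.push(file.display().to_string());
    args
}

/// Extracts the CodeDirectory flags word from a `codesign -d --verbose=2`
/// report (codesign writes it to stderr). None means there is no
/// CodeDirectory line, i.e. the file carries no signature at all.
fn code_directory_flags(report: &str) -> Option<u32> {
    let line = report.lines().find(|l| l.starts_with("CodeDirectory"))?;
    let field = line.split_whitespace().find_map(|f| f.strip_prefix("flags="))?;
    // The field reads like "0x10000(runtime)" or "0x0(none)": keep the hex part.
    let hex = field.split('(').next()?.trim_start_matches("0x");
    u32::from_str_radix(hex, 16).ok()
}

fn hardened_runtime_enabled(report: &str) -> bool {
    code_directory_flags(report).map_or(false, |f| f & CS_RUNTIME != 0)
}

/// codesign prints a `Timestamp=` line only when the signature carries a
/// secure timestamp (the --timestamp flag), which notarization also wants.
fn has_secure_timestamp(report: &str) -> bool {
    report.lines().any(|l| l.starts_with("Timestamp="))
}

// Constructed report excerpts in the format of `codesign -d --verbose=2`
// (placeholder identity, team ID and paths); not captured from a real binary.
const REPORT_NO_RUNTIME: &str = "\
Executable=/work/target/dist/poststation
Identifier=poststation
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+2 location=embedded
Signature size=8968
Authority=Developer ID Application: Example Corp (TEAMID1234)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Info.plist=not bound
TeamIdentifier=TEAMID1234
Sealed Resources=none
";

const REPORT_HARDENED: &str = "\
Executable=/work/target/dist/poststation
Identifier=poststation
Format=Mach-O thin (arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+2 location=embedded
Signature size=8968
Authority=Developer ID Application: Example Corp (TEAMID1234)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Nov 7, 2024 at 10:00:00 AM
Info.plist=not bound
TeamIdentifier=TEAMID1234
Runtime Version=14.0.0
Sealed Resources=none
";

fn main() {
    let args = codesign_args(
        "Developer ID Application: Example Corp (TEAMID1234)", // placeholder identity
        Path::new("/tmp/dist.keychain-db"),                    // placeholder keychain
        Some(Path::new("./entitlements.plist")),
        Path::new("target/dist/poststation"),
    );
    println!("/usr/bin/codesign {}", args.join(" "));
    for (name, report) in [("current signing", REPORT_NO_RUNTIME), ("with runtime+timestamp", REPORT_HARDENED)] {
        println!(
            "{}: hardened runtime={} secure timestamp={}",
            name,
            hardened_runtime_enabled(report),
            has_secure_timestamp(report)
        );
    }
}
```

The flags check is the useful part to wire into a release pipeline: running `codesign -d --verbose=2` on every signed artifact and failing the build when the CS_RUNTIME bit is absent catches the "does not have the hardened runtime enabled" rejection before the notarization upload rather than after it.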

@mistydemeo
Contributor

I'll take a look into it, thank you!
