Issue with code signing Mac standalones with hardened runtime
I am having an issue code signing Mac standalones created in Max 8 on Catalina using the hardened runtime option (which is required for notarizing the resulting application).
Even the simplest standalone (made from the attached maxpatch) results in an application that cannot load externals (see attached screenshots before and after code signing).
I am code signing from Terminal using the following command (as recommended at https://cycling74.com/articles/max-8-1-mac-os-10-15-catalina-support-and-notarization):
codesign -s [my developer ID] --options runtime --timestamp --force --deep -f [path/to/SimpleStandalone.app]
If I remove "--options runtime" the code-signed standalone opens fine but the signed application cannot be notarized by Apple which requires the application to be "runtime hardened". If I leave "--options runtime" the application does not load needed externals as shown in the attached screenshot.
I also ran the following command (as recommended on https://cycling74.com/articles/using-unsigned-max-externals-on-mac-os-10-15-catalina):
xattr -d -r com.apple.quarantine [path/to/SimpleStandalone.app]
to remove the quarantine attribute from the app bundle components but that did not fix the problem.
Any insight or recommendations will be greatly appreciated.
Adam


Hi Adam,
Can you post all of your entitlements? Are you trying to get it accepted on the App Store by using com.apple.security.app-sandbox?
What version of Max are you using?
Thank you Ben for replying. As I stated above I am using Max 8. I did not use the entitlements as I thought that was optional and did not think it was necessary for the app to work. As I stated, the app works without it as long as I do not add the runtime option.
By the way, adding the runtime option leads to successful notarization without adding entitlements but the standalone does not work.
Regards,
Adam
Hi Adam,
Can you send along the exact version of Max 8 you are using?
Regardless, you will have to specify entitlements if you want to notarize, as per the article you posted. Also, it is not clear from your note whether or not you are trying to get it on the Apple App Store. If so, you will have to use the com.apple.security.app-sandbox entitlement.
Thank you Ben. Apologies for not being specific enough. I am using Max 8.1.3 (da28f19)(64-bit mac).
I do understand now that I would need entitlements to notarize. Thank you for clarifying. However, the problem (app not loading externals) occurs when I code sign the application (i.e. before notarization) with the runtime option. I expect that a code-signed application should work irrespective of whether I wish to notarize it or not.
Still, as a separate matter, I wish to add an entitlements file to the app version I wish to notarize, but after reading the cheat sheet on setting entitlements it is not clear to me (having not done it before) what kind of file it should be. I presume a text file containing text commands like those shown in the cheat sheet, saved as "app.entitlements", where "app" should be the application name and "entitlements" the extension? Any other requirements?
Perhaps you could share an actual entitlements file? I would be very appreciative.
I forgot to mention that I am not planning to distribute the app through the Apple App Store. It is distributed through an installer downloaded directly from a website.
Regards,
Adam
Hi Adam,
Yes, *.entitlements should be fine. The format is something like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.get-task-allow</key>
<true/>
</dict>
</plist>
Hi Ben,
I can't thank you enough. Adding the entitlements file you posted solved the problem completely! Not only for the SimpleStandalone mock application but for my full (and very complex) application.
It is all working like a charm.
Regards,
Adam
Hi everybody,
It worked the same for me, but I would like to add that I also had to code sign all the hundreds of externals inside the standalone before the standalone started without error. The "deep" parameter apparently doesn't. It seems that every executable code within the standalone should be signed with the same identity.
Best regards
Thomas
Hey all, I'm running up against this issue trying to codesign and notarize, worried I might be missing something--
I have all my externals and frameworks individually codesigned like
codesign -s **developerID** --options runtime --force -f **pathToExternal**
and I go to codesign the whole app package with
codesign -s **developerID** --options runtime --force --entitlements **path to entitlements** -f **path to app**
But this seems to break my app. It just goes unresponsive when I try to open it-- I never see the UI. Anything jump out as incorrect or missing?
I'd overlooked that I needed to include excludeexternals true in my installer script. That fixed it. I manually populate the app's externals folder with the mxos I needed.
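As an added example (not code from the thread or from Cycling '74), a POSIX sh script that puts together Ben's entitlements file, Thomas's point about signing every external with the same identity, and the two-step signing in the last posts: every .mxo, framework and dylib inside the bundle is signed deepest-first with the hardened runtime, the .app is signed last with the entitlements, and the result is verified. The identity, the bundle layout, the CODESIGN override and the reduced entitlement set are assumptions; com.apple.security.cs.disable-library-validation is the key that lets a hardened-runtime app load externals not signed by its own Team ID.

```shell
#!/bin/sh
# Added example, not code from the thread. Signs each nested code bundle inside a
# Max standalone (externals, frameworks, dylibs) deepest-first, then the .app
# itself, all with the hardened runtime and the same identity, then verifies.
# CODESIGN is overridable so the script can be dry-run with a logging stub.
set -eu
CODESIGN="${CODESIGN:-codesign}"

# Entitlements for a Developer ID (non App Store) build. disable-library-validation
# is what lets a hardened-runtime app load externals not signed by its own Team ID;
# get-task-allow is a debug-only entitlement and is left out because notarization
# rejects executables that request it.
write_entitlements() {  # $1 = output path (e.g. app.entitlements)
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
EOF
}

# Nested code inside the bundle, deepest path first, so each item is signed
# before the bundle that contains it (the work --deep cannot be relied on for).
nested_code() {  # $1 = app path
  find "$1" \( -name '*.mxo' -o -name '*.framework' -o -name '*.dylib' -o -name '*.bundle' \) \
    | awk -F/ '{ print NF, $0 }' | sort -rn | cut -d' ' -f2-
}

sign() {  # $1 = identity, $2 = code path, rest = extra codesign arguments
  id=$1; path=$2; shift 2
  "$CODESIGN" -s "$id" --options runtime --timestamp --force "$@" "$path"
}

sign_standalone() {  # $1 = identity, $2 = app path, $3 = entitlements file to write
  write_entitlements "$3"
  nested_code "$2" | while IFS= read -r item; do sign "$1" "$item"; done
  sign "$1" "$2" --entitlements "$3"   # the outer app last; entitlements only here
}

# Non-zero exit if any nested code is unsigned or signed differently from the app.
verify_standalone() {  # $1 = app path
  "$CODESIGN" --verify --deep --strict --verbose=2 "$1"
}
```

Run it on a Mac with Xcode command line tools as `CODESIGN=codesign sh sign.sh` after calling `sign_standalone "Developer ID Application: ..." "/path/to/App.app" app.entitlements`; submit for notarization only after `verify_standalone` passes.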