Issue with code signing Mac standalones with hardened runtime


    May 20 2020 | 5:14 pm
    I am having an issue code signing Mac standalones created in Max 8 on Catalina using the hardened runtime option (which is required for notarizing the resulting application).
    Even the simplest standalone (made from the attached maxpatch) results in an application that cannot load externals (see attached screenshots before and after code signing).
    I am code signing from Terminal using the following command (as recommended at https://cycling74.com/articles/max-8-1-mac-os-10-15-catalina-support-and-notarization):
    codesign -s [my developer ID] --options runtime --timestamp --force --deep [path/to/SimpleStanalone.app]
    If I remove "--options runtime" the code-signed standalone opens fine but the signed application cannot be notarized by Apple which requires the application to be "runtime hardened". If I leave "--options runtime" the application does not load needed externals as shown in the attached screenshot.
    xattr -d -r com.apple.quarantine [path/to/SimpleStanalone.app]
    to remove the quarantine attribute from the app bundle components but that did not fix the problem.
    Any insight or recommendations will be greatly appreciated.
    Adam

    • May 20 2020 | 7:52 pm
      Hi Adam,
      Can you post all of your entitlements? Are you trying to get it accepted on the App Store by using com.apple.security.app-sandbox ?
      What version of Max are you using?
    • May 20 2020 | 8:31 pm
      Thank you, Ben, for replying. As I stated above, I am using Max 8. I did not use the entitlements as I thought that was optional and did not think it was necessary for the app to work. As I stated, the app works without it as long as I do not add the runtime option.
      By the way, adding the runtime option leads to successful notarization without adding entitlements but the standalone does not work. Regards, Adam
    • May 20 2020 | 9:27 pm
      Hi Adam,
      Can you send along the exact version of Max 8 you are using?
      Regardless, you will have to specify entitlements if you want to notarize, as per the article you posted. Also, it is not clear from your note whether or not you are trying to get it on the Apple App store. If so, you will have to use the com.apple.security.app-sandbox entitlement.
    • May 20 2020 | 10:56 pm
      Thank you Ben. Apologies for not being specific enough. I am using Max 8.1.3 (da28f19)(64-bit mac). I do understand now that I would need entitlements to notarize. Thank you for clarifying. However, the problem (app not loading externals) occurs when I code sign the application (i.e. before notarization) with the runtime option. I expect that a code-signed application should work irrespective of whether I wish to notarize it or not.
      Still, as a separate matter, I wish to add an entitlements file to the app version I wish to notarize, but after reading the cheat sheet on setting entitlements it is not clear to me (having not done it before) what kind of file it should be. I presume a text file containing text commands like those shown in the cheat sheet, saved as "app.entitlements" where "app" should be the application name and "entitlements" the extension? Any other requirements?
      Perhaps you could share an actual entitlements file? I would be very appreciative.
      I forgot to mention that I am not planning to distribute the app through the Apple App Store. It is distributed through an installer downloaded directly from a website.
      Regards, Adam
    • May 20 2020 | 11:37 pm
      Hi Adam,
      Yes, *.entitlements should be fine. The format is something like this:
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
      	<key>com.apple.security.automation.apple-events</key>
      	<true/>
      	<key>com.apple.security.cs.allow-jit</key>
      	<true/>
      	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
      	<true/>
      	<key>com.apple.security.cs.disable-library-validation</key>
      	<true/>
      	<key>com.apple.security.device.audio-input</key>
      	<true/>
      	<key>com.apple.security.device.camera</key>
      	<true/>
      	<key>com.apple.security.get-task-allow</key>
      	<true/>
      </dict>
      </plist>
    • May 21 2020 | 5:39 am
      Hi Ben, I can't thank you enough. Adding the entitlements file you posted solved the problem completely! Not only for the SimpleStandalone mock application but for my full (and very complex) application. It is all working like a charm. Regards, Adam
    • Jun 04 2020 | 6:26 am
      Hi everybody,
      It worked the same for me, but I would like to add that I also had to code sign all of the hundreds of externals inside the standalone before the standalone started without error. The "deep" parameter apparently doesn't do that. It seems that every executable code within the standalone should be signed with the same identity.
      Best regards, Thomas
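The two findings in this thread (Ben's entitlements file, and Thomas's observation that --deep does not reliably sign the externals inside the bundle) fit together in one signing script. The following is an added example, not code from the thread or from Cycling '74: it writes the entitlements, enumerates every nested code item under Contents/ deepest-first, signs each item with the same identity and the hardened runtime, then signs the app and verifies the seal. Assumptions not stated in the thread: the signing identity is passed in the SIGN_ID environment variable, externals are .mxo bundles, and Max's own libraries are .dylib, .framework or .bundle items somewhere under Contents/. Two caveats a practitioner should know: com.apple.security.get-task-allow is a debugging entitlement that Apple's notarization checks reject, so it is left out here; and com.apple.security.cs.disable-library-validation plus allow-unsigned-executable-memory deliberately relax hardened-runtime protections (the former lets the process load code not signed by your Team ID or Apple), so they are the first keys to try removing once every external is re-signed with your own identity.

```shell
#!/bin/sh
# Added example (not from the thread or from Cycling '74): sign a Max standalone
# inside-out with the hardened runtime and an entitlements file, so that every
# external, dylib and framework carries the same identity as the app bundle.
# Assumptions: the identity is in $SIGN_ID; externals are .mxo bundles and
# Max's libraries are .dylib/.framework/.bundle items under Contents/.
set -eu

# Write the hardened-runtime entitlements. The keys mirror Ben's list minus
# get-task-allow (a debugging entitlement that notarization rejects).
# disable-library-validation and allow-unsigned-executable-memory weaken the
# hardened runtime; keep them only while the app actually needs them.
write_entitlements() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.automation.apple-events</key>
	<true/>
	<key>com.apple.security.cs.allow-jit</key>
	<true/>
	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
	<true/>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
	<key>com.apple.security.device.audio-input</key>
	<true/>
	<key>com.apple.security.device.camera</key>
	<true/>
</dict>
</plist>
EOF
}

# List nested code items inside the .app, deepest path first, so each item is
# signed before the bundle that contains it. -prune stops find from descending
# into a bundle that codesign will seal as a unit (e.g. the Mach-O inside a .mxo).
list_nested_code() {
    find "$1/Contents" \( -name '*.mxo' -o -name '*.dylib' -o -name '*.framework' -o -name '*.bundle' \) -prune -print \
      | awk '{ n = gsub(/\//, "/"); print n "\t" $0 }' \
      | sort -rn \
      | cut -f 2-
}

# Sign every nested item with the hardened runtime, then the app itself with
# the entitlements (entitlements apply to the process, i.e. the main
# executable), then verify the seal and print what was actually embedded.
sign_app() {
    app="$1"; ent="$2"
    list_nested_code "$app" | while IFS= read -r item; do
        codesign --force --timestamp --options runtime --sign "$SIGN_ID" "$item"
    done
    codesign --force --timestamp --options runtime --entitlements "$ent" --sign "$SIGN_ID" "$app"
    codesign --verify --deep --strict --verbose=2 "$app"
    codesign -d --entitlements :- "$app"
}

# Usage (script name is hypothetical):
#   SIGN_ID="Developer ID Application: ..." ./sign_standalone.sh path/to/App.app
# Nothing runs unless an app path is given and codesign exists on this machine.
if [ $# -ge 1 ] && command -v codesign >/dev/null 2>&1; then
    write_entitlements "${1%.app}.entitlements"
    sign_app "$1" "${1%.app}.entitlements"
fi
```

After signing, `codesign -d --entitlements :- App.app` is the check that the entitlements really landed on the main executable; Gatekeeper (`spctl --assess --type execute App.app`) will still not accept the app until it has been notarized and the ticket stapled.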