Use hardened runtime on macOS release builds.
The Apple notary service requires submitted app bundles to be configured to use the hardened runtime libraries. This is configured at signing time, and supported by the signapple tool Bitcoin Core uses for reproducible signed binaries. We simply need to pass "--hardened-runtime" when the signature is created. Once attached to the bundle, the resulting codesigned binary can be successfully submitted to the Apple binary notarization service by any Apple Developer.

Github-Pull: #29127
Rebased-From: 4fdd836
maaku authored and glozow committed Jan 19, 2024
1 parent ac1b9a5 commit 11f3a7e
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion contrib/macdeploy/detached-sig-create.sh
Expand Up @@ -24,7 +24,7 @@ fi
rm -rf ${TEMPDIR}
mkdir -p ${TEMPDIR}

${SIGNAPPLE} sign -f --detach "${TEMPDIR}/${OUTROOT}" "$@" "${BUNDLE}"
${SIGNAPPLE} sign -f --detach "${TEMPDIR}/${OUTROOT}" "$@" "${BUNDLE}" --hardened-runtime

tar -C "${TEMPDIR}" -czf "${OUT}" .
rm -rf "${TEMPDIR}"
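Review bot: On the changed `${SIGNAPPLE} sign` line, `--hardened-runtime` is appended after the positional `"${BUNDLE}"` argument, while every other option (`-f`, `--detach`, and whatever the caller passes through `"$@"`) comes before it, so the call only works if signapple's argument parser accepts options after positionals. Placing the flag with the other options, for example `${SIGNAPPLE} sign -f --hardened-runtime --detach "${TEMPDIR}/${OUTROOT}" "$@" "${BUNDLE}"`, removes that dependency and keeps the bundle path as the last argument. The flag is also now unconditional, so a short comment above the line saying that notarization requires the hardened runtime would stop a later cleanup from dropping it. Separately, the context line `rm -rf ${TEMPDIR}` is unquoted while the final `rm -rf "${TEMPDIR}"` is quoted; quoting both would be consistent.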