
Fix hardened runtime entitlement for scripting languages and add app signing scripts #980


Merged

Conversation

ychin
Member

@ychin ychin commented Oct 30, 2019

Hardened runtime entitlements

Add hardened runtime entitlements to allow AppleScript + scripting languages to work.

Add get-task-allow entitlement which seems to be necessary to get scripting languages like Python to work. It's discouraged in docs, and Apple may not allow it from January 2020 onwards so this is not a safe long term solution and we need to find out how to get Python and other scripting languages to work without setting get-task-allow.

Fix #978
Also see #979

App signing / notarization scripts

Add scripts to sign and notarize MacVim

Add two scripts. First one signs the MacVim app bundle and dmg files with developer certificate. Second one submits the dmg file to Apple for app notarization, and waits for the results to come back.

Also added Makefile target macvim-dmg-release that will use these scripts to create a signed and notarized dmg file that can be distributed and will play nicely with macOS Gatekeeper.
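The sign-then-notarize flow the two scripts implement, written out as an added example. This is not the PR's own scripts or MacVim's Makefile target: the bundle layout (executables under Contents/MacOS), the Developer ID identity, the dmg build via hdiutil and the notarytool keychain profile are all assumptions, and it uses `xcrun notarytool`, which replaced the altool-based submission that was the only option in 2019. The release entitlements it writes contain only disable-library-validation, which is what the hardened runtime needs to load unsigned scripting-language libraries; get-task-allow is left out on purpose.

```sh
#!/bin/sh
# Added example (not the scripts from PR #980): sign MacVim.app and its dmg
# with a Developer ID certificate under the hardened runtime, then notarize
# and staple the dmg. Identity, paths and keychain profile are assumptions.
set -eu

IDENTITY="${IDENTITY:-Developer ID Application: Example Corp (TEAMID1234)}"  # placeholder identity
KEYCHAIN_PROFILE="${KEYCHAIN_PROFILE:-macvim-notary}"  # assumed; create with `xcrun notarytool store-credentials`
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of running them

# Print each command before running it; with DRY_RUN=1 only print, so the
# release procedure can be reviewed on a machine without codesign.
run() {
  printf '+'; printf ' %s' "$@"; printf '\n'
  [ "$DRY_RUN" = 1 ] || "$@"
}

# Release entitlements. Library validation is disabled so that Vim can load
# unsigned scripting-language libraries (e.g. Homebrew Python) under the
# hardened runtime. get-task-allow is deliberately absent: it only serves
# debugger attach, and Apple discourages it in shipping code.
write_release_entitlements() {   # write_release_entitlements <output.plist>
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
</dict>
</plist>
EOF
}

# Sign inside-out: nested executables first, then the bundle. --deep is not
# used because it does not reliably apply entitlements to nested code.
# --options runtime enables the hardened runtime, which notarization requires.
sign_app() {   # sign_app <MacVim.app> <entitlements.plist>
  app=$1; ents=$2
  for bin in "$app"/Contents/MacOS/*; do   # assumed bundle layout
    [ -f "$bin" ] && [ -x "$bin" ] || continue
    run codesign --force --sign "$IDENTITY" --options runtime --timestamp --entitlements "$ents" "$bin"
  done
  run codesign --force --sign "$IDENTITY" --options runtime --timestamp --entitlements "$ents" "$app"
  run codesign --verify --deep --strict --verbose=2 "$app"
}

# The dmg must be built from the already-signed bundle (assumed hdiutil invocation).
build_dmg() {   # build_dmg <MacVim.app> <MacVim.dmg>
  run hdiutil create -volname MacVim -srcfolder "$1" -ov -format UDZO "$2"
}

# A dmg is not code, so it gets a plain Developer ID signature (no runtime option).
sign_dmg() {   # sign_dmg <MacVim.dmg>
  run codesign --force --sign "$IDENTITY" --timestamp "$1"
}

# Submit the dmg, block until Apple returns a verdict, staple the ticket so
# Gatekeeper can verify offline, then assess the dmg the way Gatekeeper would.
notarize_dmg() {   # notarize_dmg <MacVim.dmg>
  run xcrun notarytool submit "$1" --keychain-profile "$KEYCHAIN_PROFILE" --wait
  run xcrun stapler staple "$1"
  run spctl --assess --type open --context context:primary-signature --verbose=2 "$1"
}

release() {   # release <MacVim.app> <MacVim.dmg>
  ents=$(mktemp)
  write_release_entitlements "$ents"
  sign_app "$1" "$ents"
  build_dmg "$1" "$2"
  sign_dmg "$2"
  notarize_dmg "$2"
  rm -f "$ents"
}

case "${1:-}" in
  release) release "$2" "$3" ;;
esac
```

Run it as `./release.sh release build/Release/MacVim.app MacVim.dmg`; with `DRY_RUN=1` it only prints the codesign, hdiutil, notarytool and spctl invocations, which is a cheap way to review the flag set before touching a real certificate.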

ychin added 2 commits October 30, 2019 04:10
Use get-task-allow which seems to be necessary to get scripting
languages like Python to work. It's discouraged in docs, but from trials
seems like App Notarization will give a warning but still approve the
app.
Add two scripts. First one signs the MacVim app bundle and dmg files
with developer certificate. Second one submits the dmg file to Apple for
app notarization, and waits for the results to come back.

Also added Makefile target `macvim-dmg-release` that will use these
scripts to create a signed and notarized dmg file that can be
distributed and will play nicely with macOS Gatekeeper.
@ychin ychin merged commit 919fd33 into macvim-dev:master Oct 30, 2019
@ychin ychin deleted the hardened-runtime-entitlement-scripting-language branch October 30, 2019 11:30
ychin added a commit to ychin/macvim that referenced this pull request Jul 23, 2025
This entitlement allows a debugger to hook into the app and allows other
apps to call `task_for_pid()` on MacVim, and Apple has discouraged its
use. In fact, the only reason why MacVim passes app notarization is
because it has also set the disable-library-validation entitlement
which allows get-task-allow to be set. We don't actually need
get-task-allow in release binary builds as we don't intentionally want
to allow external debuggers and code injection, so we should just remove
it.

This was previously added in macvim-dev#980 where we made a mistake in assuming
that get-task-allow was what was needed to sign the app with hardened
runtime while allowing scripting interface (e.g. Python) to work, but
that was wrong. It was the disable-library-validation entitlement
instead, as we need the ability to load in unsigned libraries as
Python distributions from say Homebrew are not signed.

Credit: This was pointed out by Karol Mazurek
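A check that would have flagged the mistake described in this commit, added here as an example and not part of MacVim: it reads the entitlements actually carried by a signed bundle (what the signature says matters, not the .entitlements source file) and fails the release if get-task-allow is enabled, warning if disable-library-validation is missing. The awk parser assumes the one-key-per-line XML layout codesign and Xcode emit; the sample plist it writes is constructed to mirror the two-entitlement state the commit describes.

```sh
#!/bin/sh
# Added example (not MacVim's code): audit the entitlements of a release build
# so a get-task-allow entitlement cannot slip into a shipped binary again.
set -eu

# Succeeds only if <key> is present in the XML plist and its value is <true/>.
# Walks the plist line by line, so it expects the usual one-key-per-line
# layout; a binary plist must be converted to XML first.
entitlement_enabled() {   # entitlement_enabled <entitlements.plist> <key>
  awk -v key="$2" '
    index($0, "<key>" key "</key>") { want = 1; next }
    want && /<true\/>/               { found = 1; exit }
    want && NF                       { exit }   # <false/> or another key: not enabled
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Release policy, taken from the commit message above:
#  - get-task-allow must not be enabled (lets other processes task_for_pid()
#    MacVim and inject code; only needed for debugger attach).
#  - disable-library-validation should be enabled, since unsigned scripting
#    runtimes such as Homebrew Python cannot otherwise be loaded under the
#    hardened runtime.
audit_release_entitlements() {   # audit_release_entitlements <entitlements.plist>; returns 1 on a hard failure
  plist=$1; rc=0
  if entitlement_enabled "$plist" com.apple.security.get-task-allow; then
    echo "FAIL: com.apple.security.get-task-allow is enabled in $plist" >&2
    rc=1
  fi
  if ! entitlement_enabled "$plist" com.apple.security.cs.disable-library-validation; then
    echo "WARN: com.apple.security.cs.disable-library-validation is not enabled; unsigned Python libraries will fail to load" >&2
  fi
  return $rc
}

# Dump the entitlements embedded in an already-signed bundle and audit those.
audit_signed_app() {   # audit_signed_app <MacVim.app>   (macOS only: needs codesign)
  tmp=$(mktemp)
  codesign -d --entitlements :- "$1" > "$tmp"   # ':-' strips the blob header, leaving plain XML
  if audit_release_entitlements "$tmp"; then rc=0; else rc=$?; fi
  rm -f "$tmp"
  return $rc
}

# Constructed sample: the entitlement set MacVim shipped after #980, with both
# keys enabled. This is the case the audit must reject.
write_sample_pre_2025_entitlements() {   # write_sample_pre_2025_entitlements <output.plist>
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
	<key>com.apple.security.get-task-allow</key>
	<true/>
</dict>
</plist>
EOF
}

case "${1:-}" in
  app)   audit_signed_app "$2" ;;
  plist) audit_release_entitlements "$2" ;;
esac
```

Wired into a release target as `./audit-entitlements.sh app build/Release/MacVim.app`, the non-zero exit stops the dmg from being built; the same check can run against the .entitlements file with `plist`, but only the signed bundle proves what notarization and Gatekeeper will see.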
Successfully merging this pull request may close these issues.

Fix hardened runtime / app notarization issues with scripting languages