OSX hardened runtime and notarization


Russell Valentine

Jun 5, 2019, 12:30:46 PM
to nw.js
In the next version of OSX, it looks like notarization will be pretty much required :(

Hardened runtime is required for notarization also:

In the current version of OSX it is required for new Developer IDs, next it sounds like current and new. I'm not talking about the Mac App Store, just our own distribution.

Has anyone had any luck notarizing nwjs in OSX? We've been having trouble getting nwjshelper to run when it is signed with the hardened runtime.

We get these messages when using hardened runtime:

[0605/103103.442530:WARNING:process_reader.cc(425)] all_image_infos.infoArrayCount is zero
[0605/103103.442767:WARNING:process_reader.cc(507)] no MH_EXECUTE modules
[0605/103103.443040:WARNING:system_snapshot_mac.cc(42)] sysctlbyname kern.nx: No such file or directory (2)
[0605/103103.458568:WARNING:process_reader.cc(425)] all_image_infos.infoArrayCount is zero
[0605/103103.458602:WARNING:process_reader.cc(507)] no MH_EXECUTE modules
[0605/103103.458839:WARNING:system_snapshot_mac.cc(42)] sysctlbyname kern.nx: No such file or directory (2)
[0605/103103.467464:WARNING:process_reader.cc(425)] all_image_infos.infoArrayCount is zero
[0605/103103.467495:WARNING:process_reader.cc(507)] no MH_EXECUTE modules
[33452:26371:0605/103103.467527:ERROR:service_manager_context.cc(258)] Attempting to run unsupported native service: ourapp/Contents/MacOS/nwjs.app/Contents/Versions/66.0.3359.139/nwjs Framework.framework/Versions/A/content_renderer.service
[0605/103103.467753:WARNING:system_snapshot_mac.cc(42)] sysctlbyname kern.nx: No such file or directory (2)
[33452:26371:0605/103103.468047:ERROR:service_manager_context.cc(258)] Attempting to run unsupported native service: ourapp/Contents/Versions/66.0.3359.139/nwjs Framework.framework/Versions/A/content_renderer.service
[0605/103103.489163:WARNING:process_reader.cc(425)] all_image_infos.infoArrayCount is zero
[0605/103103.489194:WARNING:process_reader.cc(507)] no MH_EXECUTE modules
[0605/103103.489466:WARNING:system_snapshot_mac.cc(42)] sysctlbyname kern.nx: No such file or directory (2)
[33452:26371:0605/103103.498460:ERROR:browser_gpu_channel_host_factory.cc(119)] Failed to launch GPU process.
[0605/103203.877205:WARNING:process_reader.cc(425)] all_image_infos.infoArrayCount is zero
[0605/103203.877236:WARNING:process_reader.cc(507)] no MH_EXECUTE modules
[0605/103203.877471:WARNING:system_snapshot_mac.cc(42)] sysctlbyname kern.nx: No such file or directory (2)
[33452:775:0605/103203.888536:ERROR:web_resource_service.cc(192)] Connection error with the json parser process.

We've tried all different combinations of these entitlements:

    <key>com.apple.security.get-task-allow</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.automation.apple-events</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.allow-jit</key>
    <true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.debugger</key>
    <true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.personal-information.location</key>
    <true/>
    <key>com.apple.security.personal-information.addressbook</key>
    <true/>
    <key>com.apple.security.personal-information.calendars</key>
    <true/>
    <key>com.apple.security.personal-information.photos-library</key>
    <true/>

bastian...@googlemail.com

Jun 9, 2019, 9:53:44 AM
to nw.js
I will soon have to add this myself. But I have no experience in doing so yet.
I see you have the Get-Task-Allow Entitlement set to true. According to Apple you should avoid that entitlement.

See here:
https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution

And here:
https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/resolving_common_notarization_issues?language=objc#3087731

Mislav Boras

Jun 9, 2019, 6:03:48 PM
to nw.js
Hi Roger, 

I think this is one of the most important features necessary for Catalina. 
If we don’t add this all of our apps with nw.js cannot be used on mac anymore. 

How can we help you solve this? 

Best, 
Mislav


Roger

Jun 9, 2019, 6:21:28 PM
to mislav.boras, nw.js

Арсен Боровинский

Jun 10, 2019, 9:32:22 AM
to nw.js
I successfully notarized the app http://koo.elibsystem.ru/files/dist/koo-browser-1.0.5-mac-x64.dmg . The app installs successfully, but crashes on startup under 10.14 (it works on the developer machine running macOS 10.13.6).

Now apps for macOS 10.14 also need to be notarized, not only for Catalina. Without notarization the user must disable Gatekeeper to run the app on 10.14.

For notarization I manually sign the files inside the app.

On Wednesday, June 5, 2019 at 21:30:46 UTC+5, Russell Valentine wrote:

bastian....@timebro.de

Jun 11, 2019, 3:20:27 AM
to nw.js
@Арсен:
The latest nwjs crashed on macOS for me as well. There is a bug ticket on GitHub for it. Try using an older one. For me 0.37.4 is the last that won't crash.

@Russell:
Can you tell me how you enabled "hardened runtime" for nwjs exactly? All I find is Xcode settings.

Russell Valentine

Jun 11, 2019, 11:05:34 AM
to nw.js
Enabled hardened runtime with codesign -o runtime:

/usr/bin/codesign --deep --force -o runtime -s "$SIGNING_IDENTITY" "$file"

Where $file can be nwjs app or binary.


Russell Valentine

Jun 11, 2019, 11:05:42 AM
to nw.js
Thanks Bastian. Tried all different combinations, just in case. I'll make sure I don't include Get-Task-Allow for production.

Russell Valentine

Jun 11, 2019, 11:19:47 AM
to nw.js
>> Now apps for macOS 10.14 also need to be notarized, not only for Catalina. Without notarization the user must disable Gatekeeper to run the app on 10.14.

I am pretty sure that currently it is only required for new developer IDs, but yeah, you are right. If you got your developer ID after the 10.14 release it is required also.

I think before 10.14 you could notarize without hardened runtime, but now I believe it is required when notarizing. And in 10.15 notarizing will be required for those that had older developer IDs also. At some point I imagine sandbox will be required, and then eventually you have to use the Mac App Store :(

bastian....@timebro.de

Jun 12, 2019, 2:42:32 AM
to nw.js
It is correct that right now it is only required for new developers. But Catalina is looming, the first Betas are out so we need to get it sorted right now.
Also be aware that this will affect already released software once Catalina is out:

Notarize Your Preexisting Software
Notarizing your preexisting software lets Gatekeeper warn users when they try to run it. It also helps the notary service distinguish your legitimate software from variants that have been tampered with. You can notarize an existing disk image, installer package, or ZIP archive containing your app.

See here: 

So it will hit everyone.

@Russell
I btw was able to enable hardened runtime and I have no issues with the Helper. I am running 0.37.4 which for me is the last version that works (even without hardened runtime).

I not only added the --options runtime flag to codesign but also these entitlements:
  • com.apple.security.automation.apple-events
  • com.apple.security.cs.allow-dyld-environment-variables
  • com.apple.security.cs.allow-jit
  • com.apple.security.cs.allow-unsigned-executable-memory
  • com.apple.security.cs.disable-executable-page-protection
  • com.apple.security.cs.disable-library-validation
I added the entitlements via codesign flag --entitlements
So far I have not yet tried to notarize.

bastian....@timebro.de

Jun 26, 2019, 10:00:44 AM
to nw.js
I was now able to successfully notarize our app and it still runs just fine. 
Here is what I am doing:

Our App:
 - we do not care for app store, so we do not use sandbox
 - of course our nwjs Helper is renamed
 - we do not use any ready-made node packages for building, bundling or other stuff. we have our own sets of bash and node scripts to fit our needs
 - we distribute via pkg not dmg

Steps to successfully notarize our app:
 1. build and bundle the nwjs app to an executable .app "file"
 2. codesign:
  a) adding flag for hardened runtime
  b) adding entitlements needed by nwjs/chromium/node
  c) apply to ALL binary files

  basic codesign command we use for all files:
  codesign --verbose --force --deep --strict --options runtime --timestamp --sign [IDENTITY] --entitlements neededToRun.entitlements [FILE]

  our entitlements file contains the following entitlements:
  - com.apple.security.automation.apple-events
  - com.apple.security.cs.allow-dyld-environment-variables
  - com.apple.security.cs.allow-jit
  - com.apple.security.cs.allow-unsigned-executable-memory
  - com.apple.security.cs.disable-executable-page-protection
  - com.apple.security.cs.disable-library-validation

note: an .entitlements file is just a plist, see:

we give all binaries the same .entitlements file, we do not use com.apple.security.inherit as it did not work for us.


VERSION_DIR: e.g. /Contents/Version/73.0.3683.103/ or whatever the number is

These are the binary files we sign (in order of signing):
- VERSION_DIR/nwjs Framework.framework/Helpers/crashpad_handler
- VERSION_DIR/nwjs Framework.framework/libnode.dylib
- VERSION_DIR/nwjs Framework.framework/libffmpeg.dylib
- VERSION_DIR/nwjs Framework.framework/Versions/A/Resources/app_mode_loader.app/Contents/MacOS/app_mode_loader
- VERSION_DIR/nwjs Framework.framework/Versions/A/Libraries/libEGL.dylib
- VERSION_DIR/nwjs Framework.framework/Versions/A/Libraries/libswiftshader_libEGL.dylib
- VERSION_DIR/nwjs Framework.framework/Versions/A/Libraries/libGLESv2.dylib
- VERSION_DIR/nwjs Framework.framework/Versions/A/Libraries/libswiftshader_libGLESv2.dylib
- VERSION_DIR/nwjs Framework.framework/Versions/A/XPCServices/AlertNotificationService.xpc/Contents/MacOS/AlertNotificationService
- VERSION_DIR/nwjs Framework.framework/Versions/A/Helpers/crashpad_handler
- VERSION_DIR/nwjs Framework.framework/Versions/A/nwjs Framework
- VERSION_DIR/nwjs Helper.app    (this is the renamed helper, however it is called)
- nwjs.app    (this is your app, however it is called)

Note that you also might need to do this for all binary node modules!

3. use pkgbuild and productbuild to create a macOS installer. This also needs to be signed with an Installer Certificate!
4. notarize:
a) zip the installer
b) send it to Apple's notarization service
c) poll every minute for the status of notarization
- on reject we check the logs apple sends us
- on success we staple the installer

steps 3 and 4 are pretty straightforward and apple

as for step 4:
according to Apple you only need to notarize the outermost container. In our case the pkg -- but a dmg would also be possible. They scan the whole container for all its elements!

as for step 2:
do not think that --deep does a nested signing! it does not, or at least not for all subdirectories. You have to individually sign all the binaries, otherwise apple will reject your app!


Read these before you start implementing notarization:
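The step 2 procedure above (shared entitlements plist, every binary signed innermost-first with the hardened runtime, then strict verification) as a script, added here as an example and not Bastian's own tooling. IDENTITY, the helper name and the Versions path are placeholders to adjust; --deep is dropped from the per-file signing because each target is signed explicitly, and CODESIGN=echo previews the commands without a Mac.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: sign every binary in an nw.js bundle
# innermost-first with the hardened runtime and one shared entitlements
# plist, then verify. IDENTITY and the helper name are placeholders.
set -euo pipefail
CODESIGN="${CODESIGN:-/usr/bin/codesign}"   # CODESIGN=echo previews the commands
IDENTITY="${IDENTITY:-Developer ID Application: PLACEHOLDER (TEAMID)}"

# Write the six entitlements the post settled on as a plist to "$1".
write_entitlements() {
  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    printf '<plist version="1.0">\n<dict>\n'
    for key in automation.apple-events cs.allow-dyld-environment-variables \
        cs.allow-jit cs.allow-unsigned-executable-memory \
        cs.disable-executable-page-protection cs.disable-library-validation; do
      printf '  <key>com.apple.security.%s</key>\n  <true/>\n' "$key"
    done
    printf '</dict>\n</plist>\n'
  } > "$1"
}

# List signing targets innermost first; --deep is not relied on because it
# does not re-sign every nested binary, so each one is signed explicitly.
sign_targets() {
  local fw="$1/Contents/Versions/$2/nwjs Framework.framework"
  printf '%s\n' \
    "$fw/Helpers/crashpad_handler" "$fw/libnode.dylib" "$fw/libffmpeg.dylib" \
    "$fw/Versions/A/Resources/app_mode_loader.app/Contents/MacOS/app_mode_loader" \
    "$fw/Versions/A/Libraries/libEGL.dylib" \
    "$fw/Versions/A/Libraries/libswiftshader_libEGL.dylib" \
    "$fw/Versions/A/Libraries/libGLESv2.dylib" \
    "$fw/Versions/A/Libraries/libswiftshader_libGLESv2.dylib" \
    "$fw/Versions/A/XPCServices/AlertNotificationService.xpc/Contents/MacOS/AlertNotificationService" \
    "$fw/Versions/A/Helpers/crashpad_handler" \
    "$fw/Versions/A/nwjs Framework" \
    "$1/Contents/Versions/$2/nwjs Helper.app" \
    "$1"
}

# sign_app APP.app VERSION ENTITLEMENTS_PLIST
sign_app() {
  sign_targets "$1" "$2" | while IFS= read -r target; do
    "$CODESIGN" --verbose --force --strict --options runtime --timestamp \
      --sign "$IDENTITY" --entitlements "$3" "$target"
  done
  # Strict verification of the whole bundle, as the notary service will check it.
  "$CODESIGN" --verify --deep --strict --verbose=2 "$1"
}

if [ $# -eq 3 ]; then write_entitlements "$3"; sign_app "$1" "$2" "$3"; fi
```

Run as `./sign.sh MyApp.app 73.0.3683.103 neededToRun.entitlements`; binary node modules inside the bundle are not in the list and must be appended before the app itself.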

Dave Page

Jan 12, 2021, 5:58:44 PM
to nw.js
For the sake of the archives, when working on this problem with my own application (which is being converted from a custom runtime to nw.js), I ran into exactly this issue, and with the help of the previous post (thanks Bastian) narrowed the requirements down to the com.apple.security.cs.disable-executable-page-protection entitlement. Of course, others may be required as well for other apps.

I also had to turn off sandboxing, but that's due to the way my application works and what it does (amongst other things, read/write to unix domain sockets in arbitrary locations).
