We have an existing Mac application developed using Xamarin.Mac and we are distributing the DMG file for the application to users. When we open the application on Catalina OS, it shows some security exceptions. So we found that we need to notarize the application before distributing it to users. We are code signing the application using "application Developer ID". So before submitting the application for notarization, we tried to add true in the release section of the .cs project. Then the application does not run in Release mode when we set the UseHardenedRuntime key and EnableCodeSigning key to true.
Does anyone know why the application is not running when we set both the UseHardenedRuntime and EnableCodeSigning keys to true?
Are there any other ways to set UseHardenedRuntime in a Xamarin application?
Answers
I would look into the crash logs for your application for details on why it isn't working.
You can generally find those in the "Console" application in one of the Reports folders.
I too face the same issue. I get a crash log like this:
Process: Sample [6952]
Path: /Applications/WBidMax.app/Contents/MacOS/WBidMax
Identifier: com.xx.xxxx
Version: 6.49.2.0 (1)
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: XXXXX [6952]
User ID: 501
Date/Time: 2019-10-18 13:02:25.128 +0530
OS Version: Mac OS X 10.15 (19A602)
Report Version: 12
Bridge OS Version: 4.0 (17P572)
Anonymous UUID: 8F80B35C-7FCB-E1B1-1E8B-E514CDB240EF
Sleep/Wake UUID: 47F734ED-3E41-4E29-9A85-85CCF9DECB97
Time Awake Since Boot: 9500 seconds
Time Since Wake: 4100 seconds
System Integrity Protection: enabled
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Signal: Segmentation fault: 11
Termination Reason: Namespace SIGNAL, Code 0xb
Terminating Process: exc handler [6952]
What hardened runtime entitlements have you enabled as detailed here?
https://developer.apple.com/documentation/security/hardened_runtime_entitlements
You definitely need com.apple.security.cs.allow-jit for a Xamarin.Mac application. One thing I noticed is that libmono-native.dylib (included in MonoBundle) is signed by Xamarin. If you don't re-sign that with your own cert then you'll need to add com.apple.security.cs.disable-library-validation too.
In addition on my app I've added com.apple.security.cs.allow-dyld-environment-variables which seems to be required when using SQLite. Simplest option is to add all of them to your entitlements and if that works, remove them one at a time to find out the ones you really need.
Note that if you include third party frameworks like Sparkle, you'll need to re-sign them with --options runtime yourself, but when you submit it to Apple's notarization service you'll be told if you need to do that should it fail.
My situation:
macOS: 10.15.5 (Catalina, latest updates)
XCode: 11.5 (latest)
Visual Studio for Mac: 8.6.2 (build 6) (latest)
Xamarin.Mac: 6.18.2.1 (Visual Studio Community) Branch d16-6 (latest)
... a macOS installed yesterday for test/ensure this issue.
A Xamarin.Mac (Cocoa) project, Release config of course

Project -> Options -> Mac Signing -> Sign the application bundle (checked), with right identity
Project -> Options -> Mac Signing -> Enable Hardened Runtime (checked)
Project -> Options -> Mac Signing -> Custom entitlements: Entitlements.plist
Entitlements.plist ->
1- If I click Build, it throws "code object is not signed at all" every time. Rebuild, or Cleanup before, works without error, every time.
2- If I do a Cleanup and directly a "Run without debugger", it crashes.
3- If I uncheck "Sign the application", do a Cleanup and directly a "Run without debugger", it works perfectly.
4- I honestly never used the built-in Xamarin/VS sign options,
I have an automated .sh build script that performs the compilation (msbuild) and invokes "codesign":
4.1- "codesign -d --deep -v --force --sign "" Eddie.app/Contents/MacOS/Eddie
works perfectly, signed, but notarization says it's not hardened.
4.2- The same command above with an added "--options=runtime" results in a signed app, notarization returns "Accepted", but when I run the application it throws a Segmentation fault.
Any suggestions?
I'm groping in the dark... eventually, is there any paid support (I can give TeamViewer access) for direct help?
EDIT:
It seems this issue doesn't exist if I create a new Cocoa app.
My app was built many years ago (still with Xamarin Studio), and upgraded over years of Xamarin.
I will try to migrate all sources to a clean project, and compare every option to better identify what causes the issue.
I resolved my issue. If it helps someone, codesign (which I call manually in a post-build action, because I need to alter the bundle afterwards) must be called with "--options=runtime" but also with "--entitlements= (that must contain the com.apple.security.cs.allow-jit entry = true>.
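The signing sequence from the answers above (the entitlements answer and the post-build codesign fix), as an added example that is not code from any poster: it writes an entitlements file with only com.apple.security.cs.allow-jit and re-signs the MonoBundle dylibs with your own identity, so that com.apple.security.cs.disable-library-validation is not needed, as the earlier answer describes. The script name, bundle path and signing identity are placeholders, and third-party frameworks outside MonoBundle are not covered.

```shell
#!/bin/sh
# Added example: hardened-runtime signing for a Xamarin.Mac bundle.
# The bundle path and identity are placeholders, not values from the thread.

# Write an entitlements plist containing only the keys passed as arguments.
write_entitlements() {
    out="$1"; shift
    {
        echo '<?xml version="1.0" encoding="UTF-8"?>'
        echo '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
        echo '<plist version="1.0">'
        echo '<dict>'
        for key in "$@"; do
            printf '    <key>%s</key>\n    <true/>\n' "$key"
        done
        echo '</dict>'
        echo '</plist>'
    } > "$out"
}

# Sign nested dylibs first, then the outer bundle, all with the hardened runtime.
sign_app() {
    app="$1"; identity="$2"; ent="$3"
    # Re-sign Xamarin-signed libraries (e.g. libmono-native.dylib) with our identity.
    find "$app/Contents/MonoBundle" -name '*.dylib' -exec \
        codesign --force --timestamp --options runtime --sign "$identity" {} \;
    # The entitlements file goes on the app bundle's own signature.
    codesign --force --timestamp --options runtime \
        --entitlements "$ent" --sign "$identity" "$app"
    # Confirm the signature is valid and show the entitlements actually embedded.
    codesign --verify --deep --strict --verbose=2 "$app"
    codesign -d --entitlements :- "$app"
}

# Usage: ./sign.sh MyApp.app "Developer ID Application: EXAMPLE (TEAMID)"
if [ "$#" -eq 2 ]; then
    ent="$(mktemp)"
    # Start with allow-jit only; add further exceptions only if the app fails.
    write_entitlements "$ent" com.apple.security.cs.allow-jit
    sign_app "$1" "$2" "$ent"
    rm -f "$ent"
fi
```

Each further exception widens what the hardened runtime permits (allow-dyld-environment-variables, for instance, lets DYLD_* variables influence the process), so add them one at a time and keep only those the app fails without.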
I'm trying to build a release build of my App which uses a SQLite DB within latest Xamarin.Forms 4.8.*. I have the entitlements you mention and everything builds fine, but at runtime there's a DLL not found exception when the SQLConnection is created. Other than the entitlements above, are any other incantations required for this to work? Could you possibly post your entitlements or the relevant bits perhaps?
@CartBlanche I don't use Xamarin.Forms in my app but looking at my project I can't see anything interesting other than what I've mentioned before. I'm referencing the 2.0.5 version of Mono.Data.Sqlite if that's any help. Are you getting the DLL not found exception before or after notarising the app? Also have you figured out what DLL it can't find?