Codesign and enable Hardened Runtime on local builds
Categories
(Release Engineering :: Release Automation, enhancement)
Tracking
(Not tracked)
People
(Reporter: haik, Unassigned)
References
Details
(Keywords: in-triage)
We plan to enable Hardened Runtime on official Mac builds (bug 1470597) which will turn on some new runtime security protections. Enabling Hardened Runtime requires signing the build with new options and entitlements. In order to make try builds and local developer builds have the same security protections as our official builds, we need to run codesign on those builds and enable Hardened Runtime. Running codesign requires a signing identity and we may be able to create a self-signed cert for this purpose automatically during the build. This bug is filed to cover the work needed to determine how to automate signing builds during local and try builds.
Comment 1 (Reporter)•6 years ago
Hardened Runtime is a 10.14 feature (as in the security protections only work on 10.14+) so until we have 10.14+ running on our try hardware, there isn't much motivation to support this on our Linux build machines. It would be beneficial for developers working on 10.14+ machines though. Perhaps the two should be split into different bugs.
Comment 2•6 years ago
Try should be covered by the work in bug 1471004, but not local builds.
Comment 3 (Reporter)•11 months ago
(In reply to Haik Aftandilian [:haik] from comment #0)
> ... This bug is filed to cover the work needed to determine how to automate signing builds during local and try builds.
The work to sign try builds and production builds has long been completed and with bug 1876902, developers can sign local packaged builds using ./mach macos-sign -a </path/to/Nightly.app> as documented here. Closing as a dupe of 1876902.
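A check for the outcome this bug asks for, as an added example that is not part of the bug thread or of Mozilla's build code: it reads `codesign -d --verbose=4` output and reports whether the CodeDirectory flags include `runtime`. The sample outputs are constructed, and the function names and the entitlements path argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug): detect Hardened Runtime on a signed build.

# Constructed samples of `codesign -d --verbose=4` output (not real builds).
SAMPLE_RUNTIME='Executable=/path/to/Nightly.app/Contents/MacOS/example
Identifier=org.example.app
CodeDirectory v=20500 size=1024 flags=0x10002(adhoc,runtime) hashes=21+7 location=embedded
Signature=adhoc'
SAMPLE_ADHOC='Executable=/path/to/Nightly.app/Contents/MacOS/example
Identifier=org.example.app
CodeDirectory v=20400 size=1024 flags=0x2(adhoc) hashes=21+5 location=embedded
Signature=adhoc'

# Print the flag names from the CodeDirectory line read on stdin,
# e.g. "adhoc,runtime" for flags=0x10002(adhoc,runtime).
codedir_flags() {
    sed -n 's/^CodeDirectory .* flags=0x[0-9a-fA-F]*(\([^)]*\)).*$/\1/p' | head -n 1
}

# Return 0 if the signature described on stdin has the "runtime" flag.
has_hardened_runtime() {
    flags=$(codedir_flags)
    case ",$flags," in
        *,runtime,*) return 0 ;;
        *) return 1 ;;
    esac
}

# macOS only: ad-hoc sign ("-" identity) with Hardened Runtime enabled.
# $1 = code to sign, $2 = entitlements plist (hypothetical path argument).
sign_adhoc_runtime() {
    codesign --force --sign - --options runtime --entitlements "$2" "$1"
}

# macOS only: inspect a real bundle. codesign -d writes its report to stderr.
check_app() {
    codesign -d --verbose=4 "$1" 2>&1 | has_hardened_runtime
}

# Usage: sh check_runtime.sh /path/to/Nightly.app [...]
for app in "$@"; do
    if check_app "$app"; then
        echo "$app: hardened runtime enabled"
    else
        echo "$app: hardened runtime NOT enabled"
    fi
done
```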