Re: [gtk-osx-users] macOS 10.15.x and notarizing

From: John Ralls <jralls ceridwen us>
To: Gabriele Greco <gabrielegreco gmail com>
Cc: gtk-osx-users-list gnome org
Subject: Re: [gtk-osx-users] macOS 10.15.x and notarizing
Date: Tue, 8 Oct 2019 14:08:19 -0700

On Oct 8, 2019, at 8:56 AM, Gabriele Greco via gtk-osx-users-list <gtk-osx-users-list gnome org> wrote:

Hi guys,

yesterday apple released macOS 10.15 and one of the new "features" is that all the developer signed apps
should be notarized (sent to apple for an automatic review), I found and used the instructions in this page:

https://wiki.gnome.org/Projects/GTK/OSX/Bundling#Notarizing

... and I've been able to create an application that passes the apple process, what I'm not sure of is if a
C/C++ GTK app requires one or more of the entitlements defined by Apple to run:

https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_automation_apple-events?language=objc

... my tests show me that should be not the case, the app seems to work ok, but I'm still on Mojave and
I've not tried it in Catalina yet.

What I fear, and maybe some GTK developer may answer is that a GTK app may "break" this:

Allow DYLD Environment Variables Entitlement
A Boolean value that indicates whether the app may be affected by dynamic linker environment variables,
which you can use to inject code into your app’s process.
Key: com.apple.security.cs.allow-dyld-environment-variables

or this

Disable Library Validation Entitlement
A Boolean value that indicates whether the app may load arbitrary plug-ins or frameworks, without requiring
code signing.
Key: com.apple.security.cs.disable-library-validation

... I've signed every .dylib and .so, and engine/pixbuf loading seems to work... but again I'm still on
Mojave...



You only need the DYLD environment variables entitlement if there's some reason that 
@executable_path/../Resources/lib/libfoo.dylib won't work, and even then there's probably a better way to do 
it.

The library validation entitlement would be needed if you have a third-party plugin facility and it's 
possible to have non-signed plugins. I don't have any experience with that so you'd have to experiment.

The notarization process is supposed to mean that if it notarizes then Catalina's gatekeeper will happily 
allow it. There's no guarantee that you don't have a crasher bug, of course, but if it runs on Mojave it will 
probably be OK on Catalina.

Regards,
John Ralls

Follow-Ups:
- Re: [gtk-osx-users] macOS 10.15.x and notarizing
  - From: Gabriele Greco

References:
- [gtk-osx-users] macOS 10.15.x and notarizing
  - From: Gabriele Greco

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]