author: Mark Friedenbach <mark@friedenbach.org> 2023-12-20 16:24:37 -0800
committer: Mark Friedenbach <mark@friedenbach.org> 2023-12-20 16:24:37 -0800
commit: 4fdd836db92e789c98b9e68398ca931a968cc9c3
tree: 6e56bcc83ff9f41ecc618764c82ba7772b45a966
parent: 3a0f54dd2402d74a5ac4304b3ad09014cfb25edf
Use hardened runtime on macOS release builds.
The Apple notary service requires submitted app bundles to be configured to use the hardened runtime libraries. This is configured at signing time, and supported by the signapple tool Bitcoin Core uses for reproducible signed binaries. We simply need to pass "--hardened-runtime" when the signature is created. Once attached to the bundle, the resulting codesigned binary can be successfully submitted to the Apple binary notarization service by any Apple Developer.
-rwxr-xr-x contrib/macdeploy/detached-sig-create.sh | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/contrib/macdeploy/detached-sig-create.sh b/contrib/macdeploy/detached-sig-create.sh
index 626381cf43..097a7c35ee 100755
--- a/contrib/macdeploy/detached-sig-create.sh
+++ b/contrib/macdeploy/detached-sig-create.sh
@@ -24,7 +24,7 @@ fi
rm -rf ${TEMPDIR}
mkdir -p ${TEMPDIR}
-${SIGNAPPLE} sign -f --detach "${TEMPDIR}/${OUTROOT}" "$@" "${BUNDLE}"
+${SIGNAPPLE} sign -f --detach "${TEMPDIR}/${OUTROOT}" "$@" "${BUNDLE}" --hardened-runtime
tar -C "${TEMPDIR}" -czf "${OUT}" .
rm -rf "${TEMPDIR}"
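Review bot: `--hardened-runtime` is appended after the `"${BUNDLE}"` positional on the `+` line, while the existing options `-f --detach` and the caller's `"$@"` all precede the bundle path. Moving it next to `-f --detach` would keep every option ahead of the positional and would not depend on the tool accepting options after it. The flag is also hardcoded while `"$@"` is still forwarded, so a caller who already passes it would supply it twice. A one-line comment above the `sign` invocation saying the flag is required for notarization would record why it is unconditional, since the script is the only file changed and nothing else documents it.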