Hardened runtime and disabled code signing when in Debug

Hello there :)

We have a macOS app that has hardened runtime enabled. Furthermore, we have code signing enabled for Debug builds.

We were discussing: if we disable code signing for our Debug builds (to speed up local building), will this then disable hardened runtime too?

Our concern is of course that if our local testing works fine and then in Release builds - if hardened runtime only kicks in here - the app would get into trouble in production...

Best regards,

Jens Schwarzer

Accepted Reply

We were discussing: if we disable code signing for our Debug builds
(to speed up local building), will this then disable hardened runtime
too?

Yes. The hardened runtime flag is stored in the code signature. You can’t have one without the other.

If code signing performance is an issue, one option is to break your app up into frameworks. Each of these is signed independently, and thus you won’t need to re-sign the entire app for each build.

Don’t go overboard with this. A few frameworks is good, a few hundred frameworks would be catastrophic.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
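
Because the flag lives in the signature, a build script can confirm that the build being tested actually has the hardened runtime on by reading the CodeDirectory flags that `codesign -d` prints. The following is an added example, not part of the reply above or Apple's own tooling; the function names and sample outputs are constructed for illustration, and it assumes the `flags=0x…(name,…)` line format that `codesign -d --verbose=2` emits.

```shell
#!/bin/sh
# Classify `codesign -d --verbose=2` output read from stdin as:
#   runtime     CodeDirectory flags include "runtime" (hardened runtime on)
#   no-runtime  signed, but the flag is absent
#   unsigned    no CodeDirectory at all, so nowhere to store the flag
runtime_state() {
    cd_line=$(grep '^CodeDirectory ' | head -n 1)
    if [ -z "$cd_line" ]; then
        echo unsigned
        return 0
    fi
    # Flag names sit in parentheses after the hex value: flags=0x10000(runtime)
    names=$(printf '%s\n' "$cd_line" |
        sed -n 's/.*flags=0x[0-9a-fA-F]*(\([^)]*\)).*/\1/p')
    case ",$names," in
        *,runtime,*) echo runtime ;;
        *)           echo no-runtime ;;
    esac
}

# Run codesign on a bundle (hypothetical helper); exit status 0 only when
# the hardened runtime flag is present. codesign prints its report to stderr.
check_bundle() {
    state=$(codesign -d --verbose=2 "$1" 2>&1 | runtime_state)
    echo "$1: $state"
    [ "$state" = runtime ]
}

# Constructed sample outputs (not captured from a real build).
SAMPLE_HARDENED='Executable=/tmp/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
CodeDirectory v=20500 size=1836 flags=0x10000(runtime) hashes=46+7 location=embedded'
SAMPLE_ADHOC='Identifier=com.example.Example
CodeDirectory v=20400 size=1712 flags=0x2(adhoc) hashes=46+2 location=embedded'
SAMPLE_ADHOC_RUNTIME='CodeDirectory v=20500 size=1836 flags=0x10002(adhoc,runtime) hashes=46+7 location=embedded'
SAMPLE_UNSIGNED='/tmp/Example.app: code object is not signed at all'

# Usage: sh check_runtime.sh path/to/Your.app
if [ "$#" -gt 0 ]; then
    check_bundle "$1"
fi
```

Running this against both the Debug and Release products in CI makes a configuration where only Release is hardened show up as a failed check rather than a production surprise.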

Replies

Thanks a lot for the swift reply Quinn! Great service! :D