> On Oct 8, 2019, at 8:56 AM, Gabriele Greco via gtk-osx-users-list 
> <gtk-osx-users-list@gnome.org> wrote:
> 
> Hi guys,
> 
> Yesterday Apple released macOS 10.15 and one of the new "features" is that 
> all the developer-signed apps should be notarized (sent to Apple for an 
> automatic review). I found and used the instructions in this page:
> 
> https://wiki.gnome.org/Projects/GTK/OSX/Bundling#Notarizing
> 
> ... and I've been able to create an application that passes the Apple 
> process. What I'm not sure of is if a C/C++ GTK app requires one or more of 
> the entitlements defined by Apple to run:
> 
> https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_automation_apple-events?language=objc
> 
> ... my tests show me that should not be the case; the app seems to work OK, 
> but I'm still on Mojave and I've not tried it in Catalina yet.
> 
> What I fear, and maybe some GTK developer may answer, is that a GTK app may 
> "break" this:
> 
> Allow DYLD Environment Variables Entitlement
> A Boolean value that indicates whether the app may be affected by dynamic 
> linker environment variables, which you can use to inject code into your 
> app’s process.
> Key: com.apple.security.cs.allow-dyld-environment-variables
> 
> or this
> 
> Disable Library Validation Entitlement
> A Boolean value that indicates whether the app may load arbitrary plug-ins or 
> frameworks, without requiring code signing.
> Key: com.apple.security.cs.disable-library-validation
> 
> ... I've signed every .dylib and .so, and engine/pixbuf loading seems to 
> work... but again I'm still on Mojave... 


You only need the DYLD environment variables entitlement if there's some reason 
that @executable_path/../Resources/lib/libfoo.dylib won't work, and even then 
there's probably a better way to do it.

The library validation entitlement would be needed if you have a third-party 
plugin facility and it's possible to have non-signed plugins. I don't have any 
experience with that so you'd have to experiment.

The notarization process is supposed to mean that if it notarizes then 
Catalina's Gatekeeper will happily allow it. There's no guarantee that you 
don't have a crasher bug, of course, but if it runs on Mojave it will probably 
be OK on Catalina.

Regards,
John Ralls
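
An added example, not part of the thread or of the gtk-osx project: a Python check that reports which of the two hardened-runtime exceptions discussed above are enabled in an entitlements plist, and which `otool -L` dependencies are not bundle-relative (the case where the DYLD entitlement would come up). The plist, the `otool -L` text, `MyApp` and the `/Users/build/...` path are constructed samples.

```python
import plistlib

# The two hardened-runtime exceptions raised in the thread.
EXCEPTIONS = (
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
)
# Install-name prefixes that resolve inside the bundle or inside macOS itself.
RELOCATABLE = ("@executable_path/", "@loader_path/", "@rpath/")
SYSTEM = ("/usr/lib/", "/System/Library/")

def enabled_exceptions(entitlements_xml):
    """Return the exceptions set to true in an entitlements plist (bytes)."""
    ents = plistlib.loads(entitlements_xml)
    return [key for key in EXCEPTIONS if ents.get(key) is True]

def outside_bundle(otool_output):
    """Return dependencies from `otool -L` text that point outside bundle and OS."""
    found = []
    for line in otool_output.splitlines()[1:]:  # line 0 names the inspected file
        name = line.strip().split(" (compatibility version")[0]
        if name and not name.startswith(RELOCATABLE + SYSTEM):
            found.append(name)
    return found

# Constructed sample: entitlements as printed by `codesign -d --entitlements :-`.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><false/>
</dict></plist>"""

# Constructed sample: `otool -L` output for a hypothetical MyApp binary.
SAMPLE_OTOOL = """MyApp.app/Contents/MacOS/MyApp:
\t@executable_path/../Resources/lib/libgtk-3.0.dylib (compatibility version 2401.0.0, current version 2401.11.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.250.1)
\t/Users/build/gtk/inst/lib/libfoo.dylib (compatibility version 0.0.0, current version 0.0.0)
"""

if __name__ == "__main__":
    for key in enabled_exceptions(SAMPLE_ENTITLEMENTS):
        print("exception enabled:", key)
    for dep in outside_bundle(SAMPLE_OTOOL):
        print("not bundle-relative:", dep)
```

A dependency reported as not bundle-relative still carries a build-machine path and will not resolve on a user's machine unless its install name is rewritten.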

