
feat(cli): add macos hardened runtime signing config option (#9318) (#10199)

* feat(cli): add macos signing config option

* rename option to hardened_runtime

* chore(cli): use default true in hardened runtime config

---------

Co-authored-by: Lucas Nogueira <lucas@tauri.app>
Fabian-Lars 1 jaar geleden
bovenliggende
commit
0aa0378c8d

+ 8 - 0
.changes/hardened-runtime-option.md

@@ -0,0 +1,8 @@
+---
+"tauri-bundler": patch:feat
+"@tauri-apps/cli": patch:feat
+"tauri-cli": patch:feat
+"tauri-utils": patch:feat
+---
+
+Added a configuration option to disable hardened runtime on macOS codesign.

+ 8 - 0
core/tauri-config-schema/schema.json

@@ -156,6 +156,7 @@
           "icon": [],
           "identifier": "",
           "macOS": {
+            "hardenedRuntime": true,
             "minimumSystemVersion": "10.13"
           },
           "rpm": {
@@ -316,6 +317,7 @@
             "icon": [],
             "identifier": "",
             "macOS": {
+              "hardenedRuntime": true,
               "minimumSystemVersion": "10.13"
             },
             "rpm": {
@@ -1219,6 +1221,7 @@
         "macOS": {
           "description": "Configuration for the macOS bundles.",
           "default": {
+            "hardenedRuntime": true,
             "minimumSystemVersion": "10.13"
           },
           "allOf": [
@@ -1695,6 +1698,11 @@
             "null"
           ]
         },
+        "hardenedRuntime": {
+          "description": "Whether the codesign should enable [hardened runtime] (for executables) or not.\n\n[hardened runtime]: <https://developer.apple.com/documentation/security/hardened_runtime>",
+          "default": true,
+          "type": "boolean"
+        },
         "providerShortName": {
           "description": "Provider short name for notarization.",
           "type": [

+ 6 - 0
core/tauri-utils/src/config.rs

@@ -467,6 +467,11 @@ pub struct MacConfig {
   /// Identity to use for code signing.
   #[serde(alias = "signing-identity")]
   pub signing_identity: Option<String>,
+  /// Whether the codesign should enable [hardened runtime] (for executables) or not.
+  ///
+  /// [hardened runtime]: <https://developer.apple.com/documentation/security/hardened_runtime>
+  #[serde(alias = "hardened-runtime", default = "default_true")]
+  pub hardened_runtime: bool,
   /// Provider short name for notarization.
   #[serde(alias = "provider-short-name")]
   pub provider_short_name: Option<String>,
@@ -482,6 +487,7 @@ impl Default for MacConfig {
       exception_domain: None,
       license: None,
       signing_identity: None,
+      hardened_runtime: true,
       provider_short_name: None,
       entitlements: None,
     }
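Review bot: The new `hardened_runtime` doc on `MacConfig` says what the flag toggles but not what turning it off costs: Apple's notarization service requires the hardened runtime, so a bundle signed with `hardened_runtime: false` will be rejected at notarization and the option only fits the ad-hoc/development signing case that the `settings.rs` hunk mentions. I'd extend the doc comment with `/// Disabling this is only useful for ad-hoc signing; notarization requires the hardened runtime, so keep it enabled for distributed builds.` so users don't learn this from a failed notarization. The same sentence should end up in the generated `hardenedRuntime` description in both `schema.json` files once the docs are regenerated. The `default_true` helper referenced by the serde attribute is presumably defined elsewhere in this file, outside the hunk.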

+ 3 - 1
tooling/bundler/src/bundle/macos/sign.rs

@@ -206,7 +206,9 @@ fn try_sign(
     args.push(entitlements_path);
   }
 
-  if is_an_executable {
+  // add runtime flag by default
+
+  if is_an_executable && settings.macos().hardened_runtime {
     args.push("--options");
     args.push("runtime");
   }
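Review bot: The added comment `// add runtime flag by default` no longer describes the condition below it: the flag is now pushed only when `settings.macos().hardened_runtime` is set, and the blank line between the comment and the `if` detaches it from the code it explains. I'd replace both lines with `// Enable the hardened runtime unless the macOS config disabled it (e.g. for ad-hoc signing); notarization expects it to be on.` placed directly above the `if`. `try_sign` begins before this hunk.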

+ 4 - 0
tooling/bundler/src/bundle/settings.rs

@@ -296,6 +296,10 @@ pub struct MacOsSettings {
   pub exception_domain: Option<String>,
   /// Code signing identity.
   pub signing_identity: Option<String>,
+  /// Preserve the hardened runtime version flag, see <https://developer.apple.com/documentation/security/hardened_runtime>
+  ///
+  /// Settings this to `false` is useful when using an ad-hoc signature, making it less strict.
+  pub hardened_runtime: bool,
   /// Provider short name for notarization.
   pub provider_short_name: Option<String>,
   /// Path to the entitlements.plist file.
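Review bot: The doc comment on `hardened_runtime` reads `Preserve the hardened runtime version flag`, which does not match what the field does (it decides whether `--options runtime` is passed to codesign in `sign.rs`), and the second paragraph has a typo, `Settings this` for `Setting this`. I'd rewrite the two doc lines as `/// Whether to sign executables with the hardened runtime (codesign --options runtime), see <https://developer.apple.com/documentation/security/hardened_runtime>` and `/// Setting this to false is useful with an ad-hoc signature, but notarization requires the hardened runtime.` The `MacOsSettings` struct continues outside the hunk.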

+ 8 - 0
tooling/cli/schema.json

@@ -156,6 +156,7 @@
           "icon": [],
           "identifier": "",
           "macOS": {
+            "hardenedRuntime": true,
             "minimumSystemVersion": "10.13"
           },
           "rpm": {
@@ -316,6 +317,7 @@
             "icon": [],
             "identifier": "",
             "macOS": {
+              "hardenedRuntime": true,
               "minimumSystemVersion": "10.13"
             },
             "rpm": {
@@ -1219,6 +1221,7 @@
         "macOS": {
           "description": "Configuration for the macOS bundles.",
           "default": {
+            "hardenedRuntime": true,
             "minimumSystemVersion": "10.13"
           },
           "allOf": [
@@ -1695,6 +1698,11 @@
             "null"
           ]
         },
+        "hardenedRuntime": {
+          "description": "Whether the codesign should enable [hardened runtime] (for executables) or not.\n\n[hardened runtime]: <https://developer.apple.com/documentation/security/hardened_runtime>",
+          "default": true,
+          "type": "boolean"
+        },
         "providerShortName": {
           "description": "Provider short name for notarization.",
           "type": [

+ 1 - 0
tooling/cli/src/interface/rust.rs

@@ -1210,6 +1210,7 @@ fn tauri_config_to_bundle_settings(
       license: config.macos.license,
       exception_domain: config.macos.exception_domain,
       signing_identity,
+      hardened_runtime: config.macos.hardened_runtime,
       provider_short_name,
       entitlements: config.macos.entitlements,
       info_plist_path: {