Explanation VI – Hardened Runtime

Apple’s Explanation VI
On January 28, 2020, Apple wrote to us:

However, unsigned executables are not permitted to launch under a hardened runtime environment and, therefore, the App Review team provided guidance that the packaging of the BlueMail app may need to be changed in order for it to become compatible with Catalina.

Response VI

Apple now claims that “unsigned executables are not permitted to launch under a hardened runtime environment,” and that BlueMail needs “to become compatible with Catalina.” Again, Apple’s rejection of BlueMail pre-dates Catalina and was not tied to Catalina. This is another shifting explanation. And again, it is not true. Apps distributed through the App Store are not required to have “Hardened Runtime capability” enabled.

More details:
There are two ways to distribute macOS apps: 

Distribution through the App Store: 
BlueMail for Mac was on the App Store until June 7, 2019. Notarization is not required if distributed through the App Store.

“Beginning in macOS 10.15, all software built after June 1, 2019, and distributed with Developer ID must be notarized. However, you aren’t required to notarize software that you distribute through the Mac App Store because the App Store submission process already includes equivalent security checks.”

Source: Apple Developer’s documentation

Hardened Runtime environment is not required for Mac App Store distribution. Instead, App Sandbox Capability is required, which BlueMail fully supports.

“To distribute a macOS app through the Mac App Store, you must enable the App Sandbox capability.”

Source: Apple Developer’s documentation

Distribution Outside of the App Store: 
To distribute outside of the App Store, Notarization is required in order to skip the Gatekeeper warnings:

“Notarization is all about identifying and blocking malicious Mac software prior to distribution, without requiring App Review or the Mac App Store.”

Source: “All About Notarization”, Apple Developer’s video at WWDC19

However, we have asked to get back to the App Store, therefore it’s irrelevant for us. If we wanted to Notarize our app (and we do not), Hardened Runtime environment is required. Apple is asking us to enable Hardened Runtime environment for Mac App Store distribution. It’s yet another excuse for not restoring BlueMail to the Mac App Store.
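As an added illustration (not part of the original post), the script below shows how the two requirements described above can be verified on a built app: the Mac App Store path needs the App Sandbox entitlement, while the Developer ID notarization path needs the Hardened Runtime flag in the code signature, which `codesign` prints as `flags=...(runtime)`. The function names, the constructed sample output and the `--xml` option on the entitlements call are assumptions, not anything from BlueMail or Apple.

```python
import plistlib
import re
import subprocess

# Entitlement the Mac App Store requires (App Sandbox).
SANDBOX_KEY = "com.apple.security.app-sandbox"
# CodeDirectory flag bit that codesign prints as "(runtime)": Hardened Runtime.
CS_RUNTIME = 0x10000

# Constructed sample, shaped like `codesign -dvv` output (which goes to stderr).
SAMPLE_DVV = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Signature size=8980
"""
# Constructed sample, shaped like an entitlements plist from `codesign -d --entitlements`.
SAMPLE_ENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
</dict></plist>
"""

def parse_cd_flags(codesign_dvv: str) -> int:
    """Extract the CodeDirectory flags word; 0 if there is no signature to read."""
    m = re.search(r"^CodeDirectory .*flags=(0x[0-9a-fA-F]+)", codesign_dvv, re.M)
    return int(m.group(1), 16) if m else 0

def classify(codesign_dvv: str, entitlements_plist: bytes) -> dict:
    """Map the signature facts onto the two distribution paths."""
    hardened = bool(parse_cd_flags(codesign_dvv) & CS_RUNTIME)
    ents = plistlib.loads(entitlements_plist) if entitlements_plist.strip() else {}
    sandboxed = bool(ents.get(SANDBOX_KEY, False))
    return {
        "hardened_runtime": hardened,
        "app_sandbox": sandboxed,
        "app_store_ok": sandboxed,      # sandbox required; hardened runtime is not
        "notarization_ok": hardened,    # hardened runtime required for Developer ID notarization
    }

def inspect_bundle(path: str) -> dict:
    """Run codesign against a real bundle (macOS only; `--xml` assumed to be supported)."""
    dvv = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True).stderr
    ents = subprocess.run(["codesign", "-d", "--entitlements", ":-", "--xml", path],
                          capture_output=True).stdout
    return classify(dvv, ents)

if __name__ == "__main__":
    print(classify(SAMPLE_DVV, SAMPLE_ENTS))
```

A sandboxed app whose signature lacks the runtime flag comes back `app_store_ok` but not `notarization_ok`, which is exactly the distinction between the two paths.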

And last but not least: even if we wanted to distribute outside of the Mac App Store, Apple does not tell the whole truth:

“we’ve adjusted the notarization prerequisites until January 2020:
You can now notarize Mac software that:
– Doesn’t have the Hardened Runtime capability enabled
– Has components not signed with your Developer ID.”

Source: Apple Developer’s News

And so, if we had to enable Hardened Runtime capability (and we do not!), Apple is asking us to do it 8 months after being expelled from the Mac App Store and merely 3 days before the deadline of end of January 2020.