macdeployqt: Add option for enabling hardened runtime

Hardened runtime will be required when code signing for
app notarization, at some point in the future.

[ChangeLog][macdeployqt] Added "-hardened-runtime" option to support app notarization.

Change-Id: I4a3686ae01366c1e78372bb3b5e725db8e8061fd
Reviewed-by: Morten Johan Sørvig <morten.sorvig@qt.io>

1 files changed, 11 insertions, 3 deletions

diff --git a/src/macdeployqt/shared/shared.cpp b/src/macdeployqt/shared/shared.cpp
index 69d0ce8ca..dd7b8359d 100644
--- a/src/macdeployqt/shared/shared.cpp
+++ b/src/macdeployqt/shared/shared.cpp
@@ -53,6 +53,7 @@ bool alwaysOwerwriteEnabled = false;
 bool runCodesign = false;
 QStringList librarySearchPath;
 QString codesignIdentiy;
+bool hardenedRuntime = false;
 bool appstoreCompliant = false;
 int logLevel = 1;
 bool deployFramework = false;
@@ -1371,11 +1372,18 @@ void codesignFile(const QString &identity, const QString &filePath)
     if (!runCodesign)
         return;
 
-    LogNormal() << "codesign" << filePath;
+    QString codeSignLogMessage = "codesign";
+    if (hardenedRuntime)
+        codeSignLogMessage += ", enable hardned runtime";
+    LogNormal() << codeSignLogMessage << filePath;
+
+    QStringList codeSignOptions = { "--preserve-metadata=identifier,entitlements", "--force", "-s",
+                                    identity, filePath };
+    if (hardenedRuntime)
+        codeSignOptions << "-o" << "runtime";
 
     QProcess codesign;
-    codesign.start("codesign", QStringList() << "--preserve-metadata=identifier,entitlements"
-                                             << "--force" << "-s" << identity << filePath);
+    codesign.start("codesign", codeSignOptions);
     codesign.waitForFinished(-1);
 
     QByteArray err = codesign.readAllStandardError();