macdeployqt: Add option for enabling hardened runtime

Hardened runtime will be required when code signing for
app notarization, at some point in the future.

[ChangeLog][macdeployqt] Added "-hardened-runtime" option to support app notarization.

Change-Id: I4a3686ae01366c1e78372bb3b5e725db8e8061fd
Reviewed-by: Morten Johan Sørvig <morten.sorvig@qt.io>

2 files changed, 16 insertions, 3 deletions

diff --git a/src/macdeployqt/macdeployqt/main.cpp b/src/macdeployqt/macdeployqt/main.cpp
index 0599b739e..3c13a6693 100644
--- a/src/macdeployqt/macdeployqt/main.cpp
+++ b/src/macdeployqt/macdeployqt/main.cpp
@@ -52,6 +52,7 @@ int main(int argc, char **argv)
         qDebug() << "   -qmlimport=<path>  : Add the given path to the QML module search locations";
         qDebug() << "   -always-overwrite  : Copy files even if the target file exists";
         qDebug() << "   -codesign=<ident>  : Run codesign with the given identity on all executables";
+        qDebug() << "   -hardened-runtime  : Enable Hardened Runtime when code signing";
         qDebug() << "   -appstore-compliant: Skip deployment of components that use private API";
         qDebug() << "   -libpath=<path>    : Add the given path to the library search path";
         qDebug() << "   -fs=<filesystem>   : Set the filesystem used for the .dmg disk image (defaults to HFS+)";
@@ -96,6 +97,7 @@ int main(int argc, char **argv)
     QStringList qmlImportPaths;
     extern bool runCodesign;
     extern QString codesignIdentiy;
+    extern bool hardenedRuntime;
     extern bool appstoreCompliant;
     extern bool deployFramework;
 
@@ -164,6 +166,9 @@ int main(int argc, char **argv)
                 runCodesign = true;
                 codesignIdentiy = argument.mid(index+1);
             }
+        } else if (argument.startsWith(QByteArray("-hardened-runtime"))) {
+            LogDebug() << "Argument found:" << argument;
+            hardenedRuntime = true;
         } else if (argument == QByteArray("-appstore-compliant")) {
             LogDebug() << "Argument found:" << argument;
             appstoreCompliant = true;
diff --git a/src/macdeployqt/shared/shared.cpp b/src/macdeployqt/shared/shared.cpp
index 69d0ce8ca..dd7b8359d 100644
--- a/src/macdeployqt/shared/shared.cpp
+++ b/src/macdeployqt/shared/shared.cpp
@@ -53,6 +53,7 @@ bool alwaysOwerwriteEnabled = false;
 bool runCodesign = false;
 QStringList librarySearchPath;
 QString codesignIdentiy;
+bool hardenedRuntime = false;
 bool appstoreCompliant = false;
 int logLevel = 1;
 bool deployFramework = false;
@@ -1371,11 +1372,18 @@ void codesignFile(const QString &identity, const QString &filePath)
     if (!runCodesign)
         return;
 
-    LogNormal() << "codesign" << filePath;
+    QString codeSignLogMessage = "codesign";
+    if (hardenedRuntime)
+        codeSignLogMessage += ", enable hardned runtime";
+    LogNormal() << codeSignLogMessage << filePath;
+
+    QStringList codeSignOptions = { "--preserve-metadata=identifier,entitlements", "--force", "-s",
+                                    identity, filePath };
+    if (hardenedRuntime)
+        codeSignOptions << "-o" << "runtime";
 
     QProcess codesign;
-    codesign.start("codesign", QStringList() << "--preserve-metadata=identifier,entitlements"
-                                             << "--force" << "-s" << identity << filePath);
+    codesign.start("codesign", codeSignOptions);
     codesign.waitForFinished(-1);
 
     QByteArray err = codesign.readAllStandardError();