[question] How to build C++ project with Apple Hardened Runtime enabled?

[stephane-archer]

What is your question?

Hi!
I need to build my project with the Apple Hardened Runtime enabled.
How to do that?
My current build steps are currently:

conan install . --build=missing
cmake --preset conan-release
cmake --build --preset conan-release

Have you read the CONTRIBUTING guide?

• I've read the CONTRIBUTING guide

[memsharded]

Hi @stephane-archer

Thanks for your question.

Conan is not really a build system, but a package manager that wraps any build system and calls it.

So the way to change build-system properties, like this one, depends on the build system. Conan has several mechanisms to inject behavior into dependencies build systems, but that is limited to those build systems interfaces capabilities.

• Is there a C++ flag that we can inject, lets say with the Conan tools.build:cxxflags conf to dependencies?
• How would you enable such behavior for example in CMake? Conan allows to inject CMake toolchains into dependencies for example via tools.cmake.cmaketoolchain:user_toolchain conf too.
• What are your dependencies, which build systems do they use? How would that apple hardened runtime be enabled in those build systems?

[stephane-archer]

Hi @memsharded, thank you for your answer.
I'm new to conan, I understand that it's a package manager but from my understanding, it also generates config files for the build system.
Here my build system is cmake:

cmake --preset conan-release
cmake --build --preset conan-release

from my understanding, this should be set to the cmake config generated by conan:

set_property(TARGET target PROPERTY XCODE_ATTRIBUTE_ENABLE_HARDENED_RUNTIME YES)

for more info have a look at:
https://stackoverflow.com/questions/56023947/cmake-xcode-generator-add-capability-hardened-runtime

Do you know how can I set up this property?

[memsharded]

I'm new to conan, I understand that it's a package manager but from my understanding, it also generates config files for the build system.

It generates files for the build system in 2 dimensions:

• "Deps": Information to locate the dependencies, and to be able to consume them (includedirs, libdirs, library names, etc)
• "Toolchain": Minimal information to the current build to align with the dependencies binaries

It doesn't aim to be a build-system abstractor or meta-build system that can command any build system to do anything.

set_property(TARGET target PROPERTY XCODE_ATTRIBUTE_ENABLE_HARDENED_RUNTIME YES)

But if target is a target of your current project, in your CMakeLists.txt there is nothing Conan can do to set such a property. Only you can do it adding it to your CMakeLists.txt. The information that Conan passes to the build is mostly -DCMAKE_TOOLCHAIN_FILE=.../conan_toolchan.cmake, but that is a toolchain file, it is processed way before your targets are defined, so it is impossible for Conan to define such a property for your target.

[stephane-archer]

@memsharded Thank you for your explanation, it's much clearer now that conan does with cmake.

[stephane-archer]

@memsharded

conan install . --build=missing
cmake --preset conan-release
cmake --build --preset conan-release

this works perfectly, but for what I am trying to achieve I think I need to build with Xcode, not Cmake.
but this version doesn't seem to work:

conan install . --build=missing
cmake --preset conan-release  -G Xcode
open build/Release/target.xcodeproj

but when building I got the following error:

#include <Eigen/Dense> file not found

so it looks like the Xcode project doesn't get the conan path info?
Do you have any idea what I'm doing wrong?

[SpaceIm]

conan install . --build=missing
cmake --preset conan-release
cmake --build --preset conan-release

this works perfectly, but for what I am trying to achieve I think I need to build with Xcode, not Cmake.

CMake doesn't build anything, it's a meta build system (like Meson or Autotools). Xcode, Make, Ninja, MSBuild, NMake are build systems. CMake generates build files for a specific build system, by default for Make on macOS (Unix Makefiles generator in CMake terminology: https://cmake.org/cmake/help/latest/manual/cmake-generators.7.html). cmake --build is an abstraction calling appropriate build system depending on build systems files which have been generated in current directory.
If you want to switch to Xcode build system for your own project, you have to tell CMake to generate build files for Xcode during CMake configuration (-G Xcode). It can also be enforced by conan with -c tools.cmake.cmaketoolchain:generator=Xcode during conan install (all dependencies will be built with Xcode, and Xcode generator will be enforced in preset file for your consumer project, so no need to explicitly add -G Xcode during cmake configuration).

[stephane-archer]

@SpaceIm thank you for clarifying, this makes more sense to me now.
For my project this work (using make):

conan install . --build=missing
cmake --preset conan-release
cmake --build --preset conan-release

but when using Xcode

conan install . --build=missing
cmake --preset conan-release -G Xcode
cmake --build --preset conan-release

I get the following error:

include/FileIO/CubeLUT.hpp:3:10: fatal error: 'Eigen/Dense' file not found
#include <Eigen/Dense>

Eigen has been installed with conan at the conan install . --build=missing step.
so it seems like cmake is unable to generate a config with conan include path for Xcode?
Is there anything I do wrong? How can I help Xcode find conan include path?

[stephane-archer]

conan install . --build=missing -c tools.cmake.cmaketoolchain:generator=Xcode
cmake --preset conan-default -G Xcode
cmake --build --preset conan-release

create a successful build! I was able to solve my problem using these build commands!
I'm not sure why the preset changed name during the second step and why this is working over the previous Xcode way of building the program.

[SpaceIm]

FYI, hardening is done by Xcode through codesign utility under the hood. So if for some reason you don't build with Xcode, but let's say Ninja or Make, you can manually sign your application with codesign as a post-process: https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html
But don't expect most build systems or meta build systems to abstract away such thing.

[stephane-archer]

@SpaceIm, is using codesign on the final binary enough to have "Apple Hardened Runtime"?
The name of the feature feels misleading if the process is just signing the binary...

[SpaceIm]

https://stackoverflow.com/questions/52905940/how-to-codesign-and-enable-the-hardened-runtime-for-a-3rd-party-cli-on-xcode

[stephane-archer]

@SpaceIm so if I understand correctly:

conan install . --build=missing
cmake --preset conan-release
cmake --build --preset conan-release
codesign  --options=runtime -s identity ./mybin

would generate a binary with Apple Hardened Runtime enabled
and

conan install . --build=missing -c tools.cmake.cmaketoolchain:generator=Xcode
cmake --preset conan-default -G Xcode
cmake --build --preset conan-release

would do too, the only difference would be that the first one use make and the second one uses Xcode for the build system
Is it correct?