Apple - Enabling "Hardened Runtime" from outside of Xcode

This is documented by Apple for using the command line tools xcode-select, xcrun and altool:

  • https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow

sudo xcode-select -s /path/to/Xcode10.app

xcrun altool --notarize-app --primary-bundle-id "com.example.ote.zip" --username "AC_USERNAME" --password "@keychain:AC_PASSWORD" --file OvernightTextEditor_11.6.8.zip

So you should be able to incorporate this into whatever packaging or CI tools you use. We’ll be using this heavily at work as we start to dig into how we’ll need to notarize our various DIY toolsets and scripts.

This doesn’t exactly cover the hardening / entitlements, but I expect you’ll get JSON back from the notarization request that helps you craft the correct plist for your exceptions to the general hardening that is applied when the OS runs a notarized app.


Are you looking for codesign's --options runtime argument? I believe that's all you need to enable the hardened runtime.

Apple has a couple of documents that make it pretty easy to figure out your own notarization flow:

  • https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow
  • https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues
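
As an added example (not part of either answer and not Apple's code): a CI pre-flight check that confirms the hardened runtime flag is actually set after signing with `codesign --options runtime`, before the archive is submitted with altool. It parses the report printed by `codesign -d --verbose=4`; the function names, the signing identity and the sample reports are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate a notarization upload on the hardened runtime flag.
# Sign first (identity is a placeholder):
#   codesign --force --options runtime --sign "Developer ID Application: EXAMPLE" My.app
# Then on macOS (codesign -d writes its report to stderr):
#   codesign -d --verbose=4 My.app 2>&1 | has_hardened_runtime && echo "ok to notarize"

# Print the hex flags value from the CodeDirectory line of the report on stdin.
codesign_flags() {
    sed -n 's/^CodeDirectory .* flags=\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Exit 0 if the CS_RUNTIME bit (0x10000) is set, 1 if it is clear,
# 2 if no CodeDirectory line was found (unsigned or unreadable input).
has_hardened_runtime() {
    flags=$(codesign_flags)
    [ -n "$flags" ] || return 2
    [ $(( $flags & 0x10000 )) -ne 0 ]
}

# Constructed sample reports (not captured from a real app).
SAMPLE_HARDENED='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.ote
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded'

SAMPLE_ADHOC_HARDENED='Identifier=com.example.ote
CodeDirectory v=20500 size=1234 flags=0x10002(adhoc,runtime) hashes=30+5 location=embedded'

SAMPLE_PLAIN='Identifier=com.example.ote
CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+5 location=embedded'

# Run the check over each constructed report.
for name in HARDENED ADHOC_HARDENED PLAIN; do
    eval "report=\$SAMPLE_$name"
    if printf '%s\n' "$report" | has_hardened_runtime; then
        echo "$name: hardened runtime enabled"
    else
        echo "$name: hardened runtime NOT enabled, do not submit"
    fi
done
```

Testing the flag bit rather than matching the word "runtime" keeps the check correct when other flags, such as adhoc, appear alongside it.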