Hardened runtime is a set of macOS runtime protections you opt a binary into by signing it with `codesign --options runtime`. It is required for Apple's notary service to accept a Mac app, and it changes what the binary is allowed to do at runtime in ways that occasionally break legitimate apps if you do not opt back into the relevant entitlements.
What it blocks
- Execution of unsigned memory pages (no JIT unless you add `com.apple.security.cs.allow-jit`).
- Loading of frameworks not signed by the same Team ID, unless you add `com.apple.security.cs.disable-library-validation`.
- Debugger attachment without `com.apple.security.get-task-allow` (which is incompatible with notarization, so dev-only).
- Dyld environment variables (`DYLD_INSERT_LIBRARIES` and friends) being honored.
- Inheritance of file-descriptor and address-space privileges from launchd-only contexts.
When you have to add an entitlement
- `com.apple.security.cs.allow-jit`
  - JavaScript engines, emulators, anything that compiles code at runtime.
- `com.apple.security.cs.disable-library-validation`
  - Apps that load third-party plug-ins (DAWs, IDEs, Photoshop-style plug-in hosts).
- `com.apple.security.cs.allow-unsigned-executable-memory`
  - A broader version of allow-jit. Use only if allow-jit alone really does not cover your case.
- `com.apple.security.cs.allow-dyld-environment-variables`
  - Apps that need `DYLD_*` variables honored, for example to run themselves under instrumentation tools at runtime.
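A release-time check for the entitlements above, added here as an example and not part of the original note: it reads the `.entitlements` plist you would pass to `codesign --entitlements`, lists which hardened-runtime exceptions are switched on, and flags the combinations the note warns about (`get-task-allow` in a build meant for notarization, `allow-unsigned-executable-memory` next to `allow-jit`). The sample plist is constructed for the example; the entitlement keys are the real ones.

```python
import plistlib

# Hardened-runtime exception entitlements discussed above (the key names are Apple's).
RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit": "executable memory via JIT",
    "com.apple.security.cs.allow-unsigned-executable-memory": "any unsigned executable memory (broader than allow-jit)",
    "com.apple.security.cs.disable-library-validation": "load code not signed by the same Team ID",
    "com.apple.security.cs.allow-dyld-environment-variables": "honor DYLD_* variables",
    "com.apple.security.get-task-allow": "debugger attachment (dev-only, not notarizable)",
}

def audit_entitlements(plist_bytes: bytes) -> dict:
    """Return the enabled runtime exceptions and review findings for an entitlements plist."""
    ents = plistlib.loads(plist_bytes)
    enabled = sorted(k for k, v in ents.items() if k in RUNTIME_EXCEPTIONS and v is True)
    findings = []
    if "com.apple.security.get-task-allow" in enabled:
        findings.append("get-task-allow: notarization will reject this build; remove it from release signing")
    if {"com.apple.security.cs.allow-jit",
        "com.apple.security.cs.allow-unsigned-executable-memory"} <= set(enabled):
        findings.append("allow-unsigned-executable-memory is redundant next to allow-jit; keep only allow-jit")
    if "com.apple.security.cs.disable-library-validation" in enabled:
        findings.append("library validation off: code from any signer can load into this process; confirm the app hosts third-party plug-ins")
    if "com.apple.security.cs.allow-dyld-environment-variables" in enabled:
        findings.append("DYLD_* honored: expected only for builds that run under instrumentation tools")
    return {"enabled": enabled, "findings": findings}

# Constructed sample: a debug-style entitlements file accidentally reused for a release build.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key><true/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><false/>
    <key>com.apple.security.get-task-allow</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    report = audit_entitlements(SAMPLE_ENTITLEMENTS)
    for key in report["enabled"]:
        print(f"enabled: {key} ({RUNTIME_EXCEPTIONS[key]})")
    for finding in report["findings"]:
        print(f"finding: {finding}")
```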