Hardened runtime is a set of macOS runtime protections you opt a binary into by signing it with codesign --options runtime. It is required for Apple's notary service to accept a Mac app, and it changes what the binary is allowed to do at runtime in ways that occasionally break legitimate apps if you do not opt back into the relevant entitlements.
What it blocks
- Execution of unsigned memory pages (no JIT unless you add
com.apple.security.cs.allow-jit). - Loading of frameworks not signed by the same Team ID, unless you add
com.apple.security.cs.disable-library-validation. - Debugger attachment without
com.apple.security.get-task-allow(which is incompatible with notarization, so dev-only). - Dyld environment variables (
DYLD_INSERT_LIBRARIESand friends) being honored. - Inheritance of file-descriptor and address-space privileges from launchd-only contexts.
When you have to add an entitlement
- com.apple.security.cs.allow-jit
- JavaScript engines, emulators, anything that compiles code at runtime.
- com.apple.security.cs.disable-library-validation
- Apps that load third-party plug-ins (DAWs, IDEs, Photoshop-style plug-in hosts).
- com.apple.security.cs.allow-unsigned-executable-memory
- A broader version of allow-jit. Use only if you really need it.
- com.apple.security.cs.allow-dyld-environment-variables
- Apps that test themselves under instrumentation tools at runtime.