How to codesign and enable the hardened runtime for a 3rd-party CLI on Xcode?

Question

My project needs the Ghostscript to do lots of tasks, so I have added the gs CLI tool into my project resource. However when I tried to notarize the project application, Xcode shows me this:

I assume that might because the ghostscript portable CLI is a 3rd-party program from the internet and which doesn't have a codesign, also it has not been enabled the hardened runtime. On the latest MacOS Mojave I have to notarize applications to avoid the gatekeeper shows warnings during the user opens the DMG file. But it seems the notarizing is hard to pass if the application contains a 3rd-party CLI.

Is there a solution for this?

Answer 1

I found the solution finally. Sign the CLI this way:

codesign --force --options runtime --sign "Developer ID Application: COMPANYNAME" ./CLITool

Then I successfully archived the Application and uploaded to Apple to notarize.

Answer 2

The enable hardened runtime is achieved via --options runtime.

I found this guide to be very helpful with the notarization and code signing process for app distribution outside the mac store.

I had an issue with my app crashing after enabling hardened runtime for it tho. This comment and this other one helped me with my issue at the time.