Using Squish to automate macOS applications built with the 'Hardened Runtime'

Last edited on

What is a Hardened Runtime AUT?

macOS 10.14 and Xcode 10 introduce a new feature called ‘Hardened Runtime’. It is intended to enhance the security of applications by disabling/disallowing various kinds of loading third-party executable code into the AUT - such as Squish libraries.

It effectively disables various features commonly exploited in security breaches.

The exact set of features (Apple calls them ‘entitlements’) is configured when compiling the application. See the Apple page on Hardened Runtime Entitlements on how to do this.

Which entitlements Squish needs

To make Squish work, two entitlements need to be checked:

This affects both Squish for Qt and Squish for Mac since they’re using the same mechanism for non-intrusive hooking. With Squish for Qt, an alternative may be using the built-in hook and code-signing all Squish libraries that are being loaded into the AUT with your own certificate.

How to tell if an AUT is hardened?

First, Squish will be unable to attach to your AUT. If you are unable to ask the developer, it is possible to check using command line tools provided by Xcode. First, make sure Xcode is installed with the command line tools, and issue the following command,using the path to your own AUT instead of

codesign -d -vv /Applications/

This command produces an output that looks something like this:

Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=1475 flags=0x0(none) hashes=39+5 location=embedded
Platform identifier=7
Signature size=4485
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=33
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=479
Internal requirements count=1 size=68

In the output look for the line starting with ‘CodeDirectory’. The ‘flags’ entry indicates which flags have been enabled. If the ‘runtime’ flag (0x10000) is present that means the application uses the hardened runtime feature. If it is not set - like in the example output above - the application does not use the hardened runtime.

To find out which entitlements are already enabled in your AUT, you can execute a command like this:

codesign -d --entitlements - /Applications/

This produces output in the form of a plist file that looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "">
<plist version="1.0">

In this output, check if the keys and exist and are set to true. If they’re missing or set to false hooking with Squish will fail.

Code-Signing to add entitlements

With XCode, it is possible to sign an executable manually, with your own developer certificate, to give it new entitlements. The links below explain how: