From 6828cd0a83d5e8d0ca1f597a7c5aaf1a6eb12b07 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 22 Oct 2025 18:19:54 +0000 Subject: [PATCH 01/12] Initial plan From 7676183b0014b663d66177dd121b8537697edacc Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 22 Oct 2025 18:25:11 +0000 Subject: [PATCH 02/12] Add Mac OS publishing documentation Co-authored-by: agocke <515774+agocke@users.noreply.github.com> --- docs/core/deploying/macos.md | 44 ++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 docs/core/deploying/macos.md diff --git a/docs/core/deploying/macos.md b/docs/core/deploying/macos.md new file mode 100644 index 0000000000000..bb942185d41c9 --- /dev/null +++ b/docs/core/deploying/macos.md 
@@ -0,0 +1,44 @@ +--- +title: Publish .NET apps for Mac OS +description: Learn how to publish .NET applications for Mac OS, including signing, notarization, and app entitlements. +author: agocke +ms.author: angocke +ms.date: 10/22/2025 +ms.topic: how-to +ai-usage: ai-assisted +--- + +# Publish .NET apps for Mac OS + +Publishing .NET applications for Mac OS requires several additional steps compared to other platforms, due to Apple's security requirements. + +## Prerequisites + +Before you publish your .NET application for Mac OS, ensure you have the following: + +- **Apple Developer Account**: Needed for code signing and notarization. +- **Xcode Command Line Tools**: Provides `codesign`, `altool`, and other utilities. +- **.NET SDK**: Ensure you have the latest .NET SDK installed. + +## Publish your app + +Use one of the methods described in the [.NET application publishing overview](index.md) to produce an application. You can create either a framework-dependent or self-contained application. + +## Apphost and entry point + +.NET creates a native *apphost* executable as the entry point for your app. This apphost must be signed and, if your app uses special capabilities, it must be assigned the appropriate **entitlements**. + +### Entitlements for CoreCLR apps + +For CoreCLR apps, the `com.apple.security.cs.allow-jit` entitlement is required. + +### Entitlements for Native AOT apps + +For Native AOT apps, no entitlements are required. + +## Sign and notarize + +Use Apple's developer documentation to sign and notarize the binary. + +> [!WARNING] +> Failing to sign and notarize your app might result in users seeing security warnings or being unable to launch your application. From 18f8a4177afa8fc32fd8d98a27d5734d32f377a8 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 22 Oct 2025 18:34:57 +0000 Subject: [PATCH 03/12] Update warning message about unsigned apps Co-authored-by: agocke <515774+agocke@users.noreply.github.com> --- docs/core/deploying/macos.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/deploying/macos.md b/docs/core/deploying/macos.md index bb942185d41c9..2a782137ceb5e 100644 --- a/docs/core/deploying/macos.md +++ b/docs/core/deploying/macos.md @@ -41,4 +41,4 @@ For Native AOT apps, no entitlements are required. Use Apple's developer documentation to sign and notarize the binary. > [!WARNING] -> Failing to sign and notarize your app might result in users seeing security warnings or being unable to launch your application. +> Failing to sign and notarize your app might result in the application crashing while executing a restricted operation. From 115eefce4bf5338e3824547e8123b68745c45047 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 22 Oct 2025 20:53:07 +0000 Subject: [PATCH 04/12] Fix macOS branding and add debugging entitlements Co-authored-by: agocke <515774+agocke@users.noreply.github.com> --- docs/core/deploying/macos.md | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/docs/core/deploying/macos.md b/docs/core/deploying/macos.md index 2a782137ceb5e..2a52c5825eb84 100644 --- a/docs/core/deploying/macos.md +++ b/docs/core/deploying/macos.md @@ -1,6 +1,6 @@ --- -title: Publish .NET apps for Mac OS -description: Learn how to publish .NET applications for Mac OS, including signing, notarization, and app entitlements. +title: Publish .NET apps for macOS +description: Learn how to publish .NET applications for macOS, including signing, notarization, and app entitlements. author: agocke ms.author: angocke ms.date: 10/22/2025 
@@ -8,13 +8,13 @@ ms.topic: how-to ai-usage: ai-assisted --- -# Publish .NET apps for Mac OS +# Publish .NET apps for macOS -Publishing .NET applications for Mac OS requires several additional steps compared to other platforms, due to Apple's security requirements. +Publishing .NET applications for macOS requires several additional steps compared to other platforms, due to Apple's security requirements. ## Prerequisites -Before you publish your .NET application for Mac OS, ensure you have the following: +Before you publish your .NET application for macOS, ensure you have the following: - **Apple Developer Account**: Needed for code signing and notarization. - **Xcode Command Line Tools**: Provides `codesign`, `altool`, and other utilities. @@ -36,6 +36,13 @@ For CoreCLR apps, the `com.apple.security.cs.allow-jit` entitlement is required. For Native AOT apps, no entitlements are required. +### Optional entitlements for debugging and diagnostics + +The following entitlements enable additional debugging and diagnostic capabilities: + +- **`com.apple.security.get-task-allow`**: Needed for dump collection with `createdump` and `dotnet dump`. +- **`com.apple.security.cs.debugger`**: Needed to attach a debugger to the process. + ## Sign and notarize Use Apple's developer documentation to sign and notarize the binary. From e18a988a2a83e9206c5bc86a4c11dd5fa5754d07 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 23 Oct 2025 15:58:04 +0000 Subject: [PATCH 05/12] Add links to publishing overview and Apple notarization docs Co-authored-by: agocke <515774+agocke@users.noreply.github.com> --- docs/core/deploying/macos.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/core/deploying/macos.md b/docs/core/deploying/macos.md index 2a52c5825eb84..c8fd6a7c89090 100644 --- a/docs/core/deploying/macos.md +++ b/docs/core/deploying/macos.md 
@@ -22,7 +22,7 @@ Before you publish your .NET application for macOS, ensure you have the followin ## Publish your app -Use one of the methods described in the [.NET application publishing overview](index.md) to produce an application. You can create either a framework-dependent or self-contained application. +Use one of the methods described in the [.NET application publishing overview](/dotnet/core/deploying/) to produce an application. You can create either a framework-dependent or self-contained application. ## Apphost and entry point @@ -45,7 +45,7 @@ The following entitlements enable additional debugging and diagnostic capabiliti ## Sign and notarize -Use Apple's developer documentation to sign and notarize the binary. +Use [Apple's developer documentation](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) to sign and notarize the binary. > [!WARNING] > Failing to sign and notarize your app might result in the application crashing while executing a restricted operation. From e97042ec94945e9c3a6c06313ffd399fbe32c2cb Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 24 Oct 2025 19:06:55 +0000 Subject: [PATCH 06/12] Clarify Native AOT terminology and add links Co-authored-by: jkotas <6668460+jkotas@users.noreply.github.com> --- docs/core/deploying/macos.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/core/deploying/macos.md b/docs/core/deploying/macos.md index c8fd6a7c89090..152e342040461 100644 --- a/docs/core/deploying/macos.md +++ b/docs/core/deploying/macos.md 
@@ -28,13 +28,13 @@ Use one of the methods described in the [.NET application publishing overview](/ .NET creates a native *apphost* executable as the entry point for your app. This apphost must be signed and, if your app uses special capabilities, it must be assigned the appropriate **entitlements**. -### Entitlements for CoreCLR apps +### Entitlements for apps not published as Native AOT -For CoreCLR apps, the `com.apple.security.cs.allow-jit` entitlement is required. +For apps not published as [Native AOT](native-aot/index.md), the `com.apple.security.cs.allow-jit` entitlement is required. -### Entitlements for Native AOT apps +### Entitlements for apps published as Native AOT -For Native AOT apps, no entitlements are required. +For apps published as [Native AOT](native-aot/index.md), no entitlements are required. ### Optional entitlements for debugging and diagnostics From add12d62cae426ddb0e79e29744c088fec91d4cd Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 24 Oct 2025 22:45:17 +0000 Subject: [PATCH 07/12] Reorganize signing section structure Co-authored-by: jkotas <6668460+jkotas@users.noreply.github.com> --- docs/core/deploying/macos.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/core/deploying/macos.md b/docs/core/deploying/macos.md index 152e342040461..fed11eab7433e 100644 --- a/docs/core/deploying/macos.md +++ b/docs/core/deploying/macos.md 
@@ -24,7 +24,7 @@ Before you publish your .NET application for macOS, ensure you have the followin Use one of the methods described in the [.NET application publishing overview](/dotnet/core/deploying/) to produce an application. You can create either a framework-dependent or self-contained application. -## Apphost and entry point +## Sign and notarize your app .NET creates a native *apphost* executable as the entry point for your app. This apphost must be signed and, if your app uses special capabilities, it must be assigned the appropriate **entitlements**. @@ -43,7 +43,7 @@ The following entitlements enable additional debugging and diagnostic capabiliti - **`com.apple.security.get-task-allow`**: Needed for dump collection with `createdump` and `dotnet dump`. - **`com.apple.security.cs.debugger`**: Needed to attach a debugger to the process. -## Sign and notarize +### Sign and notarize the binary Use [Apple's developer documentation](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) to sign and notarize the binary. From 903e876112c803ec01c8725f6b1cb869cf58da32 Mon Sep 17 00:00:00 2001 From: Jan Kotas Date: Fri, 24 Oct 2025 15:56:09 -0700 Subject: [PATCH 08/12] Apply suggestions from code review --- docs/core/deploying/macos.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/docs/core/deploying/macos.md b/docs/core/deploying/macos.md index fed11eab7433e..e625620502570 100644 --- a/docs/core/deploying/macos.md +++ b/docs/core/deploying/macos.md 
@@ -26,7 +26,7 @@ Use one of the methods described in the [.NET application publishing overview](/ ## Sign and notarize your app -.NET creates a native *apphost* executable as the entry point for your app. This apphost must be signed and, if your app uses special capabilities, it must be assigned the appropriate **entitlements**. +.NET creates a native *apphost* executable as the entry point for your app. This apphost must be signed and, if your app uses special capabilities, it must be assigned the appropriate **entitlements**. Use [Apple's developer documentation](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) to sign and notarize the binary. ### Entitlements for apps not published as Native AOT @@ -43,9 +43,5 @@ The following entitlements enable additional debugging and diagnostic capabiliti - **`com.apple.security.get-task-allow`**: Needed for dump collection with `createdump` and `dotnet dump`. - **`com.apple.security.cs.debugger`**: Needed to attach a debugger to the process. -### Sign and notarize the binary - -Use [Apple's developer documentation](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) to sign and notarize the binary. - > [!WARNING] > Failing to sign and notarize your app might result in the application crashing while executing a restricted operation. From 214af4ec5f925b69f9c0d490220fcf17f3122b2c Mon Sep 17 00:00:00 2001 From: Jan Kotas Date: Fri, 24 Oct 2025 15:59:21 -0700 Subject: [PATCH 09/12] Update docs/core/deploying/macos.md --- docs/core/deploying/macos.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/deploying/macos.md b/docs/core/deploying/macos.md index e625620502570..fb194c57998dc 100644 --- a/docs/core/deploying/macos.md +++ b/docs/core/deploying/macos.md 
@@ -20,7 +20,7 @@ Before you publish your .NET application for macOS, ensure you have the followin - **Xcode Command Line Tools**: Provides `codesign`, `altool`, and other utilities. - **.NET SDK**: Ensure you have the latest .NET SDK installed. -## Publish your app +## Produce your app using .NET SDK Use one of the methods described in the [.NET application publishing overview](/dotnet/core/deploying/) to produce an application. You can create either a framework-dependent or self-contained application. From 279c5febb03535e676283bb2c2179e50860fa69b Mon Sep 17 00:00:00 2001 From: Jan Kotas Date: Fri, 24 Oct 2025 16:01:47 -0700 Subject: [PATCH 10/12] Update docs/core/deploying/macos.md --- docs/core/deploying/macos.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/deploying/macos.md b/docs/core/deploying/macos.md index fb194c57998dc..cd42b3bb050a5 100644 --- a/docs/core/deploying/macos.md +++ b/docs/core/deploying/macos.md @@ -26,7 +26,7 @@ Use one of the methods described in the [.NET application publishing overview](/ ## Sign and notarize your app -.NET creates a native *apphost* executable as the entry point for your app. This apphost must be signed and, if your app uses special capabilities, it must be assigned the appropriate **entitlements**. Use [Apple's developer documentation](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) to sign and notarize the binary. +.NET creates a native *apphost* executable as the entry point for your app. This apphost must be signed and, if your app uses special capabilities, it must be assigned the appropriate **entitlements**. Use [Apple's developer documentation](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) to sign and notarize the app binaries. ### Entitlements for apps not published as Native AOT From fd0e3fc8cc1510ef4835aaf166646bed2d9708cb Mon Sep 17 00:00:00 2001 
From: Jan Kotas Date: Fri, 24 Oct 2025 16:02:14 -0700 Subject: [PATCH 11/12] Update docs/core/deploying/macos.md --- docs/core/deploying/macos.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/deploying/macos.md b/docs/core/deploying/macos.md index cd42b3bb050a5..5b3d210e85978 100644 --- a/docs/core/deploying/macos.md +++ b/docs/core/deploying/macos.md @@ -26,7 +26,7 @@ Use one of the methods described in the [.NET application publishing overview](/ ## Sign and notarize your app -.NET creates a native *apphost* executable as the entry point for your app. This apphost must be signed and, if your app uses special capabilities, it must be assigned the appropriate **entitlements**. Use [Apple's developer documentation](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) to sign and notarize the app binaries. +.NET creates a native *apphost* executable as the entry point for your app. This apphost must be signed and, if your app uses special capabilities, it must be assigned the appropriate **entitlements**. Use [Apple's developer documentation](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) to sign and notarize the app native binaries. ### Entitlements for apps not published as Native AOT From 0ea5991321ec4d7a5589f1847df40637a9c7496c Mon Sep 17 00:00:00 2001 From: Jan Kotas Date: Fri, 24 Oct 2025 16:03:06 -0700 Subject: [PATCH 12/12] Update docs/core/deploying/macos.md --- docs/core/deploying/macos.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/core/deploying/macos.md b/docs/core/deploying/macos.md index 5b3d210e85978..fcf27c97210c8 100644 --- a/docs/core/deploying/macos.md +++ b/docs/core/deploying/macos.md 
@@ -26,7 +26,7 @@ Use one of the methods described in the [.NET application publishing overview](/ ## Sign and notarize your app -.NET creates a native *apphost* executable as the entry point for your app. This apphost must be signed and, if your app uses special capabilities, it must be assigned the appropriate **entitlements**. Use [Apple's developer documentation](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) to sign and notarize the app native binaries. +Use [Apple's developer documentation](https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution) to sign and notarize the app native binaries. .NET creates a native *apphost* executable as the entry point for your app. This apphost must be signed and, if your app uses special capabilities, it must be assigned the appropriate **entitlements**. ### Entitlements for apps not published as Native AOT
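
Review bot: The Prerequisites bullet for Xcode Command Line Tools added in PATCH 02/12 lists `altool`, and it is still unchanged context in PATCH 09/12. Apple's notary service stopped accepting uploads from `altool` on November 1, 2023; `notarytool` is the replacement. Suggest changing the bullet to name `codesign` and `notarytool` so the prerequisite agrees with the Apple notarization documentation linked in PATCH 05/12.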
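
Review bot: The replacement `[!WARNING]` line in PATCH 03/12 drops the consequence the removed line described (users seeing security warnings or being unable to launch the app) and attributes a crash "while executing a restricted operation" to missing signing and notarization as a pair. The page ties restricted capabilities to entitlements, so the warning should say which omission causes which failure: no signature or notarization on one side, a missing entitlement such as `com.apple.security.cs.allow-jit` on the other. Suggest keeping the launch consequence and listing the crash as a second, separate one.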
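
Review bot: The "Optional entitlements for debugging and diagnostics" list added in the second hunk of PATCH 04/12 does not say that `com.apple.security.get-task-allow` belongs only in development builds. That entitlement lets other processes attach to the app and read its memory, and Apple's notarization checks report it as an issue, so a reader who adds it as written will collide with the notarization step this same page asks for. Suggest a sentence after the list stating that the entitlement must be left out of the build that is submitted for notarization and distributed.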
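
Review bot: The rewritten sentence under "Entitlements for apps not published as Native AOT" in PATCH 06/12 says `com.apple.security.cs.allow-jit` is required but not where the reader declares it or which binary receives it. Suggest one sentence stating that the entitlement goes in an entitlements property list passed to `codesign` with `--entitlements` when signing the apphost, since the apphost is the binary the section says must be assigned entitlements.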
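
Review bot: After the second hunk of PATCH 08/12 removes the "Sign and notarize the binary" heading, the `[!WARNING]` about failing to sign and notarize sits directly under the "Optional entitlements for debugging and diagnostics" list, where it reads as a warning about the debugging entitlements. Suggest moving the warning up so it follows the opening paragraph of "Sign and notarize your app", next to the sentence this patch relocated there.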
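
Review bot: The new heading in PATCH 09/12, "Produce your app using .NET SDK", is missing an article and no longer matches the verb used in the paragraph below it and in the linked "publishing overview". Suggest "Publish your app with the .NET SDK" so the heading, the body text and the link title use the same term.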
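
Review bot: The added line in PATCH 12/12 now opens the section with "sign and notarize the app native binaries" before the apphost has been introduced, and "the app native binaries" (wording from PATCH 11/12) is ungrammatical and leaves open which files are meant. Suggest "the app's native binaries, including the apphost" or restoring the original sentence order so the apphost is defined before the reader is told to sign it.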