Open Bug 1522409 Opened 6 years ago Updated 1 year ago

Codesign and enable Hardened Runtime on local builds

Categories: Release Engineering :: Release Automation: Signing, enhancement
Unspecified, macOS, enhancement
Tracking: (Not tracked)
People: Reporter: haik, Unassigned
Keywords: in-triage

We plan to enable Hardened Runtime on official Mac builds (bug 1470597), which will turn on some new runtime security protections. Enabling Hardened Runtime requires signing the build with new options and entitlements. In order to make try builds and local developer builds have the same security protections as our official builds, we need to run codesign on those builds and enable Hardened Runtime. Running codesign requires a signing identity, and we may be able to create a self-signed cert for this purpose automatically during the build. This bug is filed to cover the work needed to determine how to automate signing builds during local and try builds.

Blocks: 1470607
Component: General → Release Automation: Signing
Product: Firefox Build System → Release Engineering
QA Contact: aki

Hardened Runtime is a 10.14 feature (as in the security protections only work on 10.14+) so until we have 10.14+ running on our try hardware, there isn't much motivation to support this on our Linux build machines. It would be beneficial for developers working on 10.14+ machines though. Perhaps the two should be split into different bugs.

Depends on: 1543830

Try should be covered by the work in bug 1471004, but not local builds.

Summary: Codesign and enabled Hardened Runtime on try and local builds → Codesign and enable Hardened Runtime on local builds
QA Contact: mozilla → jlorenzo
Severity: normal → S3