code signing blocked mmap() - how to find reason?


something went wrong with the code signing of my app, but I have not idea how to analyze this problem. I get the following error when launching my app:

dyld: Library not loaded: @rpath/QtSvg.framework/Versions/5/QtSvg
Referenced from: /Users/joachim/Programming/myapp-build-release/install/
Reason: no suitable image found.  Did find:
   /Users/joachim/Programming/myapp-build-release/install/ code signing blocked mmap() of '/Users/joachim/Programming/myapp-build-release/install/'
   /Users/joachim/Programming/myapp-build-release/install/ stat() failed with errno=1

All Frameworks and dylibs have been signed with

codesign --verbose --sign "$DEVID" -i $ID --timestamp $FRAMEWORK/Versions/Current/

The app bundle has been signed with

codesign --verbose --sign "$DEVID" --timestamp --options "runtime" --entitlements Entitlements.plist

with entitlement enabled.

"codesign --verify" reports "valid on disk" and "satisfies its Designated Requirement" for all libs and the executable and bundle. All libs have unique identifiers (-i), got a secure timestamp, and I'm not using "--deep" signing. Referencing the lib with "@executable_path/../Frameworks" instead of "@rpath" doesn't make any difference.

The error disappears if I add the entitlement or omit the hardened "runtime" option.

How can I check what exactly is blocking the library? Has "disable-library-validation" any drawbacks? Will I still be able to notarize the app?

7 Replies

It seems like you have already fixed it. The only downside is that it makes your app more vulnerable to hacking and other types of exploitation. Think piracy rather than security. It is pretty clear what is causing it - Qt. Easily 70% of ALL notarization problems are caused by Qt.

Disable Library Validation Entitlement: "the app may load arbitrary plug-ins or frameworks, without requiring code signing"

... but all libs of my app bundle are code signed. I would like to know which unsigned lib triggers this problem.

You're right, deployment of Qt applications on macOS is a pain. If I'm using the prebuilt libs provided by the Qt company everything works fine. If I'm building the Qt libraries on my own (which is required in my project...) I get the mmap code sign error. So I'm quite sure that there must be solution without disabling library validation.

Has "disable-library-validation" any drawbacks?

Yes. Library validation is an important security feature (it prevents a whole world of exploits that involve loading malicious code into your process) and thus disabling it decreases security.

Will I still be able to notarize the app?


How can I check what exactly is blocking the library?

This can be quite tricky. First up, when version of macOS are you testing this on?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + ""

Review how your build scripts are different than the official ones for the Mac.

I found this link:

It seems to suggest that there is some SVG functionality that is associated with mmap() on Linux. Your build scripts may be enabling this code whereas the Qt builds omit it from the Mac platform. That's just a guess though. Building open source projects for the Mac can be really tricky. In some cases, it works better if there isn't an official Mac version. The "Mac code" is sometimes really hacked up with macros so it would build properly the last time someone worked on it for 10.5.

I'm building and testing the software with the latest macOS (10.15.4) running on the latest iMac, xCode is is up-to-date, too.

jogri emailed me a copy of their app, so I took a rummage inside.

To start, looking at the system log at the time of the failure revealed this:

type: error
time: 2020-05-05 21:53:29.092534 +0100
process: kernel
message: Library Validation failed: Rejecting '/Applications/' (Team ID: none, platform: no) for process 'MyApp(581)' (Team ID: …, platform: no), reason: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.

Clearly there’s something broken about the signature of the QtSvg framework. Let’s check that:

% codesign -v -vvv /Volumes/MyApp/                 
/Volumes/MyApp/ valid on disk
/Volumes/MyApp/ satisfies its Designated Requirement
% codesign -d -vvv --entitlements :- /Volumes/MyApp/
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=2772 flags=0x0(none) hashes=81+3 location=embedded
Library validation warning=OS X SDK version before 10.9 does not support Library Validation
Hash type=sha256 size=32
CandidateCDHash sha256=e56113692b37fc138535c8f817e0f7479512cc7e
CandidateCDHashFull sha256=e56113692b37fc138535c8f817e0f7479512cc7ea496b807cd590f06fe70b566
Hash choices=sha256
Signature size=8929
Authority=Developer ID Application: …
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=5 May 2020 at 10:37:28
Info.plist entries=7
Sealed Resources version=2 rules=13 files=3
Internal requirements count=1 size=180

So the library has a code signature but the system is refusing to load it. I’ve seen that before, and it’s actually hinted at by the warning on line 9 above, namely

Library validation warning=OS X SDK version before 10.9 does not support Library Validation

Consider this:

% otool -l /Volumes/MyApp/ | grep -B 1 -A 3 LC_VERSION_MIN_MACOSX
Load command 8
  cmdsize 16
  version 10.13
      sdk n/a

This library has a deployment target but no SDK version. That’s weird, and also problematic. The macOS code signing architecture changed in macOS 10.9, so certain code signing features are only available in 10.9 and later. The hardened runtime requires those features, and it checks for their presence by checking for your SDK version. This, btw, is the reason why notarisation requires a 10.9 or later SDK.

In short, your library has a bogus SDK value, which means that the hardened runtime is refusing to load it even though it’s signed correctly. Once you fix your SDK linkage, this problem should go away.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + ""

You're right, the missing SDK version was the reason that triggered the error when launching the app. Quinn, thanks a lot for your help!

An error message like "Library rejected due to missing or outdated SDK version" instead of "code signing blocked mmap()" would have saved me a lot of time...

Two months ago I was able to create a lib with valid SDK version using these clang calls:

/Applications/ \
-c \
-isysroot /Applications/ \
-mmacosx-version-min=10.13 \
-o test.o \

/Applications/ \
-Wl,-syslibroot,/Applications/ \
-mmacosx-version-min=10.13 \
-dynamiclib \
-o TestLib \

On my current system (I guess there was an Xcode update in the meantime?) the test.o still has "sdk 10.15.4" set, but the linker (second clang call) drops the SDK version. To fix this, I have to pass "-isysroot ..." to the linker call. Or I have to set the SDKROOT environment variable, or I have to launch the build process with "xcrun --sdk macos ...".

I've thought I can pass the SDK version as "syslibroot" to the linker, but maybe I'm wrong. I'm missing a good documentation how to build software on command line, without Xcode.