Notarized app not able to load dynamic library signed by another team

We have an app company.app and it is loading dynamic library from a thirdparty vendor - let's call it vendor.dylib.


company.app is signed by our organisation's developer ID certificate. We have notarized company.app with hardened runtime enabled.

vendor.dylib is signed and notarised by vendor's certificate.


Now, when company.app tries to load the dylib using dlopen, we get an error "not valid for use in process using Library Validation: mapping process and mapped file (non-platform) have different Team IDs"



I read about disabling library validation entitlement https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_disable-library-validation?language=objc and https://forums.developer.apple.com/thread/126895


I added this in the info.plist file

<key>com.apple.security.cs.disable-library-validation</key>

<true/>


After building the app and notarising it, i can still see the value com.apple.security.cs.disable-library-validation set to true in the final app's Info.plist.


Yet, i get the same error "not valid for use....... mapped file have different Team IDs". It's as if 'disabling library validation entitlement' didn't take effect.


Any pointers how to go about this?


Note : I cannot opt for a solution where we take vendor.dylib and sign it with our certificate because even though it does seem to solve the loading problem, the vendor's code itself is doing some checksum verification which breaks if vendor.dylib is re-signed with our cert.

Solved Answer

Two things:

  • Check that your disabling of library validation is actually working. Run your app and then run

    codesign
    against the process. For example:
    % codesign -d -vvv --entitlements :- `pgrep TextEdit`

    .

  • Check that the library was built with the macOS 10.9 SDK or later. Without that, you won’t be able to load it into a hardened runtime process. A good start here is

    otool
    :
    % otool -l /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration| grep -B 1 -A 4 VERSION

    You want to look for either a

    LC_VERSION_MIN_MACOSX
    or
    LC_BUILD_VERSION
    load command and then check the
    sdk
    field in that.

    After that, make sure that the code signature contains

    sha256
    hashes. For example:
    % codesign -d -vvv /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration

    It’s OK if it has

    sha1
    hashes as well but you have to have
    sha256
    to be compatible with the hardened runtime.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

4 Replies

Two things:

  • Check that your disabling of library validation is actually working. Run your app and then run

    codesign
    against the process. For example:
    % codesign -d -vvv --entitlements :- `pgrep TextEdit`

    .

  • Check that the library was built with the macOS 10.9 SDK or later. Without that, you won’t be able to load it into a hardened runtime process. A good start here is

    otool
    :
    % otool -l /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration| grep -B 1 -A 4 VERSION

    You want to look for either a

    LC_VERSION_MIN_MACOSX
    or
    LC_BUILD_VERSION
    load command and then check the
    sdk
    field in that.

    After that, make sure that the code signature contains

    sha256
    hashes. For example:
    % codesign -d -vvv /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration

    It’s OK if it has

    sha1
    hashes as well but you have to have
    sha256
    to be compatible with the hardened runtime.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn, thanks for the reply.


1. I executed the codesign against the process and i don't see an explicit output for the entitlement com.apple.security.cs.disable-library-validation. However i can see that int company.app/Contents/Info.plist theentries count has increased and if i open the plsit file, i can see com.apple.security.cs.disable-library-validation as true.


2. LC_VERSION_MIN_MACOSX of the vendor dylibs are 10.9 along with SDK version of 10.13. LC_VERSION_MIN_MACOSX of our app executable is 10.10 with SDK of 10.14 - so, all good here.


3. Both the vendor dylib and our app have sha1 as well as sha256 - Hash choices=sha1,sha256


I'm copy pasting the output of codesign run against the process :


Executable=XYZ.app/Contents/MacOS/XYZ

Identifier=XYZ

Format=app bundle with Mach-O thin (x86_64)

CodeDirectory v=20500 size=16841 flags=0x10000(runtime) hashes=519+3 location=embedded

VersionPlatform=1

VersionMin=657920

VersionSDK=658944

Hash type=sha256 size=32

CandidateCDHash sha1=f5f01417e803369a70d5b071fced1617486fb712

CandidateCDHash sha256=f6cfb15a010687b5afed942507541c3aa0dc047c

Hash choices=sha1,sha256

Page size=4096

CDHash=f6cfb15a010687b5afed942507541c3aa0dc047c

Signature size=9075

Authority=Developer ID Application: XYZ

Authority=Developer ID Certification Authority

Authority=Apple Root CA

Timestamp=31-May-2020 at 1:35:59 AM

Info.plist entries=26

TeamIdentifier=XYZ

Runtime Version=10.14.0

Sealed Resources version=2 rules=13 files=22

Internal requirements count=1 size=192



Our build process is summarised as :

1. The plist file is named as company-Info.plist and the same name is given in "Build Settings". All options of "Capabilities" in Xcode's project are OFF, including Hardened Runtime

2. I added <key>com.apple.security.cs.disable-library-validation</key>

<true/> to the company-Info.plist file.

3. Build using xcodebuild commandline.

4. Sign the .app file using "sudo codesign -f --options runtime -s "CERTIFICATE" ./company.app --deep.

5. productsign, notarise etc

I just realised - the option has to be given in entitlement file and won't take effect if we add it to plist file!


So, I have to create an entitlement file and give that as an option in codesign command and that shoudl work.

Will try this out and let you know.