dlopen fails after the app is signed successfully, with the error message "image not found"

My application will use dlopen to load a third-party dynamic library in the directory of "/usr/local/lib". The dynamic library is installed in another app of our company.
Now we have a problem. After signing with the codesign command, dlopen will fail, and the output error message is "image not found".
Does the latest signature mechanism still support this situation? Do you need to add any parameters or permissions when signing?

Replies

This boils down to whether library validation is enabled. If it is, dyld will only load code that’s signed by Apple or signed by your team.

Library validation is enabled in one of two \[1\] circumstances:
  • It’s implicitly enabled by the hardened runtime.

  • You can explicitly enable it by passing library to the -o parameter of codesign.

In the hardened runtime case you can opt out of library validation with an exception entitlement but I recommend against that.

So, the first thing I’d check is whether your app and this library are signed by the same team. To do this, dump the code signature using:

% codesign -d -vv /path/to/your/code


Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

\[1\] Actually, there’s a third: It’s enabled by default for all platform code, that is, all code built in to the OS.
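
The team check described in the reply above, scripted as an added example (not part of the original thread and not Apple's code). The sample `codesign -d -vv` output, the team ID and the function names are constructed for illustration.

```shell
#!/bin/sh
# Compare the signing team of an app and of a library it loads, from the text
# that `codesign -d -vv` prints. codesign writes it to stderr, so real use is:
#   check_pair "$(codesign -d -vv /path/to/app 2>&1)" \
#              "$(codesign -d -vv /path/to/lib 2>&1)"
# Not modelled: Apple-signed libraries and the exception entitlement.

# Constructed sample output (identifiers and team ID are placeholders).
APP_INFO='Identifier=com.example.app
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
TeamIdentifier=ABCDE12345'
LIB_INFO='Identifier=libexample
CodeDirectory v=20400 size=987 flags=0x0(none) hashes=24+2 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
TeamIdentifier=ABCDE12345'

# Print the TeamIdentifier value from codesign output on stdin.
team_id() {
    sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Succeed if the CodeDirectory flag list on stdin contains flag name $1,
# e.g. "runtime" (hardened runtime) or "library-validation".
has_flag() {
    sed -n 's/^CodeDirectory .*flags=[^(]*(\([^)]*\)).*/\1/p' |
        tr ',' '\n' | grep -qx "$1"
}

# $1 = codesign output for the app, $2 = codesign output for the library.
# Returns 1 when library validation applies and the team IDs differ.
check_pair() {
    app_team=$(printf '%s\n' "$1" | team_id)
    lib_team=$(printf '%s\n' "$2" | team_id)
    if ! printf '%s\n' "$1" | has_flag runtime &&
       ! printf '%s\n' "$1" | has_flag library-validation; then
        echo "library validation not enabled on app"; return 0
    fi
    case "$app_team" in ''|'not set') echo "app has no team"; return 1 ;; esac
    if [ "$app_team" = "$lib_team" ]; then
        echo "same team: $app_team"; return 0
    fi
    echo "team mismatch: app=$app_team lib=${lib_team:-none}"; return 1
}

check_pair "$APP_INFO" "$LIB_INFO"
```
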

Thank you for your reply.

Our app and the library to load are signed with the same certificate.

Now, if you pass in an absolute path when calling dlopen, you can load and use it normally.

Does the signed app not have an environment variable pointing to the '/usr/local/lib' directory?

If so, is there any way to fix it?

> Our app and the library to load are signed with the same certificate.

Cool.

> Now, if you pass in an absolute path when calling dlopen, you can load
> and use it normally.

OK, then that’s what I recommend. IIRC the hardened runtime also puts limits on the dyld search path. I don’t think there’s a way to opt out of that, but I don’t think you should be opting out of it anyway. If you’re going to load a library into your app, it’s best to know in advance what library that is rather than relying on the evolving behaviour of the dyld search path.

Although, just to be clear, library validation will prevent you from loading a malicious library.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"