"Possible race detected. Rejecting." on dlopen(). How to debug?

So I'm building the macOS app, which includes a framework which embeds Python code. Some of the Python modules do dynamically load shared objects. I have put the shared objects under "PlugIns", and there are symlinks from the location where Python expects them to be. I.e.:

Python tries to mmap the object from:


but this is actually a symlink to:

Both the framework and app are codesigned:

% codesign -v -vvv ./MySampleApp.app/
  • -prepared:/Users/piotr/MySampleApp.app/Contents/MacOS/wl-cli

  • -validated:/Users/piotr/MySampleApp.app/Contents/MacOS/wl-cli

  • -prepared:/Users/piotr/MySampleApp.app/Contents/Library/LoginItems/wlclientd.app

  • -validated:/Users/piotr/MySampleApp.app/Contents/Library/LoginItems/wlclientd.app

  • -prepared:/Users/piotr/MySampleApp.app/Contents/Frameworks/MySample.framework/Versions/Current/.

  • -validated:/Users/piotr/MySampleApp.app/Contents/Frameworks/MySample.framework/Versions/Current/.

./MySampleApp.app/: valid on disk
./MySampleApp.app/: satisfies its Designated Requirement

When Python tries to run its code howerer, it fails with the following error message:

dlopen(MySampleApp.app/Contents/Frameworks/MySample.framework/Resources/python/lib/python3.9/site-packages/lxml/etree.cpython-39-darwin.so, 2): no suitable image found. Did find:
MySampleApp.app/Contents/Frameworks/MySample.framework/Resources/python/lib/python3.9/site-packages/lxml/etree.cpython-39-darwin.so: code signing blocked mmap() of 'MySampleApp.app/Contents/Frameworks/MySample.framework/Resources/python/lib/python3.9/site-packages/lxml/etree.cpython-39-darwin.so'

Furthermore, at the time it happens I see the following message in system log:

default 09:13:25.897428+0200 kernel MySampleApp.app/Contents/Frameworks/MySample.framework/Versions/A/PlugIns/site-packages/lxml/etree.cpython-39-darwin.so: Possible race detected. Rejecting.

What does this message mean exactly and how can I identify the cause of the issue? The same code runs without problems when I disable system integrity protection. The app is not designed for sandboxing. Hardened runtime is enabled.


Additional observation is that disabling library validation in hardened runtime settings allows my code to launch. I would rather avoid having this setting on (all dynamic libraries are included in the application bundle and there is no reason to expect that their binaries should change).
Is this image (etree.cpython-39-darwin.so) built against a modern macOS SDK (10.9 or later)?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"