App crash with entitlements

Hi forum!

I'm a n00b in apple development, so I apologise in advance if something is very wrong.

I have a python app for MacOS that I am deploying with pyinstaller (thus I am NOT using Xcode). The app is to be deployed through github not through the app store. I could sign it and notarize it and it works. However, the app needs to run some external unsigned code (like a plugin). The hardened runtime blocks that, so I need to add entitlements. I've done it as it's explained in many other places with codesign. It seems to work but when I run the app, it crashes immediately with EXC_CRASH (Code signature invalid). The crash doesn't happen unless I add the entitlements.

Now my questions: how do I make my situation work? Do I need a provisioning profile? The entitlements I am trying to add (hardened runtime-related) are not restricted AFAIK, so I don't think I do?

If I need a provisioning profile, how can I add it to the app after it's bundled with pyinstaller?

Thank you so much!

Francesco

Up vote post of Fsantini Down vote post of Fsantini
1.1k views
Posted by
Fsantini
Reply
Add a Comment

Accepted Reply

and my entitlements.plist is the following:

Literally? If so, the problem is that your com.apple.security.cs.disable-library-validation key has a leading newline. Your property list should look like this:

% cat test.entitlements 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
</dict>
</plist>

This is one example of a whole class of problems that cause ongoing grief for developers. I’ve used this thread as a reminder to add it to my Resolving Code Signing Crashes on Launch post. Check out the shiny new Normalise the Entitlements Property List section.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

To investigate this you can follow the instructions in Resolving Trusted Execution Problems.

However, I suspect that other factors are in play here. The entitlement required to disable library validation, Disable Library Validation Entitlement or com.apple.security.cs.disable-library-validation, is not restricted, which means it doesn’t need to be authorised by a provisioning profile. The fact that you’re hitting a code signing crash suggests that you’re claiming some other entitlement, a restricted entitlement that does need a provisioning profile.

Can you post an example crash report? See Posting a Crash Report for advice on how to do that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Thank you for your reply!

I am attaching the entitlements with (I tried with and without --deep):

codesign -o runtime --entitlements ../entitlements.plist -s "Francesco" -f Dafne.app

and my entitlements.plist is the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>
com.apple.security.cs.disable-library-validation</key>
    <true/>
  </dict>
</plist>

I am attaching the crash report. Any clue?

dafne_2022-06-07-074024_Francescos-MacBook-Pro.crash

Thanks a lot?

Posted by
Fsantini
Up vote reply of Fsantini Down vote reply of Fsantini
Add a Comment

and my entitlements.plist is the following:

Literally? If so, the problem is that your com.apple.security.cs.disable-library-validation key has a leading newline. Your property list should look like this:

% cat test.entitlements 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
</dict>
</plist>

This is one example of a whole class of problems that cause ongoing grief for developers. I’ve used this thread as a reminder to add it to my Resolving Code Signing Crashes on Launch post. Check out the shiny new Normalise the Entitlements Property List section.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Oh I feel so stupid! It works now!

I had copied that coded verbatim from some posts, and then I tried changing everything else but never thought to check that!

Thank you so much!

Francesco

Posted by
Fsantini
Up vote reply of Fsantini Down vote reply of Fsantini
Add a Comment