We are developing a custom login service including a custom PAM module. While it initially works correctly after installation on macOS, it becomes blocked by the system during privilege escalation (coreauthd) after unlocking the screensaver.
The custom PAM module has been signed with a Developer ID certificate and submitted for notarization using notarytool. It also passed the staple check.

```
spctl -at open --context context:primary-signature -v
pam_custom.so: accepted
source=Notarized Developer ID
```
Here are the detailed steps:
1. Install the custom PAM file under /usr/local/lib/pam/.
2. Ensure SIP (System Integrity Protection) is enabled.
3. Log in to the Mac using the custom login service developed with the custom PAM module.
4. Successfully log in.
5. Open System Settings > Touch ID & Password.
6. Click Add Fingerprint to trigger local authentication. This local authentication can be passed using Touch ID without invoking the custom PAM.
7. Cancel adding fingerprints.
8. Allow the Mac to idle until the screensaver is triggered.
9. Unlock the screen using the custom PAM.
10. Go to System Settings > Touch ID & Password and click Add Fingerprint again.
11. This time, local authentication triggers the custom PAM, but it always fails. The system log shows that the custom PAM is not found.
Related system logs at step 9:
```
2024-12-25 19:05:05.320264-0800 0x42f3 Error 0x0 0 0 kernel: (AppleMobileFileIntegrity) Library Validation failed: Rejecting '/usr/local/lib/pam/pam_custom.so' (Team ID: none, platform: no) for process 'authorizationhos(941)' (Team ID: N/A, platform: yes), reason: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
2024-12-25 19:05:05.320629-0800 0x42f3 Error 0x0 0 0 kernel: (AppleMobileFileIntegrity) Library Validation failed: Rejecting '/usr/local/lib/pam/pam_custom.so' (Team ID: none, platform: no) for process 'authorizationhos(941)' (Team ID: N/A, platform: yes), reason: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
```
Related system logs at step 11:
```
2024-12-25 19:05:22.510658-0800 0x41a6 Error 0x0 0 0 kernel: (AppleMobileFileIntegrity) Library Validation failed: Rejecting '/usr/local/lib/pam/pam_custom.so' (Team ID: none, platform: no) for process 'coreauthd(653)' (Team ID: N/A, platform: yes), reason: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
2024-12-25 19:05:22.510953-0800 0x41a6 Error 0x0 0 0 kernel: (AppleMobileFileIntegrity) Library Validation failed: Rejecting '/usr/local/lib/pam/pam_custom.so' (Team ID: none, platform: no) for process 'coreauthd(653)' (Team ID: N/A, platform: yes), reason: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
2024-12-25 19:05:22.511624-0800 0x41a6 Default 0x16b99 653 0 coreauthd: (libpam.2.dylib) in openpam_load_module(): no pam_custom.so found
```
Why does local authentication call the custom PAM after unlocking from the screensaver?
Could this issue also be related to a code signing configuration that needs adjustment?
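
For triaging logs like the ones quoted in this post, the following added example (not part of the original post and not Apple's tooling) parses AMFI "Library Validation failed" kernel messages and summarizes which host process rejected which library and why. The sample lines are copied from the post; the function names are hypothetical.

```python
import re
from collections import Counter

# Sample lines copied from the logs quoted in the post.
SAMPLE_LOG = """\
2024-12-25 19:05:05.320264-0800 0x42f3 Error 0x0 0 0 kernel: (AppleMobileFileIntegrity) Library Validation failed: Rejecting '/usr/local/lib/pam/pam_custom.so' (Team ID: none, platform: no) for process 'authorizationhos(941)' (Team ID: N/A, platform: yes), reason: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
2024-12-25 19:05:22.510658-0800 0x41a6 Error 0x0 0 0 kernel: (AppleMobileFileIntegrity) Library Validation failed: Rejecting '/usr/local/lib/pam/pam_custom.so' (Team ID: none, platform: no) for process 'coreauthd(653)' (Team ID: N/A, platform: yes), reason: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.
2024-12-25 19:05:22.511624-0800 0x41a6 Default 0x16b99 653 0 coreauthd: (libpam.2.dylib) in openpam_load_module(): no pam_custom.so found
"""

# Matches the kernel message layout seen in the lines above.
AMFI_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?\(AppleMobileFileIntegrity\) Library Validation failed: "
    r"Rejecting '(?P<lib>[^']+)' "
    r"\(Team ID: (?P<lib_team>[^,]+), platform: (?P<lib_platform>\w+)\) "
    r"for process '(?P<proc>[^(']+)\((?P<pid>\d+)\)' "
    r"\(Team ID: (?P<proc_team>[^,]+), platform: (?P<proc_platform>\w+)\), "
    r"reason: (?P<reason>.*)$"
)

def parse_rejections(text):
    """Return one dict per AMFI library-validation rejection line."""
    return [m.groupdict() for line in text.splitlines()
            if (m := AMFI_RE.match(line))]

def summarize(rejections):
    """Group rejections by (library, host process).

    no_cdhash is True when the kernel reported that the mapped file carried
    no code directory hash, i.e. it saw no signature on the file it loaded.
    """
    counts = Counter((r["lib"], r["proc"]) for r in rejections)
    unsigned = {(r["lib"], r["proc"]) for r in rejections
                if "no cdhash" in r["reason"]}
    return [{"library": lib, "process": proc, "count": n,
             "no_cdhash": (lib, proc) in unsigned}
            for (lib, proc), n in sorted(counts.items())]

if __name__ == "__main__":
    for row in summarize(parse_rejections(SAMPLE_LOG)):
        print(row)
```
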