Hi. We're writing an Authorization Plugin and started with the NullAuthPlugin compilation. When we tried to run it on a VM (Sonoma 14.6, SIP enabled), we ran into the following issue: `2025-03-08 13:38:20.699503-0800 0xdcb0 Error 0x0 0 0 kernel: (AppleMobileFileIntegrity) [com.apple.MobileFileIntegrity:library_validation_failure] Library Validation failed: Rejecting '/Library/Security/SecurityAgentPlugins/NullAuthPlugin.bundle/Contents/MacOS/NullAuthPlugin' (Team ID: ABCD12EF34, platform: no) for process 'SecurityAgentHel(2094)' (Team ID: N/A, platform: yes), reason: mapping process is a platform binary, but mapped file is not` As I understand it, the platform binary is the one signed with Apple's signature, which is indeed unavailable to us. How can we avoid this issue and run the plugin? Perhaps we're missing some build setting requirement?
Authorization Plugin code signing issue
By default, macOS is set up so that processes running platform binaries [1] have library validation enabled by default. However, in some cases that’s not appropriate. In this example, an authorisation plug-in host needs to be able to load authorisation plug-ins.
We get around this by signing the host with an entitlement that explicitly opts out of this implicit library validation:
% codesign -d --entitlements - /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/XPCServices/SecurityAgentHelper-arm64.xpc
…
[Dict]
…
[Key] com.apple.private.security.clear-library-validation
[Value]
[Bool] true
…
% codesign -d --entitlements - /System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/XPCServices/authorizationhosthelper.arm64.xpc
…
[Dict]
[Key] com.apple.private.security.clear-library-validation
[Value]
[Bool] true
…
I’ve never seen this fail; my authorisation plug-ins always load just fine on stock systems. And my standard test environment is indeed a VM with SIP enabled.
Are you sure you’re not being misled by the log message? See this post.
I generally investigate issues like that by adding a ‘first light’ log point to my code. If I see that, I know that my code was successfully loaded. I talk about this idea, in a very different context, in Debugging a Network Extension Provider.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] The exact definition of that is complex, but you can think of it as stuff that’s built in to macOS.
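Two defender-side checks for the situation in this thread, added here as example shell (not Apple's code and not code from this thread): one pulls the host, library, Team ID and reason out of an AMFI library_validation_failure log line, the other reads a `codesign -d --entitlements -` dump and reports whether the host carries the clear-library-validation opt-out. The function names, the sample log line and the sample dumps are constructed to match the shapes shown above; the live codesign check only runs on macOS.

```shell
#!/bin/sh

# amfi_rejection <log-line>
# Prints "host|library|teamid|reason" for an AppleMobileFileIntegrity
# "Library Validation failed" line; prints nothing and returns 1 otherwise.
amfi_rejection() {
  printf '%s\n' "$1" | sed -n \
    "s/.*Library Validation failed: Rejecting '\([^']*\)' (Team ID: \([^,]*\), platform: [^)]*) for process '\([^']*\)' (Team ID: [^)]*), reason: \(.*\)$/\3|\1|\2|\4/p" \
    | grep .
}

# clears_library_validation  (reads a `codesign -d --entitlements -` dump on stdin)
# Prints "yes" and returns 0 when the dump sets
# com.apple.private.security.clear-library-validation to true, else "no" / 1.
clears_library_validation() {
  awk '
    /\[Key\] com\.apple\.private\.security\.clear-library-validation$/ { armed = 1; next }
    armed && /\[Bool\]/ { if ($2 == "true") found = 1; armed = 0 }
    END { print (found ? "yes" : "no"); exit (found ? 0 : 1) }'
}

# host_clears_library_validation <host-executable>  (live check; needs macOS codesign)
host_clears_library_validation() {
  codesign -d --entitlements - "$1" 2>/dev/null | clears_library_validation
}

# Constructed samples shaped like the thread's log line and codesign dumps.
SAMPLE_LOG="2025-03-08 13:38:20.699503-0800 0xdcb0 Error 0x0 0 0 kernel: (AppleMobileFileIntegrity) [com.apple.MobileFileIntegrity:library_validation_failure] Library Validation failed: Rejecting '/Library/Security/SecurityAgentPlugins/NullAuthPlugin.bundle/Contents/MacOS/NullAuthPlugin' (Team ID: ABCD12EF34, platform: no) for process 'SecurityAgentHel(2094)' (Team ID: N/A, platform: yes), reason: mapping process is a platform binary, but mapped file is not"
SAMPLE_OPT_OUT='[Dict]
  [Key] com.apple.private.security.clear-library-validation
  [Value]
    [Bool] true'
SAMPLE_LOCKED='[Dict]
  [Key] com.apple.security.app-sandbox
  [Value]
    [Bool] true'

# Stand-alone demonstration on the constructed samples.
amfi_rejection "$SAMPLE_LOG"
printf '%s\n' "$SAMPLE_OPT_OUT" | clears_library_validation
```

On a real system, `host_clears_library_validation` takes the host executable path from the log line (the SecurityAgentHelper or authorizationhosthelper XPC service) and tells you whether the opt-out Quinn describes is present before you look further at the plug-in's own signature.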
Thank you @Quinn. The error message really confused me; the plugin works.