disable-library-validation entitlement makes app unlaunchable

An open-source app that I bundle for macOS needs to use the disable-library-validation entitlement. In spite of TN3125: Inside Code Signing: Provisioning Profiles | Apple Developer Documentation#Entitlements-on-macOS claiming that hardened runtime entitlements don't need provisioning profiles and the app successfully notarizing, trying to run the app fails with the error "Disallowing because no eligible provisioning profiles found".

So I created a provisioning profile, but when creating the App ID the only selection that seemed relevant was Hardened Runtime. That turns out not to include disable-library-validation so now launching fails with "Unsatisfied entitlements: >com.apple.security.cs.disable-library-validation"

What's the right capability?

Answered by DTS Engineer in 857045022

TN3125 is correct in saying that the hardened runtime entitlements are unrestricted, that is, their use doesn’t have to be authorised by a profile.

I’m not sure what’s going on with your app but this is working for me:

  1. Using Xcode 16.4 on macOS 15.6.1, create a new project from the macOS > Command Line Tool target.
  2. In Signing & Capabilities > Hardened Runtime, check the Disable Library Validation box.
  3. Build and run; the program runs just fine.
  4. Dump the entitlements of the built executable:
% codesign -d -vvv --entitlements - Test799497
…
CodeDirectory v=20500 size=630 flags=0x10000(runtime) …
…
[Dict]
	[Key] com.apple.security.cs.disable-library-validation
	[Value]
		[Bool] true
    …

The runtime flag indicates that the hardened runtime is enabled, and the com.apple.security.cs.disable-library-validation entitlement disables library validation. Moreover, this is a command-line tool, and thus it has no provisioning profile.

Please repeat the above, just to make sure that we’re on the same page.

As to your main app, I suspect that you’re building outside of Xcode. In that case, double check that you’ve spelt the entitlement correctly. That’s a common issue with stuff like this, for example, the link break issue I call out in Resolving Code Signing Crashes on Launch.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
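
The spelling check suggested in the answer above can be automated when signing outside Xcode. This is an added example, not part of the original thread or of Apple's tooling: it parses an XML entitlements file (the kind passed to `codesign --entitlements` at signing time) and flags hardened runtime keys that are misspelt, contain stray whitespace or line breaks, or are not boolean true. The function name `audit_entitlements`, the sample plist and the 0.9 similarity cutoff are assumptions made for illustration.

```python
import difflib
import plistlib

# Hardened runtime exception entitlements (the com.apple.security.cs.* family).
RUNTIME_KEYS = sorted([
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.disable-executable-page-protection",
    "com.apple.security.cs.debugger",
])
PREFIX = "com.apple.security.cs."

# Constructed sample: one valid key, one misspelt key, one key with a line break.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.disable-library-validaton</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables
  </key><true/>
</dict></plist>"""


def audit_entitlements(plist_bytes):
    """Return a list of (key, problem) tuples for suspicious entitlement keys."""
    findings = []
    for key, value in plistlib.loads(plist_bytes).items():
        if key in RUNTIME_KEYS:
            # The codesign dump on this page shows the value as [Bool] true.
            if value is not True:
                findings.append((key, "value is not boolean true"))
            continue
        stripped = "".join(key.split())  # drop spaces, tabs and line breaks
        if stripped != key:
            findings.append((key, "whitespace or line break inside key"))
        guess = difflib.get_close_matches(stripped, RUNTIME_KEYS, n=1, cutoff=0.9)
        if guess and stripped != guess[0]:
            findings.append((key, "did you mean " + guess[0] + "?"))
        elif stripped.startswith(PREFIX) and stripped not in RUNTIME_KEYS:
            findings.append((key, "unknown hardened runtime key"))
    return findings


if __name__ == "__main__":
    for key, problem in audit_entitlements(SAMPLE):
        print(repr(key), "->", problem)
```

Run it against the entitlements file before signing; the `codesign -d --entitlements -` dump shown in the answer then confirms what actually ended up in the signature.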
