Library validation fails because of different Team IDs

Code Signing General
cmoltkeleth OP
Created Dec ’19
Replies 8
Boosts 1
Views 7.6k
Participants 4

Hello


We have a number of X11 applications, which are linked against shared libraries from XQuartz. To be able to notarize our applications, we have signed out applications with "hardened runtime", i.e. enforcing "library validation" of all used libraries.


The libraries from XQuartz are a bit old, but they are codesigned with a Developer ID, e.g.


Executable=/opt/X11/lib/libXt.6.dylib

Identifier=libXt.6

Format=Mach-O universal (i386 x86_64)

CodeDirectory v=20200 size=3079 flags=0x0(none) hashes=92+2 location=embedded

Signature size=8927

Authority=Developer ID Application: Apple Inc. - XQuartz (NA574AWV7E)

Authority=Developer ID Certification Authority

Authority=Apple Root CA

Timestamp=29 Oct 2016 at 09.59.52

Info.plist=not bound

TeamIdentifier=NA574AWV7E

Sealed Resources=none

Internal requirements count=1 size=168


Our Developer ID is of course different from the Developer ID of XQuartz, and unfortunately this means that we are not able to load the libraries at run-time, getting errors like:


dyld: Library not loaded: /opt/X11/lib/libXt.6.dylib

Referenced from: /Applications/NG-tsrv37io/CciFiles/extlib64/libgsdisp.9.26.dylib

Reason: no suitable image found. Did find:

/opt/X11/lib/libXt.6.dylib: code signature in (/opt/X11/lib/libXt.6.dylib) not valid for use in process using Library Validation: mapping process and mapped file (non-platform) have different Team IDs


Is there any solution to this problem?

Thanks in advance!


Regards

Claus

Replies  8
Boosts  1
Views  7.6k
Participants  4
OneTwoThree OP
Dec ’19

Hi,

We also experience the same problem.


Exception Type: EXC_CRASH (SIGABRT)

Exception Codes: 0x0000000000000000, 0x0000000000000000

Exception Note: EXC_CORPSE_NOTIFY

Termination Reason: DYLD, [0x5] Code Signature

Application Specific Information:

dyld: launch, loading dependent libraries


(/Library/Frameworks/Measure.Client64.framework/Versions/2.0.0.1/Measure.Client64) not valid for use in process using Library Validation: mapping process and mapped file (non-platform) have different Team IDs


Any such requrement that mandates that same Team ID is required?


regards

Prema_k

0
DTS Engineer OP
Apple
Dec ’19

Is there any solution to this problem?

There are two:

  • Opt out of library validation using the Disable Library Validation entitlement 

    com.apple.security.cs.disable-library-validation
    (A)

  • Bundle these libraries with your product, and then sign them as yourself (B)

I generally prefer B because A decreases the security of your product. Specifically, there’s no way to partially opt out of library validation, that is, allow libraries from some specific set of teams [1].

The main drawback with B is that you need to get permission from the vendor to distribute the libraries.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Although you’re not the first person to ask about this, and IMO it would make a fine enhancement request.

2
cmoltkeleth OP
Dec ’19

Thank you for your answer!


I would like to have a small clarification: If I choose Option A (disabling library validation), wouldn't that mean that I could no longer have my apps notarized? Or is it allowed to opt out of library validation and still have my applications notarized?


Thanks once again!


Claus

0
DTS Engineer OP
Apple
Dec ’19

If I choose Option A (disabling library validation), wouldn't that mean that I could no longer have my apps notarized?

The notarisation system does not currently require library validation. It does require the hardened runtime, which enables library validation by default, but you can then opt out of library validation using the Disable Library Validation entitlement (

com.apple.security.cs.disable-library-validation
).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"

ps DTS is closed 21 Dec through 1 Jan.

1
cmoltkeleth OP
Dec ’19

Thank you very much!


Claus

0
cmoltkeleth OP
Jan ’20

Hello


I would like to have a further clarification. If we choose to stay with having library validation enabled, that would imply having to re-sign all third-party libraries. They fall into at least three categories:


(1) Proprietary libraries

(2) Open source libraries with LGPL or similar license conditions

(3) Open source libraries with GPL license


With regards to (1) and (2) we do distribute the libraries ourselves. The question here is if re-signing is considered a modification to the original software, and if doing so implies any copyright violation and/or liability.


With regards to (3) the situation is worse. These libraries cannot be distributed by ourselves due to the conditions of the GPL license, and re-signing is not an option at all. So the question is what to do in this situation, besides turning off library validation.


Please let me know if you have any experience to share. Thanks in advance!


/Claus

0
DTS Engineer OP
Apple
Jan ’20

I’m sorry but, as these are legal questions, I’m neither allowed nor qualified to comment on them.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
eclipse-chaser OP
Jan ’24

I landed on this question due to a similar problem of a Framework that Xcode was not resigning correctly (but AppStore Connect does). In my case the author provides a distribution license (your case 1). With regard to your question on GPL I am also not a lawyer, but this has come up off and on over the past 35 years. These are quotes from gnu.org. This is why the industry refers to the "GPL Virus"

You have a GPLed program that I'd like to link with my code to build a proprietary program. Does the fact that I link with your program mean I have to GPL my program? (https://www.gnu.org/licenses/gpl-faq.en.html#LinkingWithGPL)

Not exactly. It means you must release your program under a license compatible with the GPL (more precisely, compatible with one or more GPL versions accepted by all the rest of the code in the combination that you link). The combination itself is then available under those GPL versions.

If so, is there any chance I could get a license of your program under the Lesser GPL? (#SwitchToLGPL)

You can ask, but most authors will stand firm and say no. The idea of the GPL is that if you want to include our code in your program, your program must also be free software. It is supposed to put pressure on you to release your program in a way that makes it part of our community.

You always have the legal alternative of not using our code.

0
Library validation fails because of different Team IDs
First post date Last post date
 
 
Q