Library validation and CoreMedia I/O plug-ins

Hi!


The problem I want to discuss is not new, but it is becoming more and more critical for the project I'm working on. So I have to raise it again.


Our project is a virtual webcam for macOS implemented as a CoreMedia I/O DAL plug-in. The plug-in is installed at /Library/CoreMediaIO/Plug-Ins/DAL and can be loaded into any client application that wants to use the webcam.


The problem appeared when Apple introduced 'Hardened Runtime' in macOS Mojave, which by default turns on the 'Library Validation' feature. Library validation disables loading of frameworks/plugins/libraries which are either: 1) not signed; 2) signed, but the 'Team Identifier' in the signing certificate is different from that in the certificate of the client application's signature. As a result, even though our plugin is properly signed and notarized, it can't be loaded into a client application with hardened runtime because of that 2nd case.


The first alarming incident was last year, when Google Chrome on macOS enabled hardened runtime and stopped showing our webcam in the list. I requested technical support (case ID for TSI: 718328224), then filed feedback with Apple (FB7071665) about any possible solutions for our case, at least in future versions of macOS. But I see there's still no reaction there.


Now things are getting worse. Skype and Zoom stopped supporting our webcam for the same reason. Some others announced they will do this too. There's a possibility to add the 'com.apple.security.cs.disable-library-validation' entitlement to the client application - that would help with our issue. But Zoom and Skype refuse to add this because of security reasons - after some security exploits were uncovered.

The situation is quite critical for our product as many users use our webcam only for Zoom, Skype and similar applications.


So, the question is: are there any possible workarounds for our case? I know that for audio plugins (VST, etc.) there's a special entitlement: 'com.apple.security.temporary-exception.audio-unit-host' that allows loading even unsigned plugins into a hosting application. Why is there no such entitlement for DAL plugins? Or will it appear in macOS 10.16? I think it would be reasonable to add an entitlement that would only reject loading of unsigned plugins, but would allow loading of plugins with a different 'Team ID' in the signing certificate.
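
The loading rule described in the post above, as an added example that is not part of the original thread: a simplified Python model that reads `codesign -dv` text and an entitlements plist for a host app and a plug-in, and reports whether library validation would reject the plug-in. The sample outputs, Team IDs and function names are constructed for illustration, and only the rules stated in the post are modelled.

```python
import plistlib
import re

DISABLE_LV = "com.apple.security.cs.disable-library-validation"

# Constructed samples shaped like `codesign -dv` output; the Team IDs are made up.
HOST_CS = ("Identifier=com.example.host\n"
           "CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5\n"
           "TeamIdentifier=HOSTTEAM01\n")
LEGACY_HOST_CS = HOST_CS.replace("0x10000(runtime)", "0x0(none)")
PLUGIN_CS = ("Identifier=com.example.dal-plugin\n"
             "CodeDirectory v=20500 size=987 flags=0x10000(runtime) hashes=20+5\n"
             "TeamIdentifier=PLUGTEAM02\n")
UNSIGNED_CS = "Example.plugin: code object is not signed at all\n"
# Constructed entitlements plist, as `codesign -d --entitlements :-` would print it.
EXEMPT_ENTS = (b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
               b'<key>' + DISABLE_LV.encode() + b'</key><true/></dict></plist>')


def parse_codesign(text):
    """Return (set of code-signing flags, Team ID or None) from codesign text."""
    m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", text)
    flags = set(m.group(1).split(",")) if m else set()
    t = re.search(r"^TeamIdentifier=(.+)$", text, re.M)
    team = t.group(1).strip() if t else None
    return flags, (None if team == "not set" else team)


def plugin_loads(host_cs, host_entitlements, plugin_cs):
    """Apply the rules from the post; return (loads?, reason)."""
    flags, host_team = parse_codesign(host_cs)
    ents = plistlib.loads(host_entitlements) if host_entitlements else {}
    if "runtime" not in flags:
        return True, "host has no hardened runtime"
    if ents.get(DISABLE_LV) is True:
        return True, "host carries the disable-library-validation entitlement"
    _, plugin_team = parse_codesign(plugin_cs)
    if plugin_team is None:
        return False, "plug-in is unsigned or has no Team ID"
    if plugin_team != host_team:
        return False, "plug-in Team ID differs from host Team ID"
    return True, "plug-in and host share a Team ID"


if __name__ == "__main__":
    for name, host, ents in [("hardened", HOST_CS, None),
                             ("hardened+exempt", HOST_CS, EXEMPT_ENTS),
                             ("legacy", LEGACY_HOST_CS, None)]:
        print(name, plugin_loads(host, ents, PLUGIN_CS))
```

The same check doubles as an audit: any installed app for which the second branch fires has opted out of library validation and will load third-party code into its process.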

There isn’t any good solution to this problem right now. As I’m sure you’ve noticed, your bug (FB7071665) has been marked as a duplicate of another bug (r. 54710955), and we’re using that to track this issue. I just took a look at that bug and, alas, there’s simply no information I can share on that front.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for the reply!


I have to say that I don't see that FB7071665 has been marked as a duplicate, in Feedback Assistant I see:

Recent Similar Reports: None

Resolution: Open

and no mention of r. 54710955.


I also have to ask a somewhat off-topic question: is there (or will there be) any other way to expose a virtual webcam in macOS, besides CoreMedia I/O plug-ins? At least, in the recent or upcoming macOS versions?

> I have to say that I don't see that FB7071665 has been marked as a duplicate

Weird. It’s clearly marked as a dup in our internal systems.

> is there … any other way to expose virtual webcam in macOS, besides CoreMedia I/O plug-ins?

Sorry, I just don’t know. My expertise lies in low-level stuff, like library validation, and I’m not really up-to-speed on media APIs. If you can’t find an answer elsewhere, my advice is that you open a DTS tech support incident and talk to one of our media specialists.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

> my advice is that you open a DTS tech support incident


Did it last year, Case ID: 718328224.

Reply: We have reviewed your request and have concluded that there is no supported way to achieve the desired functionality given the currently shipping system configurations. If you would like for Apple to consider adding support for such features in the future, please submit an enhancement request via Feedback Assistant


Submitted feedback in 2019 (FB7071665), no reply yet.


Please find someone who can provide a solution e.g. add new entitlement for our case (in fact all virtual cameras and professional capture devices). This feature is critical for our business and your customers suffer as well.

Have you heard of any updates? I've also filed a DTS case on this, but no case file, yet.

I am also looking at how it might be possible to run a daemon that checks and disables code signing on the known apps, e.g. Zoom, Skype, etc., and disables it, possibly with a user prompt, but I would put that squarely in the sketchy, last resort category, as it is very intrusive and definitely not improving security.

Hello,

I would also like to know if there is any new information here, this has been quite a big issue on the video engineering/video calling side of things for quite a while now, I've also submitted multiple tickets, feedback assistant requests and have not heard back yet.

I did email the person replying here and I was told that this issue was merged with another ticket (which we cannot see/read), which makes it impossible to see feedback and follow up on this issue.

@couture.visicom I have filed a bug report as FB8183080 and a DTS case (741882936) that came back as "no workaround at this time."

So I guess we're still in limbo! In the meantime, though, at least Zoom and Skype have disabled library validation, so that DAL plugins work with at least those apps.

Web browsers are still an issue, though.

If not a DAL plug-in, is a device driver the right and future-proof approach to implement a virtual camera?

So at least Zoom and Skype have disabled library validation to allow DAL plugins, for now, but we're still not able to provide those for Safari or FaceTime (at least on 10.14, which is what I checked), or Chrome, which is a pretty major holdout with this.

@ieo my research indicates that a kext could be made that emulates a UVC (USB Video Class) device, which should be picked up by CoreMedia without a 3rd party DAL plugin. However, this seems like a daunting task, and is not a great proposition from either a stability or security perspective, either.

Hey @eskimo,

Just wanted to know if there was any new information on this front you could provide. With working from home being more and more common, this issue is ever growing. Especially as of recently, Sony and some other camera manufacturers are creating virtual webcams that use CoreMediaIO DAL plugins, so they do not work with 90% of applications.

> Just wanted to know if there was any new information on this front you could provide

AFAIK there have been no developments since I last posted about this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Hello, everyone!

@eskimo, any updates on this? Any plans to provide a higher level API for this?

Best,

Rafael Costa

> any updates on this?

No.

> Any plans to provide a higher level API for this?

I can’t discuss The Future™.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Hello,

@eskimo, any updates on this? Is there any possibility to have a Virtual Camera enabled app in the macOS App Store?

Best

Amirhossein Gholami

> any updates on this?

I have nothing more to share right now.

Actually, that’s not quite true. I can say that:

  • The relevant folks at Apple understand the impact of this issue.

  • Given that, there’s not much point in filing any more bugs about it.

  • The only way to fix this is to add new API.

  • There’s no such API in macOS 12 beta.

I realise that this is not the answer you were hoping for, but everything beyond the current beta is The Future™, and so not something I can discuss.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
