Notarized app not able to load dynamic library signed by another team

Two things:

• Check that your disabling of library validation is actually working. Run your app and then run

  codesign

  against the process. For example:

  % codesign -d -vvv --entitlements :- `pgrep TextEdit`

  .

• Check that the library was built with the macOS 10.9 SDK or later. Without that, you won’t be able to load it into a hardened runtime process. A good start here is

  otool

  :

  % otool -l /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration| grep -B 1 -A 4 VERSION

  You want to look for either a

  LC_VERSION_MIN_MACOSX

  or

  LC_BUILD_VERSION

  load command and then check the

  sdk

  field in that.

  After that, make sure that the code signature contains

  sha256

  hashes. For example:

  % codesign -d -vvv /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration

  It’s OK if it has

  sha1

  hashes as well but you have to have

  sha256

  to be compatible with the hardened runtime.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Quinn, thanks for the reply.

1. I executed the codesign against the process and i don't see an explicit output for the entitlement com.apple.security.cs.disable-library-validation. However i can see that int company.app/Contents/Info.plist theentries count has increased and if i open the plsit file, i can see com.apple.security.cs.disable-library-validation as true.

2. LC_VERSION_MIN_MACOSX of the vendor dylibs are 10.9 along with SDK version of 10.13. LC_VERSION_MIN_MACOSX of our app executable is 10.10 with SDK of 10.14 - so, all good here.

3. Both the vendor dylib and our app have sha1 as well as sha256 - Hash choices=sha1,sha256

I'm copy pasting the output of codesign run against the process :

Executable=XYZ.app/Contents/MacOS/XYZ

Identifier=XYZ

Format=app bundle with Mach-O thin (x86_64)

CodeDirectory v=20500 size=16841 flags=0x10000(runtime) hashes=519+3 location=embedded

VersionPlatform=1

VersionMin=657920

VersionSDK=658944

Hash type=sha256 size=32

CandidateCDHash sha1=f5f01417e803369a70d5b071fced1617486fb712

CandidateCDHash sha256=f6cfb15a010687b5afed942507541c3aa0dc047c

Hash choices=sha1,sha256

Page size=4096

CDHash=f6cfb15a010687b5afed942507541c3aa0dc047c

Signature size=9075

Authority=Developer ID Application: XYZ

Authority=Developer ID Certification Authority

Authority=Apple Root CA

Timestamp=31-May-2020 at 1:35:59 AM

Info.plist entries=26

TeamIdentifier=XYZ

Runtime Version=10.14.0

Sealed Resources version=2 rules=13 files=22

Internal requirements count=1 size=192

Our build process is summarised as :

1. The plist file is named as company-Info.plist and the same name is given in "Build Settings". All options of "Capabilities" in Xcode's project are OFF, including Hardened Runtime

2. I added <key>com.apple.security.cs.disable-library-validation</key>

<true/> to the company-Info.plist file.

3. Build using xcodebuild commandline.

4. Sign the .app file using "sudo codesign -f --options runtime -s "CERTIFICATE" ./company.app --deep.

5. productsign, notarise etc

I just realised - the option has to be given in entitlement file and won't take effect if we add it to plist file!

So, I have to create an entitlement file and give that as an option in codesign command and that shoudl work.

Will try this out and let you know.

Hi