Disable library validation entitlements makes app fail GateKeeper

Hello!
I need to load a dylib signed by another developer (using dlopen). For that, I added the following entitlement to the hardened runtime:

    com.apple.security.cs.disable-library-validation

However, after adding this entitlement, the app fails to start, generating a crash report indicating a code signing failure.
This happens even without any code for loading the library in the app.

I tried it in a blank project, and it worked just fine.

The app also has the Endpoint Security entitlement (in the provisioning profile), so I suspect that might be the cause; however, I was not able to find anything about this in the documentation.

Thank you for any help.

When the app fails to start do you get a Gatekeeper alert? If so, what’s the exact wording on that alert?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
I do not. It is a LaunchDaemon bundled as an app bundle. I am not even sure if it is Gatekeeper that kills it; all I was able to find was a crash report with code signing specified as a reason for the crash.

I am not even sure if it is Gatekeeper that kills it; all I was able
to find was a crash report with code signing specified as a reason for
the crash.

So, Gatekeeper is a user-level term for a variety of underlying technologies. A launchd daemon will never generate a Gatekeeper alert because it’s not running in a user context. It is, however, subject to Gatekeeper (at least on modern systems).

The most common cause of this problem is a rogue library load command in your executable or one of the libraries it uses. When library validation is enabled Gatekeeper doesn’t check these because it knows that library validation will protect you from loading bogus code.

However, in this case I think the issue is more straightforward: The trusted execution system, as a matter of policy, requires that EndpointSecurity clients have the hardened runtime enabled and that they not apply any hardened runtime exceptions [1]. Thus your ES daemon won’t be able to disable library validation.

What sort of third-party code are you trying to load? Does your daemon support some sort of plug-in mechanism? Or are you shipping a library with your product that just happens to be signed by someone else?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

[1] IIRC the very latest OS releases have an exception to this policy, namely that they are allowed to use com.apple.security.cs.allow-jit, but that’s not relevant to your situation.
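As an added illustration (not code from this thread or from Apple), here is a pre-flight check in Python that reads an entitlements plist, as dumped with `codesign -d --entitlements :- <path>` on macOS, and flags hardened runtime exceptions requested by an Endpoint Security client, the policy conflict described above. The exception key names are Apple's published com.apple.security.cs.* keys, the ES client entitlement name is assumed to be `com.apple.developer.endpoint-security.client`, and the sample plist is constructed here.

```python
import plistlib

# Apple's documented hardened runtime exception entitlements.
HARDENED_RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.disable-executable-page-protection",
    "com.apple.security.cs.debugger",
}
# Assumed name of the Endpoint Security client entitlement.
ES_CLIENT = "com.apple.developer.endpoint-security.client"
# Per the footnote above, recent releases tolerate allow-jit for ES clients;
# report it as a warning rather than an error.
TOLERATED = {"com.apple.security.cs.allow-jit"}


def check_es_entitlements(plist_bytes):
    """Return a list of findings; empty means the ES policy is satisfied."""
    ents = plistlib.loads(plist_bytes)
    findings = []
    if not ents.get(ES_CLIENT):
        return findings  # the no-exceptions rule only applies to ES clients
    for key in sorted(HARDENED_RUNTIME_EXCEPTIONS):
        if ents.get(key):
            level = "warning" if key in TOLERATED else "error"
            findings.append(f"{level}: ES client requests hardened runtime exception {key}")
    return findings


# Constructed sample: an ES client that also disables library validation.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.developer.endpoint-security.client</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for line in check_es_entitlements(SAMPLE_ENTITLEMENTS):
        print(line)
```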
Thank you for the answer. That's what I was suspecting. It would be nice if it were mentioned somewhere in the documentation (maybe it is, I was unable to find it). I am trying to load libhostfxr.dylib, which is shipped with the .NET installation on the system and would allow me to host the .NET runtime in my process.

It would be nice if it were mentioned somewhere in the
documentation (maybe it is, I was unable to find it).

I don’t think so; in situations like this I’d appreciate you filing a bug against the docs to help those that come after. Please post your bug number, just for the record.

I am trying to load libhostfxr.dylib, which is shipped with the .NET
installation on the system and would allow me to host the .NET runtime in
my process.

You have a couple of choices here:
  • You can bundle the .NET runtime with your product (assuming appropriate licences, which is not something I’m qualified to comment on) at which point it’d be signed by you and thus not hit this limitation.

  • You can host this .NET code in a separate process and have your ES code communicate with it via IPC.

I’m kinda inclined towards the latter because it yields a degree of privilege separation. ES clients occupy a very privileged position in the system and loading third- (and then fourth-) party code into your ES client is a bit of a worry.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

I have the same problem with Xcode 13.0 on macOS Big Sur v11.6. The app crashes on startup (after the launch screen) when building a debug version on a real device (but not the simulator). None of the solutions I found on the Internet work for me, including disabling library validation in the entitlements file. This happens when I include any pod in my project. The same project runs as expected in Xcode 12.4 on macOS Catalina v10.15.7. Please help; this issue occurred when I installed Big Sur.

dyld: Library not loaded: @rpath/FBLPromises.framework/FBLPromises  Referenced from: /private/var/containers/Bundle/Application/F075E6CB-7E44-471E-9515-C99C6749ECEA/MyApp.app/MyApp  Reason: no suitable image found. Did find: /private/var/containers/Bundle/Application/F075E6CB-7E44-471E-9515-C99C6749ECEA/MyApp.app/Frameworks/FBLPromises.framework/FBLPromises: code signature in (/private/var/containers/Bundle/Application/F075E6CB-7E44-471E-9515-C99C6749ECEA/MyApp.app/Frameworks/FBLPromises.framework/FBLPromises) not valid for use in process using Library Validation: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)

This happens when I include any pod in my project.

Presumably you’re referring to CocoaPods here. If so, I recommend that you escalate this via their support channel. I don’t maintain expertise in third-party tools.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
