Debugging and fixing rPaths for GateKeeper?

I am yet another developer facing the issue of having a notarized application cryptically blocked by GateKeeper with the unhelpful "unidentified developer" message.

I followed Eskimo's instructions to comb through the system logs, and caught an event from XprotectService:

File /Applications/Cook-a-Dream.app/Contents/Resources/app_packages/PySide6/lupdate failed on rPathCmd /Users/qt/work/install/lib/QtCore.framework/Versions/A/QtCore

Googling around, I found some people reporting similar problems (with other libraries) that were fixed by detecting this kind of problem and deleting/changing some of the rpaths with install_name_tool.

The questions:

  1. How do I confirm if the issue is indeed one of rpath?
  2. What are the general "rules" that govern what is allowed or not allowed in terms of rpaths for GateKeeper?
  3. Can I add a prophylactic step to my workflow to detect those issues before notarization?

This is probably the #1 cause of mysterious Gatekeeper rejections. At one point I’ll write it up properly but today is not that day )-: In the meantime…

Have you disabled library validation? That is, is any of your code signed with the com.apple.security.cs.disable-library-validation entitlement?

If so, do you need to disable library validation [1]? To quote the Important callout at the bottom of that page:

Because library validation is such an important security-hardening feature, Gatekeeper runs extra security checks on programs that have it disabled. If your program is blocked by Gatekeeper, check whether you’ve unnecessarily disabled library validation.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] IME the only good reason to disable library validation is that your app loads in-process plug-ins from other third parties.

I am running everything with --runtime, which, I understand, includes library validation?

… by default. Many folks opt out of it with the com.apple.security.cs.disable-library-validation entitlement, which is the most common cause of the problem you’re seeing.

To investigate this:

  1. Find every main executable in your app bundle:

    % find /Applications/Searchiverse\ 3.app -type f -print0 | xargs -0 file | grep executable
    
  2. For each one, dump its entitlements:

    % codesign -d --entitlements - --xml /path/to/executable | plutil -convert xml1 -o - -
    

    Note: This assumes you’re on macOS 12. If you’re on an older system, use:

    % codesign -d --entitlements :- /path/to/executable
    
  3. What do you see?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
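As an added example (not from this thread, and not Apple's tooling), the three steps above as a script that can run before notarization: it lists each Mach-O file in the bundle, flags any whose entitlements disable library validation, and flags load commands (LC_RPATH and LC_LOAD_DYLIB-style) carrying absolute paths outside the bundle and the system library directories, which is the shape of the rPathCmd path in the XprotectService message. The parsing functions take `otool -l` and `plutil` output on stdin so they can be checked on their own; `audit_bundle` needs macOS for `file`, `codesign`, `plutil` and `otool`. The bundle path and the set of "system" prefixes are assumptions.

```shell
#!/bin/sh
# Pre-notarization audit (added example). Two checks Quinn points at:
#  1. is com.apple.security.cs.disable-library-validation set on any binary?
#  2. does any binary reference an absolute path that only existed on the
#     build machine (e.g. /Users/qt/work/install/lib/...)?

# Reads `otool -l` output on stdin; prints load-command paths that are
# absolute and neither inside the bundle ($1) nor under /usr/lib or /System.
flag_foreign_paths() {
    awk -v bundle="$1" '
        $1 == "cmd" { cmd = $2; next }
        (cmd == "LC_RPATH" && $1 == "path") ||
        (cmd ~ /^LC_(LOAD_DYLIB|LOAD_WEAK_DYLIB|REEXPORT_DYLIB)$/ && $1 == "name") {
            p = $2                                  # field after "path"/"name"
            if (p ~ /^\// && index(p, bundle) != 1 &&
                p !~ /^\/usr\/lib\// && p !~ /^\/System\//)
                print cmd, p
        }'
}

# Reads an xml1 entitlements plist on stdin; exit 0 if library validation
# is disabled (key present and followed by <true/>), 1 otherwise.
disables_library_validation() {
    awk '/<key>com.apple.security.cs.disable-library-validation<\/key>/ {
             getline; if ($0 ~ /<true\/>/) found = 1 }
         END { exit found ? 0 : 1 }'
}

# Walks every Mach-O file in the bundle (macOS only) and reports findings.
audit_bundle() {
    app="$1"
    find "$app" -type f -print0 | xargs -0 file | grep 'Mach-O' | cut -d: -f1 |
    while read -r f; do
        if codesign -d --entitlements - --xml "$f" 2>/dev/null |
           plutil -convert xml1 -o - - | disables_library_validation; then
            echo "$f: library validation DISABLED"
        fi
        otool -l "$f" | flag_foreign_paths "$app" | sed "s|^|$f: |"
    done
}

# usage: audit_bundle /Applications/nodelab.app
```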

Hi @eskimo, as yet another developer facing a problem with Gatekeeper failing even when notarization succeeds: where can I file a request for Apple to improve the Gatekeeper feedback? The Gatekeeper user dialogue should arguably at least have a button to get more details on the problem. Also, the fact that caching means that issues are only properly logged to the system logs the first time ... I mean, come on!

where can I file a request for Apple to improve the Gatekeeper feedback?

In the usual place.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

PS: These are the log entries that seem relevant. The last one is about an unresolved rpath.

2022-05-01 08:48:26.907551+0200 0x12fa3c Default 0x0 694 2 ***: (LaunchServices) [com.apple.launchservices:default] Non-fatal error enumerating at , continuing: Error Domain=NSCocoaErrorDomain Code=260 "The file “PlugIns” couldn’t be opened because there is no such file." UserInfo={NSURL=PlugIns/ -- file:///Volumes/Nodelab/nodelab.app/Contents/, NSFilePath=/Volumes/Nodelab/nodelab.app/Contents/PlugIns, NSUnderlyingError=0x7fdca7184270 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}

2022-05-01 09:27:56.604669+0200 0x12fa3c Default 0x0 694 2 ***: (LaunchServices) [com.apple.launchservices:default] Non-fatal error enumerating at , continuing: Error Domain=NSCocoaErrorDomain Code=260 "The file “PlugIns” couldn’t be opened because there is no such file." UserInfo={NSURL=PlugIns/ -- file:///Volumes/Nodelab/nodelab.app/Contents/MacOS/PySide6/Qt/lib/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/, NSFilePath=/Volumes/Nodelab/nodelab.app/Contents/MacOS/PySide6/Qt/lib/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/PlugIns, NSUnderlyingError=0x7fdca6784360 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}

2022-05-01 09:27:56.604684+0200 0x12fa3c Default 0x0 694 2 ***: (LaunchServices) [com.apple.launchservices:default] - 45683955: Checking whether application is managed at file:///Volumes/Nodelab/nodelab.app/Contents/MacOS/PySide6/Qt/lib/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app//org.qt-project.Qt.QtWebEngineProcess

2022-05-01 09:29:06.716051+0200 0x140134 Error 0x0 581 0 XprotectService: [com.apple.xprotect:xprotect] File /Applications/nodelab.app/Contents/MacOS/PySide6/Qt/lib/QtWebEngineCore.framework/Versions/A/Helpers/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess failed on rPathCmd /Users/qt/work/install/lib/QtOpenGL.framework/Versions/A/QtOpenGL (rpath resolved to: (path not found), bundleURL: /Applications/nodelab.app)

The last one is about an unresolved rpath.

Indeed.

Keep in mind that Gatekeeper only runs this check if you have library validation disabled. Unless your app needs to load plug-ins written by other third-party developers, the best solution here is to not disable library validation. That fixes this problem and it’s best practice for security.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
