Debugging and fixing rPaths for GateKeeper?

This is probably the #1 cause of mysterious Gatekeeper rejections. At one point I’ll write it up properly but today is not that day )-: In the meantime…

Have you disabled library validation? That is, is any of your code signed with the com.apple.security.cs.disable-library-validation entitlement?

If so, do you need to disable library validation [1]? To quote the Important callout at the bottom of that page.

Because library validation is such an important security-hardening feature, Gatekeeper runs extra security checks on programs that have it disabled. If your program is blocked by Gatekeeper, check whether you’ve unnecessarily disabled library validation.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] IME the only good reason to disable library validation is that your app loads in-process plug-ins from other third parties.

I am running everything with --runtime, which, I understand, includes library validation?

… by default. Many folks opt out of it with the com.apple.security.cs.disable-library-validation entitlement, which is the most common cause of the problem you’re seeing.

To investigate this:

1. Find every main executable in your app bundle:

   % find /Applications/Searchiverse\ 3.app -type f -print0 | xargs -0 file | grep executable
   

2. For each one, dump its entitlements:

   % codesign -d --entitlements - --xml /path/to/executable | plutil -convert xml1 -o - -
   

   Note This assumes you’re on macOS 12. If you’re on an older system, use:

   % codesign -d --entitlements :- /path/to/executable
   

3. What do you see?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi @eskimo, As yet another developer facing a problem with Gatekeeper failing even when notarization succeeds - where can I file a request for Apple to improve the Gatekeeper feedback? The Gatekeeper user dialogue should arguably at least have button to get more details on the problem. Also, the fact that caching means that issues are only properly logged to system logs the first time ... I mean, come on!

where can I file a request for Apple to improve the Gatekeeper feedback?

In the usual place.

Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

PS: These are the log entries that seem relevant. The last one is about an unresolved rpath.

2022-05-01 08:48:26.907551+0200 0x12fa3c Default 0x0 694 2 ***: (LaunchServices) [com.apple.launchservices:default] Non-fatal error enumerating at , continuing: Error Domain=NSCocoaErrorDomain Code=260 "The file “PlugIns” couldn’t be opened because there is no such file." UserInfo={NSURL=PlugIns/ -- file:///Volumes/Nodelab/nodelab.app/Contents/, NSFilePath=/Volumes/Nodelab/nodelab.app/Contents/PlugIns, NSUnderlyingError=0x7fdca7184270 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}

2022-05-01 09:27:56.604669+0200 0x12fa3c Default 0x0 694 2 ***: (LaunchServices) [com.apple.launchservices:default] Non-fatal error enumerating at , continuing: Error Domain=NSCocoaErrorDomain Code=260 "The file “PlugIns” couldn’t be opened because there is no such file." UserInfo={NSURL=PlugIns/ -- file:///Volumes/Nodelab/nodelab.app/Contents/MacOS/PySide6/Qt/lib/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/, NSFilePath=/Volumes/Nodelab/nodelab.app/Contents/MacOS/PySide6/Qt/lib/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app/Contents/PlugIns, NSUnderlyingError=0x7fdca6784360 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}

2022-05-01 09:27:56.604684+0200 0x12fa3c Default 0x0 694 2 ***: (LaunchServices) [com.apple.launchservices:default] - 45683955: Checking whether application is managed at file:///Volumes/Nodelab/nodelab.app/Contents/MacOS/PySide6/Qt/lib/QtWebEngineCore.framework/Helpers/QtWebEngineProcess.app//org.qt-project.Qt.QtWebEngineProcess

2022-05-01 09:29:06.716051+0200 0x140134 Error 0x0 581 0 XprotectService: [com.apple.xpr otect:xprotect] File /Applications/nodelab.app/Contents/MacOS/PySide6/Qt/lib/QtWebEngineCore.framework/Versions/A/Helpe rs/QtWebEngineProcess.app/Contents/MacOS/QtWebEngineProcess failed on rPathCmd /Users/qt/work/install/lib/QtOpenGL.fram ework/Versions/A/QtOpenGL (rpath resolved to: (path not found), bundleURL: /Applications/nodelab.app)

The last one is about an unresolved rpath.

Indeed.

Keep in mind that Gatekeeper only runs this check if you have library validation disabled. Unless your app needs to load plug-ins written by other third-party developers, the best solution here is to not disable library validation. That fixes this problem and it’s best practice for security.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"