library load disallowed by system policy

I have an app that uses some third party libraries.

On Big Sur and higher, I get:

Library Validation failed: Rejecting '/private/var/folders/z6/brj_stf93c324m65z2qcjt_c0000gp/T/ffifq082P' (Team ID: none, platform: no) for process 'The Core TG Cont(22729)' (Team ID: <MY_TEAM_ID>, platform: no), reason: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.

But if I add the following to entitlements, it works:

<key>com.apple.security.cs.disable-library-validation</key>
<true/>

On 10.15 and below, it fails regardless of that entry for entitlements with:

default	12:18:49.451209-0500	kernel	Library load (/private/tmp/ffiSMMmHE) rejected: library load disallowed by system policy

The app bundle is signed and notarized, and I signed all of the library files within the app:

find "myApp.app" -iname '*.so' -or -iname '*.dylib'| while read libfile; do codesign --remove-signature "${libfile}"; done;
find "myApp.app" -iname '*.so' -or -iname '*.dylib'| while read libfile; do codesign -s "$IDENTITY" --timestamp --options=runtime --entitlements "${ENTITLEMENTS}" "${libfile}"; done;

codesign -vvv --deep --strict "myApp.app" returns:

myApp.app: valid on disk

myApp.app: satisfies its Designated Requirement

So despite the fact that I've signed all of the libraries in the app bundle, something is still registering as unsigned somehow.

And since the library name is converted into an unintelligible string, I don't know how to proceed with troubleshooting which library is causing problems.

Furthermore, is there a reason that disabling library validation works on Big Sur+, but not on 10.14 and 10.15?

Edit (where did the edit button go for my post? lol): I've now observed the same problem on machines running 12.5.1 - so I think the macOS version could be a red herring. There's some other variable I'm missing, but it works on some machines running Big Sur, but many others fail with the errors outlined above.

I have an app that uses some third party libraries.

Are these supplied by the user at runtime? Or do these ship as part of your product?


where did the edit button go for my post?

DevForums only lets you edit posts for a short time after you post. I coulda sworn we documented that in the main DevForums support page, but I can’t find it now. I do mentioned it in tip #5 in my Quinn’s Top Ten DevForums Tips post.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the reply, @eskimo!

Everything is included within the app bundle, there are no additional dependencies required of the user.

To summarize:

  • The app doesn't work on any devices without disabling library validation via entitlements
  • Disabling library validation only fixes it on certain machines (I have two machines on 12.5.1, and it works on one but not the other)

Side note - your top ten list is 14 items long? It's like you turned it up to 11 and just... kept going :)

Everything is included within the app bundle, there are no additional dependencies required of the user.

OK, then you should run with library validation enabled because a) it’s better for security, and b) disabling library validation makes it harder to pass Gatekeeper.

For this to work you have to sign all code that you ship with your signing identity. That’s what you should be doing anyway.

The weird thing is the temporary directory paths showing up in the error messages. This suggests that something with your process is copying libraries around. I’ve seen this sort of thing in other apps. For example, the app might have a library within a compressed archive and then unarchives it to the temporary directory and tries to run it from there. That never ends well.

When this fails, what is the actual failure mode? Does your app crash on launch? Or does it get to main and then fail later on?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

OK, then you should run with library validation enabled because a) it’s better for security, and b) disabling library validation makes it harder to pass Gatekeeper. For this to work you have to sign all code that you ship with your signing identity. That’s what you should be doing anyway.

Agreed, I only disabled library validation to confirm the problem. As far as I can tell (as verified by Apple's recommended codesign -vvv --deep --strict) everything is properly signed, notarized, and stapled.

The weird thing is the temporary directory paths showing up in the error messages. This suggests that something with your process is copying libraries around. I’ve seen this sort of thing in other apps. For example, the app might have a library within a compressed archive and then unarchives it to the temporary directory and tries to run it from there. That never ends well.

That was my thought as well, there is a zip folder inside the app bundle (/Contents/Resources/lib/python39.zip) but I couldn't find any library files (searching for .so and .dylib extensions). It's mostly pyc files.

When this fails, what is the actual failure mode? Does your app crash on launch? Or does it get to main and then fail later on?

Funny thing is, the app doesn't actually crash/exit. I can check that the process is running via ps | grep myApp - it just never displays anything or prints anything to stdout.

Update: I stumbled across this thread (https://gitlab.com/inkscape/inkscape/-/issues/2299) which discusses the entitlements that python uses when installed directly (via Python.org or Homebrew, etc.)

It seems that Python.org uses the following entitlements:

sh-3.2# codesign -d --entitlements - /usr/local/bin/python
Executable=/Library/Frameworks/Python.framework/Versions/3.10/bin/python3.10
[Dict]
	[Key] com.apple.security.automation.apple-events
	[Value]
		[Bool] true
	[Key] com.apple.security.cs.allow-dyld-environment-variables
	[Value]
		[Bool] true
	[Key] com.apple.security.cs.disable-executable-page-protection
	[Value]
		[Bool] true
	[Key] com.apple.security.cs.disable-library-validation
	[Value]
		[Bool] true

If I mimic this for my application, it works on machines where it was previously failing.

If I can find a way to make this work without disabling validation, great - but I've signed everything I can find, and apparently Python.org doesn't even have a better solution...

So, something in your process is trying to load this temporary directory file as code. And the contents of that file must come from somewhere (either unpacked from somewhere inside your app or generated on the fly). IMO it’d be worth tracking that down rather than just disabling a bunch of security features using hardened runtime exception entitlements.

I’m happy to help you track down where this is coming from, but that’d need more time than I can allocate to DevForums. If you want to pursue that path, open a DTS tech support incident and we can pick things up there.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the input, Eskimo! I may take you up on that.

library load disallowed by system policy
 
 
Q