Network Extension doesn't work with com.apple.security.cs.disable-library-validation entitlement

I am developing a macOS application hosting a Network Extension (app proxy provider). I am signing with a Developer ID certificate to distribute outside the App Store and notarizing the host app with the following entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>app-proxy-provider-systemextension</string>
	</array>
	<key>com.apple.developer.system-extension.install</key>
	<true/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>com.my-organization.my-group</string>
	</array>
	<key>com.apple.security.network.client</key>
	<true/>
</dict>
</plist>

After notarizing the app, I am able to install and use the Network Extension.

Now I have a requirement to add the following entitlements (because I need to use some third party native libraries which are signed ad-hoc):

<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>

As soon as I add those entitlements, the application starts crashing at startup:

Exception Type:  EXC_CRASH (SIGKILL (Code Signature Invalid))
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: CODESIGNING 1 Taskgated Invalid Signature

Triggered by Thread:  0

Thread 0 Crashed:
0   ???                           	       0x11cf78ef0 _dyld_start + 0
1   ???                           	       0x10f62c000 ???


Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x0000000000000000  rcx: 0x0000000000000000  rdx: 0x0000000000000000
  rdi: 0x0000000000000000  rsi: 0x0000000000000000  rbp: 0x0000000000000000  rsp: 0x00007ff7b08d3b98
   r8: 0x0000000000000000   r9: 0x0000000000000000  r10: 0x0000000000000000  r11: 0x0000000000000000
  r12: 0x0000000000000000  r13: 0x0000000000000000  r14: 0x0000000000000000  r15: 0x0000000000000000
  rip: 0x000000011cf78ef0  rfl: 0x0000000000000200  cr2: 0x0000000000000000
  
Logical CPU:     0
Error Code:      0x00000000 
Trap Number:     0


Binary Images:
       0x11cf74000 -        0x11d00bfff ??? (*) <bba77709-6cad-3592-ab03-09d0f7b8610e> ???
       0x10f62c000 -        0x10f62dfff ??? (*) <4c4c44aa-5555-3144-a128-fba98974e1e0> ???

Error Formulating Crash Report:
dyld_process_snapshot_get_shared_cache failed

If I remove the com.apple.developer.networking.networkextension and com.apple.developer.system-extension.install, then the app starts but of course I cannot activate and use the Network Extension.

So my question is whether the network extension entitlements and the disable-library-validation entitlements can be used together?

Regarding:

com.apple.security.cs.disable-library-validation

Why do you specifically need to use this entitlement? Are you not able to pull in the third party libraries and include them as part of your project? Typically when disable-library-validation is involved it's hiding another macOS bundling problem in the structure of your bundle.

Does your bundle correctly adhere to the following rules for macOS:

@meaton, the reason I need the disable-library-validation entitlement is because my app is hosting a .NET Core utility (bundled in the Resources folder and called as a sub-process). This utility depends on some dynamic libraries (libcoreclr.dylib, libclrgc.dylib, libclrjit.dylib, ...) shipped by Microsoft which are ad-hoc signed. If I re-sign them with codesign (with timestamp and hardened runtime), my .NET Core app no longer starts as its dependencies do not have the expected signatures.

my .NET Core app no longer starts as its dependencies do not have the expected signatures.

You need to discuss this with the library’s vendor. Apple expects that you sign all the code that you include in your product. Even if you managed to get past this immediate obstacle, you’ll run into distribution problems down the pike:

  • If you’re distributing via the Mac App Store, it will reject any ad hoc signed code.

  • If you’re distributing independently, you’ll have to notarise your product and the notary server will reject any ad hoc signed code.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
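The point made above, that the notary service rejects ad hoc signed code, can be checked before submitting: every Mach-O file in the bundle should show a real signing authority and the hardened-runtime flag in its code directory, not Signature=adhoc. The script below is an added example for this thread, not code from the original poster or from Apple. It walks an .app bundle, runs codesign -dvvv on each Mach-O file and classifies the result; the parsing functions are separated so they can be exercised on the constructed sample output embedded in the script (the paths, identifier and team ID in those samples are made up for illustration).

```shell
#!/bin/sh
# Added example: audit a macOS bundle for ad hoc signed or unsigned Mach-O
# files, the condition that notarization and the Mac App Store reject.
# Needs codesign(1) and file(1), so the scan itself only runs on macOS;
# the parsing helpers work anywhere.

# signature_kind: read the merged stdout+stderr of `codesign -dvvv <file>`
# on stdin and print exactly one word: adhoc, signed, unsigned or unknown.
#   - ad hoc signatures print a literal "Signature=adhoc" line
#   - certificate-backed signatures print one "Authority=" line per cert
#   - unsigned objects make codesign print "code object is not signed at all"
signature_kind() {
    awk '
        /^Signature=adhoc$/                 { kind = "adhoc" }
        /^Authority=/ && kind == ""         { kind = "signed" }
        /code object is not signed at all/  { kind = "unsigned" }
        END { print (kind == "" ? "unknown" : kind) }
    '
}

# has_hardened_runtime: same input on stdin; succeeds when the CodeDirectory
# flags include "runtime" (e.g. flags=0x10000(runtime)), which is what
# `codesign --options runtime` sets and notarization requires.
has_hardened_runtime() {
    grep -q '^CodeDirectory .*flags=0x[0-9a-f]*([^)]*runtime'
}

# audit_bundle <path/to/App.app>: print "<kind> <runtime|no-runtime> <file>"
# for every Mach-O file in the bundle (executables, dylibs, frameworks,
# nested helpers such as a bundled .NET runtime in Resources).
audit_bundle() {
    bundle="$1"
    find "$bundle" -type f | while IFS= read -r f; do
        case "$(file -b "$f" 2>/dev/null)" in
            Mach-O*) ;;          # thin or universal Mach-O
            *) continue ;;       # plists, nibs, images: nothing to sign
        esac
        out="$(codesign -dvvv "$f" 2>&1 || true)"
        kind="$(printf '%s\n' "$out" | signature_kind)"
        if printf '%s\n' "$out" | has_hardened_runtime; then
            rt=runtime
        else
            rt=no-runtime
        fi
        printf '%s %s %s\n' "$kind" "$rt" "$f"
    done
}

# Constructed sample output, shaped like codesign -dvvv on an ad hoc signed
# dylib (hypothetical path and identifier, not a real file).
SAMPLE_ADHOC='Executable=/Example.app/Contents/Resources/tool/libexample.dylib
Identifier=libexample
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=1234 flags=0x2(adhoc) hashes=30+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12'

# Constructed sample shaped like a Developer ID signed, hardened-runtime
# binary (team ID and organisation name are placeholders).
SAMPLE_DEVID='Executable=/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=4567 flags=0x10000(runtime) hashes=131+7 location=embedded
Signature size=8980
Authority=Developer ID Application: Example Org (TEAMID1234)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2024 at 00:00:00
TeamIdentifier=TEAMID1234
Runtime Version=13.0.0
Sealed Resources version=2 rules=13 files=42'

# With a bundle path as argument, audit it; otherwise show the classifier
# on the constructed samples.
if [ -n "${1-}" ]; then
    audit_bundle "$1"
else
    printf 'ad hoc sample       -> %s\n' "$(printf '%s\n' "$SAMPLE_ADHOC" | signature_kind)"
    printf 'developer id sample -> %s\n' "$(printf '%s\n' "$SAMPLE_DEVID" | signature_kind)"
fi
```

Run it as `sh audit-signatures.sh MyApp.app` and look for any line starting with adhoc, unsigned or no-runtime; those are the files that need to be signed with the Developer ID identity and `--options runtime` before the bundle is notarized, or, as noted above, taken up with the vendor that ships them.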
