I'm developing a sandboxed application with Xcode which allows the user to open and work with Audio Unit plugins. Working with a beta-tester having a lot of AUs on its laptop running on macOS 12.5.1, we encountered some weird crashes while opening some plugins (Krotos, Flux Audio, Sound Toys, etc.). The message we got was in French, I try to translate it but the original English version could be a little bit different:
Impossible to open “NSCreateObjectFileImageFromMemory-p47UEwps” because the developper can not be verified.
After this first warning, a Fatal Error 100001 message opens and the plugin seems crashed (but not the host).
I easily found some music application users encountering similar issues on the web. From what I read, this error is related to new security rules introduced in macOS 12. And, effectively, some of these plugins tested on an older system work normally. I also read that some (insecure) entitlements of the Hardened Runtime should be able to fix this issue, especially Allow Unsigned Executable Memory Entitlement, whose the doc says:
In rare cases, an app might need to override or patch C code, use the long-deprecated NSCreateObjectFileImageFromMemory (which is fundamentally insecure), or use the DVDPlayback framework. Add the Allow Unsigned Executable Memory Entitlement to enable these use cases. Otherwise, the app might crash or behave in unexpected ways.
Unfortunately, checking this option didn't fix the issue. So, what I tried next was to add Disable Executable Memory Protection (no more success), and finally Allow DYLD Environment Variables and Allow Execution of JIT-compiled Code: none of them solved my problem.
I really don't see what else to do, while I'm sure that a solution exists because the same plugins work perfectly on other application (Logic, Live Ableton). Any help would be greatly appreciated. Thanks !
Looks like you’re making great progress here.
but I have no prove that this version is sandboxed
There are two ways to do that:
-
Run the app, run Activity Monitor, find the app in the process list, and check the Sandbox column. You might need to control click on the list headers to enable that column.
-
Check for the entitlement with
codesign
. I don’t have Logic installed, but here’s an example with GarageBand:
% codesign -d --entitlements - /Applications/GarageBand.app
…
[Dict]
…
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
…
Having said that, working with GarageBand seems like the acid test to me. If an audio unit fails there, it’s worth reporting that as a bug against the audio unit.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"