How to sign a binary with disable-library-validation entitlement?

I'm trying to sign some PHP binaries so that they are happy to run PHP extensions compiled by other people.

I've tried creating a signing-entitlements.plist such as:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>com.apple.security.cs.disable-library-validation</key>
        <true/>
    </dict>
</plist>

but when trying to run the following:

codesign --entitlements signing-entitlements.plist --force --options runtime --sign "$release_certificate" "$file"

...I get the following error: signing-entitlements.plist: cannot read entitlement data

Do I need to convert the XML to some other format perhaps?

Is it even the right entitlement to achieve what I am trying to do?

Thanks for any help!

Replies

I can’t see anything obviously wrong with your entitlements. The most common cause of problems like this is some hard-to-see malformation, like CR LF line endings or a leading BOM. To fix those, run your property list through plutil:

% plutil -convert xml1 -o reformatted.entitlements original.entitlements

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Wow, thanks @eskimo — you were right... as always 😆

plutil reformatted my entitlements to the following, which then worked perfectly:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
</dict>
</plist>

The changes were:

  • <!DOCTYPE moved to its own line
  • https became http
  • <dict> entry outdented one tab
  • a final line ending was added (they were already in "Unix" format according to Sublime Text)

Somewhat annoyingly, I can use codesign -d --entitlements - --xml /path/to/binary to print the binary's entitlement as XML, but it's not in the pedantic format which codesign itself can read.
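The following is an added example, not code from the thread or from Apple, for readers who want to reproduce Quinn's plutil fix on any platform and see what the entitlement actually grants before signing with it. It uses the standard library's plistlib, whose XML writer emits the same canonical layout that `plutil -convert xml1` produced above (DOCTYPE on its own line, the http DTD URL, tab indentation, trailing newline). The input is constructed: the question's plist with a UTF-8 BOM, CR LF line endings and a missing final newline deliberately added. The names diagnose, normalize, risky_entitlements and the RISKY table are this example's own; the entitlement keys in RISKY are real hardened-runtime entitlements and the descriptions are short summaries of what each relaxes. Note the security trade-off behind the original question: com.apple.security.cs.disable-library-validation is indeed what lets a hardened-runtime binary dlopen extensions signed by another Team ID, but it equally lets any dylib a local attacker can drop into the extension directory be loaded, so keep the entitlement file to exactly the keys you need.

```python
import plistlib

BOM = b"\xef\xbb\xbf"

# Constructed sample (not a real file from the thread): the question's
# entitlements plist, damaged in the hard-to-see ways Quinn describes -
# a leading UTF-8 BOM, CR LF line endings and no final newline.
DAMAGED_ENTITLEMENTS = (
    BOM
    + b'<?xml version="1.0" encoding="UTF-8"?>'
    + b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    + b'"https://www.apple.com/DTDs/PropertyList-1.0.dtd">\r\n'
    + b'<plist version="1.0">\r\n'
    + b"    <dict>\r\n"
    + b"        <key>com.apple.security.cs.disable-library-validation</key>\r\n"
    + b"        <true/>\r\n"
    + b"    </dict>\r\n"
    + b"</plist>"
)

# Hardened-runtime entitlements that each switch off one protection.
# The descriptions are this example's summaries of Apple's documentation.
RISKY = {
    "com.apple.security.cs.disable-library-validation":
        "may load plug-ins/frameworks not signed by Apple or by the app's Team ID",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* variables, so libraries can be injected at launch",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "may map writable+executable memory that carries no code signature",
    "com.apple.security.cs.debugger":
        "may attach to other processes as a debugger",
}


def diagnose(raw: bytes) -> list:
    """List the invisible malformations that make codesign reject a plist."""
    problems = []
    if raw.startswith(BOM):
        problems.append("leading UTF-8 BOM")
    if b"\r\n" in raw:
        problems.append("CR LF line endings")
    if raw and not raw.endswith(b"\n"):
        problems.append("no final newline")
    return problems


def normalize(raw: bytes) -> bytes:
    """Re-emit the plist the way `plutil -convert xml1` does.

    Strips the BOM and CR LF, parses the XML, and serialises the
    dictionary again with plistlib's canonical writer (DOCTYPE on its
    own line, http DTD URL, tab indentation, trailing newline).
    """
    cleaned = raw.removeprefix(BOM).replace(b"\r\n", b"\n")
    data = plistlib.loads(cleaned)
    if not isinstance(data, dict):
        raise ValueError("entitlements plist must have a dictionary at top level")
    return plistlib.dumps(data, fmt=plistlib.FMT_XML)


def risky_entitlements(plist_bytes: bytes) -> dict:
    """Return the RISKY entitlements set to <true/>, with what each one grants."""
    data = plistlib.loads(plist_bytes)
    return {key: RISKY[key] for key, value in data.items()
            if key in RISKY and value is True}


if __name__ == "__main__":
    print("problems:", diagnose(DAMAGED_ENTITLEMENTS))
    fixed = normalize(DAMAGED_ENTITLEMENTS)
    print(fixed.decode())
    for key, effect in risky_entitlements(fixed).items():
        print(f"WARNING {key}: {effect}")
```

Run it, write the bytes returned by normalize to your .entitlements file, and then sign with the codesign invocation from the question. After signing, the thread's own `codesign -d --entitlements - --xml /path/to/binary` shows what actually went into the signature; feeding that output through risky_entitlements is a cheap way to catch a build that accidentally grants more than library-validation bypass.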