Can an application signed with "com.apple.security.cs.disable-library-validation" be published as trusted?

I am working on releasing my macOS arm64 app. My problem is that after the user downloads the dmg and double-clicks my.app inside it, a Gatekeeper pop-up appears warning that the developer cannot be verified.

Question: Can an application signed with "com.apple.security.cs.disable-library-validation" be published as trusted?

  1. If yes, what steps have I missed?
  2. If not, can I get an official response from Apple?

(I referred to this post, which seems to say that it is possible to publish trusted software. I have looked up similar questions on the forum and tried many things, but nothing works.)

Here are my steps:

  1. Use codesign to sign my.app. Because my app needs to access third-party dynamic libraries, entitlements.plist contains "com.apple.security.cs.disable-library-validation". After the "codesign -dvvv" check, the signature was successful.✅

  2. Use the "xcrun notarytool" command to notarize my app, and the status is displayed as accepted.✅

  3. Use "xcrun stapler staple" to attach the notarization to my app, and it returns success.✅

  4. Use the "spctl -a -v" command to verify whether my app has passed Gatekeeper; it returns that it has passed.✅

  5. Then I packaged my.app into a dmg, and then attached the notarization mark to the dmg, which was successful.✅

  6. After completing the above steps I distributed the dmg. When I downloaded the dmg as a test user and double-clicked my.app in it, the Gatekeeper pop-up still appeared, saying the developer cannot be verified.❌

Answered by DTS Engineer in 816808022
Can an application signed with com.apple.security.cs.disable-library-validation be published as trusted?

Yes.

There are two caveats:

Based on your description of the issue, I suspect you’ve encountered that second caveat.

Use the spctl -a -v command to verify whether my app has passed Gatekeeper

I generally avoid spctl. Instead, follow the instructions in Testing a Notarised Product.

Then I packaged my.app into a dmg, and then attached the notarization mark to the dmg,

It sounds like you’re notarising twice, once for the app and again for the disk image. That’s not actively harmful, but it’s kinda redundant. In most cases you can get away with notarising just the outermost container, which in this case is the disk image. Packaging Mac software for distribution explains this in more detail.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
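The release steps from the question, adjusted along the lines of the answer above, as an added shell script. It is not code from the thread or from Apple: it signs nested code inside-out with the hardened runtime and the disable-library-validation entitlement, builds the disk image, notarises and staples only that outermost container, then tests the way a user would see it instead of with spctl. The names APP, DMG, ENTITLEMENTS, IDENTITY, KEYCHAIN_PROFILE and the /tmp test path are hypothetical placeholders, and the manually written quarantine value is an approximation of what a browser download sets.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple. Placeholders below are
# assumptions; override them in the environment.
set -eu

APP=${APP:-build/My.app}
DMG=${DMG:-build/My.dmg}
ENTITLEMENTS=${ENTITLEMENTS:-build/entitlements.plist}
IDENTITY=${IDENTITY:-"Developer ID Application: Example Corp (TEAMID1234)"}
# Created once with: xcrun notarytool store-credentials notary --apple-id ... --team-id ...
KEYCHAIN_PROFILE=${KEYCHAIN_PROFILE:-notary}

# Write the hardened-runtime entitlements. Disabling library validation is the
# one entitlement the question needs, so the file is kept to exactly that.
write_entitlements() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>
EOF
}

# Sign nested code first, then the app. Notarisation rejects unsigned code in
# the bundle, so every bundled dylib/framework/plug-in gets the hardened runtime
# too. --timestamp keeps the signature valid after the certificate expires.
sign_app() {
  for nested in "$APP"/Contents/Frameworks/* "$APP"/Contents/PlugIns/*; do
    [ -e "$nested" ] || continue
    codesign --force --sign "$IDENTITY" --timestamp --options runtime "$nested"
  done
  codesign --force --sign "$IDENTITY" --timestamp --options runtime \
    --entitlements "$ENTITLEMENTS" "$APP"
  # Confirm the signature and show the entitlements actually embedded.
  codesign --verify --deep --strict --verbose=2 "$APP"
  codesign --display --entitlements - "$APP"
}

# Package the signed app as a read-only compressed image.
make_dmg() {
  rm -f "$DMG"
  hdiutil create -volname "$(basename "$APP" .app)" -srcfolder "$APP" -ov -format UDZO "$DMG"
}

# Notarise and staple the outermost container only. The notary service records
# the hashes of all code inside the image, so the app is covered by the same
# ticket; stapling lets Gatekeeper find that ticket without a network round trip.
# The log is worth reading even for an Accepted submission: it lists per-file issues.
notarize_dmg() {
  id=$(xcrun notarytool submit "$DMG" --keychain-profile "$KEYCHAIN_PROFILE" --wait --output-format json |
       sed -n 's/.*"id" *: *"\([^"]*\)".*/\1/p' | head -n 1)
  xcrun notarytool log "$id" --keychain-profile "$KEYCHAIN_PROFILE"
  xcrun stapler staple "$DMG"
  xcrun stapler validate "$DMG"
}

# Gatekeeper only evaluates quarantined files, so a locally built app that was
# never quarantined tells you little. syspolicy_check (macOS 14+) explains what
# Gatekeeper would object to; the copy-and-quarantine step then exercises the
# real download path. The quarantine flag value is an approximation (assumption).
test_as_download() {
  syspolicy_check distribution "$APP"
  cp "$DMG" /tmp/download-test.dmg
  xattr -w com.apple.quarantine "0083;$(printf '%x' "$(date +%s)");Safari;" /tmp/download-test.dmg
  open /tmp/download-test.dmg
}

main() {
  write_entitlements "$ENTITLEMENTS"
  sign_app
  make_dmg
  notarize_dmg
  test_as_download
}

# Run the whole pipeline with: RUN_RELEASE=1 sh release.sh
if [ "${RUN_RELEASE:-0}" = 1 ]; then main; fi
```

The app inside the image is not stapled itself; that is fine for a dmg distribution because Gatekeeper checks the image's ticket, but if you also ship the bare app (for example as a zip) staple that copy before archiving it.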

I removed "com.apple.security.cs.disable-library-validation" and followed all the steps. The test result was passed, but my application failed to call the third-party library. Is there any good solution for this?

Hi Engineer!

Thank you very much for your reply. I paid attention to the second caveat and tried to solve it, but I couldn't follow this post; each step was unexpected.

This post pointed out that I need to either contact the third party or bundle the library. I need to use content developed by a third-party developer, but I don't want to bundle it.

As mentioned here, disabling library validation makes it harder to pass Gatekeeper. Resolving Gatekeeper Problems Caused by Dangling Load Command Paths has the details.

Now it is clear that I can't pass Gatekeeper because I signed it with "com.apple.security.cs.disable-library-validation".

Question: Can I have other communication channels besides the forum, or online help tools? I can send my software for review. Because I didn't create it with Xcode, I was blocked by the code-level ticket.
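The dangling-load-command problem referenced above, as an added pre-flight check. This is not code from the thread and not Apple's own check; it approximates the concern: with library validation disabled, any dylib reference that resolves to no file, or to a file outside the notarised bundle, is something Gatekeeper cannot vouch for. Pipe `otool -l` output for the main executable (and each bundled dylib, passing that dylib as EXECUTABLE) into check_load_paths. The otool line shapes assumed are "cmd LC_LOAD_DYLIB", "name <path> (offset N)" and "path <rpath> (offset N)"; paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example, not from the thread and not Apple's own check.
# usage: otool -l My.app/Contents/MacOS/My | check_load_paths My.app/Contents/MacOS/My My.app

tab=$(printf '\t')
nl='
'

# Emit "LC_xxx<TAB>path" for every load command that names a dylib or an rpath.
load_commands() {
  awk '
    $1 == "cmd" { cmd = $2 }
    ($1 == "name" || $1 == "path") &&
      cmd ~ /^LC_(LOAD_DYLIB|LOAD_WEAK_DYLIB|REEXPORT_DYLIB|RPATH)$/ { print cmd "\t" $2 }'
}

# Expand @executable_path, @loader_path and @rpath in $1 and print each
# candidate file path on its own line. Uses exe_dir and rpaths from the caller.
# For the main executable, @loader_path and @executable_path are the same dir.
candidates() {
  case $1 in
    @executable_path/*) printf '%s\n' "$exe_dir/${1#@executable_path/}" ;;
    @loader_path/*)     printf '%s\n' "$exe_dir/${1#@loader_path/}" ;;
    @rpath/*)           for rp in $rpaths; do candidates "$rp/${1#@rpath/}"; done ;;
    *)                  printf '%s\n' "$1" ;;
  esac
}

# check_load_paths EXECUTABLE BUNDLE_DIR   (otool -l output on stdin)
# Prints "<verdict><TAB><load command><TAB><path>" per problem; returns 1 if
# anything was flagged, 0 if every reference resolves inside the bundle or to
# the OS.
check_load_paths() {
  exe=$1
  exe_dir=$(dirname "$exe")
  bundle_abs=$(cd "$2" && pwd -P)
  cmds=$(load_commands)
  rpaths=$(printf '%s\n' "$cmds" | awk -F'\t' '$1 == "LC_RPATH" { print $2 }')
  rc=0
  old_ifs=$IFS
  IFS=$nl
  for line in $cmds; do
    cmd=${line%%"$tab"*}
    lib=${line#*"$tab"}
    [ "$cmd" = LC_RPATH ] && continue
    # OS libraries live in the dyld shared cache and need not exist as files.
    case $lib in
      /System/*|/usr/lib/*) continue ;;
    esac
    found=
    for cand in $(candidates "$lib"); do
      if [ -e "$cand" ]; then
        # Canonicalise so "../.." escapes from the bundle are caught.
        found=$(cd "$(dirname "$cand")" && pwd -P)/$(basename "$cand")
        break
      fi
    done
    if [ -z "$found" ]; then
      printf 'dangling\t%s\t%s\n' "$cmd" "$lib"
      rc=1
    else
      case $found in
        "$bundle_abs"/*) ;;
        *) printf 'outside-bundle\t%s\t%s\n' "$cmd" "$lib"; rc=1 ;;
      esac
    fi
  done
  IFS=$old_ifs
  return $rc
}
```

A "dangling" entry is usually a leftover from the build (an rpath or install name pointing at a developer machine or a library that was never copied in); an "outside-bundle" entry is a load command that will pull code from somewhere the notary ticket does not cover. Fixing either with install_name_tool, or by bundling the library, removes the reason Gatekeeper has to distrust the app even with library validation disabled.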
