Mojave couldn't load signed Finder plugin

Hi:

We have a Finder plugin and it is signed with a Developer ID cert. Mojave couldn't load it due to the following error:

Error loading myplugin: dlopen(myplugin, 0x0106): code signature in (myplugin) not valid for use in process: mapping process is a platform binary, but mapped file is not.

Any idea?

Thanks

Peter

Replies

What sort of Finder plug-in are we talking about here? A Finder Sync extension? Or something else?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi:

It is a Finder "Connect to Server..." plugin. It is a helper function to support our network file system driver.

Both the file system driver and the Finder plugin are signed with the same "Developer ID" cert. There is no problem for Mojave loading the file system driver, but loading the Finder plugin has a problem.

Thanks

Ah, that’s an interesting edge case. I’m aware of this issue but I’m not sure where things eventually landed. If you open a DTS tech support incident (TSI) I should be able to get you a definitive answer.

Once you open the TSI please email me (my address is in my signature) the follow-up number so that I can make sure it comes to me.

Finally, just by way of backstory, in 10.14 we’ve turned on library validation for most system processes as a general security hardening measure. This means that a system process, like the Finder, is not able to load third-party code into its process even if that code is validly signed. There are various exceptions to this rule to keep certain products — both classes of products and, in some cases, individual products — running, and what I’m not sure about, and what I’ll research when I get your TSI, is how things panned out for NetFS plug-ins.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
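The loading rule Quinn describes (a platform binary such as the Finder only maps code that is itself Apple-signed, or, for a third-party host with library validation, code signed by the same Team ID) can be checked ahead of time from `codesign -dv --verbose=4` output. This is an added diagnostic, not code from the thread or from Apple; the sample outputs, paths and Team ID are constructed, and it assumes no entitlement opts the host out of library validation.

```python
import re

# Constructed samples shaped like `codesign -dv --verbose=4 <path>` output
# (assumed: Finder as the platform host, a Developer ID plug-in, a Developer ID app).
HOST_FINDER = """Executable=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
Identifier=com.apple.finder
CodeDirectory v=20100 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Platform identifier=4
Authority=Software Signing
TeamIdentifier=not set"""
PLUGIN_DEVID = """Executable=/Library/Filesystems/myfs.fs/Contents/PlugIns/myplugin
Identifier=com.example.myplugin
CodeDirectory v=20200 size=456 flags=0x0(none) hashes=10+5 location=embedded
Authority=Developer ID Application: Example Corp (EXAMPLETEAM)
TeamIdentifier=EXAMPLETEAM"""
HOST_APP = """Executable=/Applications/Example.app/Contents/MacOS/Example
CodeDirectory v=20200 size=789 flags=0x10000(runtime) hashes=50+5 location=embedded
Authority=Developer ID Application: Example Corp (EXAMPLETEAM)
TeamIdentifier=EXAMPLETEAM"""

def parse_codesign(text):
    """Reduce codesign's key=value lines to the fields library validation cares about."""
    info = {"flags": set(), "platform": False, "apple_signed": False, "team": None}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "Authority" and value == "Software Signing":
            info["apple_signed"] = True   # leaf cert Apple uses for its own software
        elif key == "Platform identifier":
            info["platform"] = True       # present only on Apple platform binaries
        elif key == "TeamIdentifier":
            info["team"] = None if value == "not set" else value
        elif key.startswith("CodeDirectory"):
            m = re.search(r"flags=0x[0-9a-f]+\(([^)]*)\)", line)
            if m and m.group(1) != "none":
                info["flags"].update(m.group(1).split(","))
    return info

def predict_load(host, plugin):
    """Return (will_load, reason) for dlopen(plugin) inside host under 10.14-style rules."""
    # Platform binaries enforce library validation unconditionally; the hardened
    # runtime does too unless an entitlement opts out (assumption: not checked here).
    if not (host["platform"] or host["apple_signed"] or host["flags"] & {"runtime", "library-validation"}):
        return True, "host does not enforce library validation"
    if plugin["platform"] or plugin["apple_signed"]:
        return True, "plug-in is itself a platform binary"
    if host["team"] and host["team"] == plugin["team"]:
        return True, "plug-in is signed by the host's Team ID"
    if host["platform"]:
        return False, "mapping process is a platform binary, but mapped file is not"
    return False, "plug-in Team ID does not match host"
```

On a real machine, feed the two `codesign` outputs for the host and the plug-in to `parse_codesign` and compare `predict_load` against the dlopen error the thread quotes.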

Hi,

Any update on this problem?

I’m not going to be able to provide updates via DevForums. If you’ve already opened a DTS TSI about this, you should follow up via that TSI. If not, you should open a TSI per my 13 Nov post.

Oh, and I have one correction to that post. I wrote:

If you open a DTS tech support incident (TSI) I should be able to get you a definitive answer.

It turns out that one of my colleagues has picked up this issue, so read “we” for “I” in the above.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I opened a DTS TSI about a similar issue (platform binary won't load plugin). They directed me to open a bug report. I added the following after my explanation of the issue:

"I'm not sure what a good solution to this would be. I totally understand why platform binaries can't load non-platform plugins (I was a little surprised it was possible in 10.13). However, this renders impossible both my project and many other categories of projects. I wonder if it would be possible to issue certificates that allow loading DAL plugins specifically?"

I just got a response on that bug report as follows:

"Due to system hardening, third party plugins will fail to load in platform binaries such as FaceTime.

It should still work in QuickTime Player in 10.14, but moving forward you should not expect it to work anymore, so you should have your own application to stream from your particular plugin."

This is really a non-answer. FaceTime in particular is critical to my project. Do you have any more insight into whether this will be possible via official means going forward? Otherwise my only options are 1) direct users not to upgrade to 10.14 or 2) develop a system patch that bypasses this security mechanism. Both of those options ****.

Thanks,

Ross

Do you have any more insight into whether this will be possible via official means going forward?

No, sorry. DAL plug-ins are way outside of my area of expertise.

My recommendation is that you file an enhancement request requesting a new API for plugging in a video source, one that is compatible with modern security practices. It wouldn’t surprise me if this got closed as a dup, but at least then you’d have a hook to hang your complaints on.

If you do file a bug, please post the number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I've created bug report #49296147 asking for a new API. Thanks for the suggestion.

In the meantime, do you know if it's possible to circumvent this restriction, e.g. by disabling a security check or something?

Edit: It looks like disabling SIP via "csrutil disable" allowed the plugin to load. I wonder if that will continue to work.

I've created bug report #49296147 asking for a new API.

Thanks.

do you know if it's possible to circumvent this restriction

Disabling SIP is the canonical way to do this sort of thing, so I’m glad to hear that it’s working in this case as well.

As to how long it’ll keep working, I can’t say anything concrete about that. In general, Apple has been steadily increasing Mac security to combat evolving threats, but the SIP mechanism is already pretty strict.

I will say that I don’t recommend disabling SIP on production machines, because SIP provides important security guarantees. However, ultimately this is your decision to make.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"