Library fails to load with hardened runtime

Hi,


Unless I add the com.apple.security.cs.disable-library-validation entitlement, my application won't run with the hardened runtime. When I try to run it, one of the dynamic libraries fails to load, because it was blocked by code signing. Here is the message I get:


dyld: Library not loaded: @executable_path/../Frameworks/libsndfile.1.dylib
  Referenced from: /***/./TwistedWave.app/Contents/MacOS/TwistedWave
  Reason: no suitable image found.  Did find:
    /***/./TwistedWave.app/Contents/MacOS/../Frameworks/libsndfile.1.dylib: code signing blocked mmap() of '/***/./TwistedWave.app/Contents/MacOS/../Frameworks/libsndfile.1.dylib'
    /***/./TwistedWave.app/Contents/MacOS/../Frameworks/libsndfile.1.dylib: stat() failed with errno=1
    /***/TwistedWave.app/Contents/MacOS/../Frameworks/libsndfile.1.dylib: code signing blocked mmap() of '/***/TwistedWave.app/Contents/MacOS/../Frameworks/libsndfile.1.dylib'
    /***/TwistedWave.app/Contents/MacOS/../Frameworks/libsndfile.1.dylib: stat() failed with errno=1


The application is signed, and I have verified that this particular library was signed:


$ codesign -v -v TwistedWave.app/Contents/Frameworks/libsndfile.1.dylib
TwistedWave.app/Contents/Frameworks/libsndfile.1.dylib: valid on disk
TwistedWave.app/Contents/Frameworks/libsndfile.1.dylib: satisfies its Designated Requirement


What is happening, and what should I do about it?


I was able to get the application notarized with the com.apple.security.cs.disable-library-validation entitlement.


Thanks,

Thomas

Replies

What’s the deployment target for that library? You can determine this with the following command:

$ otool -l /path/to/your.dylib | grep -B 1 -A 3 LC_VERSION_MIN
Load command 9
     cmd LC_VERSION_MIN_MACOSX
 cmdsize 16
 version 10.11
     sdk 10.14

The hardened runtime requires library validation, which in turn only works for 10.9 and later. I’ve seen problems like this where the library contains no deployment target info, and things go badly from there.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks eskimo!


That was precisely the problem. There was no LC_VERSION_MIN_MACOSX in my library.


I have rebuilt it with the current XCode and it now works fine!


Regards,

Thomas

Hello,


I'm having the same problem. Built a piece of code as an external framework which can be optionally installed (in Library/Frameworks).


This worked fine until I've enable hardened runtime in my mac os app (even with the "Disable Library Validation" option set).


Both app and framework have the LC_VERSION_MIN set to 10.9, as you have suggested.


Both app and framework are signed by me. The application is not sandboxed.


Any suggestions?

I'm having the same problem.

I don’t think that’s true. In ThomasT’s case, disabling library validation fixed the problem, but in your case that doesn’t. Given that, I’m going to ask you to open a new thread (right here in Distribution > Mac Apps) so that we can focus on your issue.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Asked the question here:

https://forums.developer.apple.com/message/365393#365393


Thank you