Framework fails to load with hardened runtime

Hello,


I have built a piece of code as an external framework which can be optionally installed (in Library/Frameworks).

This worked fine until I enabled the hardened runtime in my macOS app (even with the "Disable Library Validation" option set).

Both app and framework have the LC_VERSION_MIN set to 10.9, as suggested in this thread:

https://forums.developer.apple.com/thread/115451

Both app and framework are signed by me. The application is not sandboxed.


Any suggestions?


Thanks,

Bruno

Accepted Reply

mixage and I discussed their issue in depth and managed to work out what was going wrong. Their framework’s install name (the value from the LC_ID_DYLIB load command, as displayed by the -D option in otool) was using the @rpath prefix. The hardened runtime puts significant restrictions on the use of @rpath because it’s a vector for injecting code into apps, and thus they ran into problems when enabling it.

As their framework was meant to be installed in /Library/Frameworks/, changing the install name to an absolute path with that prefix resolved their issue.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
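As an added example (not code from the thread or from Apple), a small Python reader that pulls the LC_ID_DYLIB install name out of a thin little-endian Mach-O image and classifies its prefix, so a framework can be audited for the @rpath install name described above without otool; build_dylib is an assumed helper that constructs a synthetic dylib image for testing.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xfeedface, 0xfeedfacf   # thin, little-endian Mach-O magics
LC_ID_DYLIB = 0xd                                # load command carrying the install name
MH_DYLIB, CPU_TYPE_ARM64 = 6, 0x0100000c

def load_commands(data):
    """Yield (cmd, raw bytes) for each load command of a thin Mach-O image."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        hdr = 32
    elif magic == MH_MAGIC:
        hdr = 28
    else:
        raise ValueError("not a thin little-endian Mach-O (use lipo -thin on universal files)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)   # same offsets in both headers
    if len(data) < hdr + sizeofcmds:
        raise ValueError("truncated load command area")
    off = hdr
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > hdr + sizeofcmds:
            raise ValueError("malformed load command")
        yield cmd, data[off:off + cmdsize]
        off += cmdsize

def install_name(data):
    """Install name from LC_ID_DYLIB, or None for images without one (e.g. executables)."""
    for cmd, blob in load_commands(data):
        if cmd == LC_ID_DYLIB:
            str_off, = struct.unpack_from("<I", blob, 8)   # lc_str.offset, relative to the command
            return blob[str_off:blob.index(b"\0", str_off)].decode()
    return None

def classify(name):
    """How dyld will resolve this install name; 'rpath' is the case the thread ran into."""
    if name.startswith("@rpath/"):
        return "rpath"
    if name.startswith(("@executable_path/", "@loader_path/")):
        return "relative"
    return "absolute" if name.startswith("/") else "bare"

def build_dylib(name=None):
    """Constructed minimal 64-bit MH_DYLIB with one LC_ID_DYLIB (none if name is None)."""
    lc = b""
    if name is not None:
        s = name.encode() + b"\0"
        s += b"\0" * (-len(s) % 8)                  # load commands are 8-byte aligned
        lc = struct.pack("<6I", LC_ID_DYLIB, 24 + len(s), 24, 2, 0x10000, 0x10000) + s
    ncmds = int(name is not None)
    return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_DYLIB, ncmds, len(lc), 0, 0) + lc
```

On a real framework, pass the bytes of the Versions/A/<Name> binary to install_name(); a result classified as "rpath" for something installed under /Library/Frameworks/ is the condition the accepted reply describes.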

Replies

Do you load your framework by importing it? Or load it dynamically with, say, dlopen?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Imported: The framework is added to my Xcode project as "optional" and not copied inside my frameworks app subfolder. The framework path is the standard Library/Frameworks one. Everything loads correctly until I enable hardened runtime. I can provide a sample project if needed.


Thanks

It’s hard to say what’s going on here. Library validation prevents your app from importing external frameworks like this (documented in the codesign man page), but you’ve already disabled that. I have two theories:
  • Your attempt to disable library validation failed for some reason. How did you confirm that it’s actually off? (A)

  • There’s some other hardened runtime flag that’s preventing your framework from loading (B).

To test A, enable the hardened runtime, disable library validation, remove your import, and run your program. It should launch just fine. Then run codesign against your pid. This will tell you whether your library validation change ‘stuck’.

For example, here’s what you see when using the hardened runtime with no exceptions:

$ codesign -d -v --entitlements :- `pgrep test`
…
CodeDirectory v=20500 size=429 flags=0x10000(runtime) hashes=4+5 location=embedded
…
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>

And here’s what you see when you disable library validation:

$ codesign -d -v --entitlements :- `pgrep test`
…
CodeDirectory v=20500 size=429 flags=0x10000(runtime) hashes=4+5 location=embedded
…
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>

To investigate B, disable all of the hardened runtime checks (these are listed in the Runtime Exceptions section of Xcode’s Capabilities editor) and see if your app works. If it does, selectively re-enable them to see where it stops working.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
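As an added example (not from the thread), a Python checker for test A above: it parses the output of codesign -d -v --entitlements :- for the runtime flag and the disable-library-validation entitlement and reports whether an external framework import can be expected to load. The sample output is constructed after the two listings in the reply; the CS_RUNTIME bit value follows the flags=0x10000(runtime) line shown there.

```python
import plistlib
import re

# Constructed sample of `codesign -d -v --entitlements :- <pid>` output, modelled on
# the second listing above (hardened runtime on, library validation disabled).
SAMPLE = """\
Identifier=com.example.test
CodeDirectory v=20500 size=429 flags=0x10000(runtime) hashes=4+5 location=embedded
Signature size=4523
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
"""

CS_RUNTIME = 0x10000   # hardened runtime bit in the CodeDirectory flags word

def parse_codesign(text):
    """Return (CodeDirectory flags as int, entitlements dict) from codesign -d -v output."""
    m = re.search(r"^CodeDirectory .*?flags=(0x[0-9a-fA-F]+)", text, re.M)
    flags = int(m.group(1), 16) if m else 0
    # Pick out the outermost <dict> so the parse also works when the <plist>
    # wrapper is missing (as in the second listing on this page) and re-wrap it.
    start, end = text.find("<dict>"), text.rfind("</dict>")
    if start == -1 or end == -1:
        return flags, {}
    xml = '<plist version="1.0">' + text[start:end + len("</dict>")] + "</plist>"
    return flags, plistlib.loads(xml.encode())

def library_validation_state(text):
    """'off' (no hardened runtime), 'disabled', or 'enforced' (external frameworks rejected)."""
    flags, ents = parse_codesign(text)
    if not flags & CS_RUNTIME:
        return "off"
    if ents.get("com.apple.security.cs.disable-library-validation", False):
        return "disabled"
    return "enforced"
```

Feed it the real output (e.g. subprocess.run on the codesign command above); "enforced" means the entitlement did not stick and theory A applies.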

Thanks. I will try this ASAP (I wasn't here the last few days).

The framework is not loaded if hardened runtime is enabled. I have checked the various cases (A and B and others) but there's no way to make it work except by switching off the HR button in Xcode. What am I missing?

What am I missing?

I’m not sure. My recommendation is that you open a DTS tech support incident so that we can help you investigate this in more detail.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hello Quinn,


I understand that you are not involved in such questions, but I'm at a total loss...

I have opened a DTS tech support incident as you suggested on July 5 and am still waiting for a reply... Is it normal? How can I solicit a reply? By opening another support incident?


Thank you very much 🙂

Bruno

Is it normal?

No. DTS should send you an initial response within three business days.

I can’t discuss official DTS business here, but if you drop me a line via email (my address is in my signature below), we can take things from there.

Make sure to reference this thread because, as you might imagine, I get a lot of email.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I got a similar issue and I've tried a couple of ways that don't work at all.

Would you please take a look into this? (Posted here and on StackOverflow)

Thank you so much!!


https://forums.developer.apple.com/message/390019#390019


https://stackoverflow.com/questions/58515410/library-not-loaded-after-runtime-hardened-enabled