2 Replies
      Latest reply on Jun 13, 2019 2:10 AM by eskimo
      FxFactory Level 1 Level 1 (0 points)



        My software installs frameworks in the local domain (/Library/Frameworks) that are accessed from third-party apps. Some of these apps are simply code-signed, others are sandboxed. They are obviously signed by other companies, and so far there have been no problems on the part of DYLD in loading and executing code inside our frameworks. The loader is happy to continue looking for our framework outside the app container, in the case of sandboxed apps.


        What changes are necessary to ensure that our frameworks remain accessible from hardened apps? Hardened Runtime, to the best of my understanding, only allows executables to load code that has been code-signed by the same team, or by Apple. I also think that hardened runtime affects only executables, and yet when I enable the ENABLE_HARDENED_RUNTIME setting in Xcode on my framework targets (via xcconfig) it clearly influences the way they are signed, and suddenly these "hardened frameworks" fail to be loaded by third-party apps, even if these apps aren't yet hardened themselves. In what its perhaps the key to solving this issue, how can one mark non-app targets to enable the library-validation exception? Why would a non-hardened app fail to load code whose only difference may be a simple flag (kill,runtime) in its signature?


        Maybe I'm wrong to assume that non-app targets deserve any special treatment, but the fact remains that when I enable hardened runtime, our code simply stops being "seen" and loaded by DYLD, with all other variables remaining identical.


        Thank you!