Our application can load third-party plugins, which are created as bundles with the .xop extension, if those .xop bundles are placed in a specific directory.
I have created a signed and notarized version of the main application (MyApp.app) which loads the plugins. When I place a signed and notarized .xop bundle within the correct directory and start my application, the plugin bundle is successfully loaded and I don't get any error messages.
If I place a non-code signed and non-notarized bundle in the same directory and start my application, the OS gives a warning that the plugin "cannot be opened because its integrity cannot be verified."
This happens both when the main application has hardened runtime enabled (with appropriate entitlements) and when it is not enabled at all.
Hardened runtime enabled (with entitlements):
% codesign -dv --entitlements :- MyApp.app
Executable=[path]/MyApp.app/Contents/MacOS/MyApp
Identifier=[redacted]
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1344903 flags=0x10000(runtime) hashes=42019+5 location=embedded
Signature size=9016
Timestamp=Sep 5, 2019 at 12:14:16 AM
Info.plist entries=23
TeamIdentifier=[redacted]
Runtime Version=10.13.0
Sealed Resources version=2 rules=13 files=48
Internal requirements count=1 size=188
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.cs.disable-executable-page-protection</key><true/>
    <key>com.apple.security.get-task-allow</key><true/>
    <key>com.apple.security.device.audio-input</key><true/>
    <key>com.apple.security.device.camera</key><true/>
    <key>com.apple.security.automation.apple-events</key><true/>
</dict>
</plist>
Hardened runtime disabled:
% codesign -dv --entitlements :- MyApp.app
Executable=[path]MyApp.app/Contents/MacOS/MyApp
Identifier=[redacted]
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1344795 flags=0x0(none) hashes=42019+3 location=embedded
Signature size=9015
Timestamp=Sep 6, 2019 at 9:39:08 AM
Info.plist entries=23
TeamIdentifier=[redacted]
Sealed Resources version=2 rules=13 files=48
Internal requirements count=1 size=188
Our application is loading the bundle by calling CFBundleLoadExecutable.
Can anyone explain why calling CFBundleLoadExecutable requires that the target bundle be signed and notarized even when the application making the call does not have hardened runtime enabled? Should we be loading the bundle using a call other than CFBundleLoadExecutable?
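Whatever the OS enforces on its own, a host that loads third-party plugins can check the plugin's signature itself before calling CFBundleLoadExecutable, so that an unsigned or foreign-signed .xop is rejected by the application with a clear error rather than by a system dialog. The following is an added example and is not the poster's code: it uses the Security framework's static-code API to validate a plugin bundle against a Developer ID requirement tied to one Team ID, then loads it with the same CFBundleLoadExecutable call the post uses. The plugin path, the Team ID placeholder and the requirement text are assumptions for illustration; the system's separate "integrity cannot be verified" check is not replaced by this.

```objc
// Added example (not from the original post). Build with:
//   clang -fobjc-arc -framework Foundation -framework Security plugincheck.m -o plugincheck
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns YES if the bundle at pluginURL carries a valid Developer ID
// signature from teamID and no nested code or sealed resource fails validation.
static BOOL PluginSatisfiesRequirement(NSURL *pluginURL, NSString *teamID, NSError **outError) {
    SecStaticCodeRef code = NULL;
    OSStatus status = SecStaticCodeCreateWithPath((__bridge CFURLRef)pluginURL,
                                                  kSecCSDefaultFlags, &code);
    if (status != errSecSuccess) {
        if (outError) *outError = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
        return NO;
    }

    // Requirement language: Apple-rooted chain, Developer ID intermediate
    // (OID 1.2.840.113635.100.6.2.6), Developer ID Application leaf
    // (OID 1.2.840.113635.100.6.1.13), and a leaf OU equal to our Team ID.
    NSString *reqText = [NSString stringWithFormat:
        @"anchor apple generic and "
         "certificate 1[field.1.2.840.113635.100.6.2.6] exists and "
         "certificate leaf[field.1.2.840.113635.100.6.1.13] exists and "
         "certificate leaf[subject.OU] = \"%@\"", teamID];

    SecRequirementRef requirement = NULL;
    status = SecRequirementCreateWithString((__bridge CFStringRef)reqText,
                                            kSecCSDefaultFlags, &requirement);
    if (status != errSecSuccess) {
        CFRelease(code);
        if (outError) *outError = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
        return NO;
    }

    // Strict validation of every architecture and every nested bundle/dylib
    // inside the plugin, against the requirement above.
    SecCSFlags flags = kSecCSCheckAllArchitectures | kSecCSCheckNestedCode | kSecCSStrictValidate;
    CFErrorRef cfError = NULL;
    status = SecStaticCodeCheckValidityWithErrors(code, flags, requirement, &cfError);
    BOOL ok = (status == errSecSuccess);

    if (!ok && outError) {
        *outError = cfError ? CFBridgingRelease(cfError)
                            : [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
    } else if (cfError) {
        CFRelease(cfError);
    }
    CFRelease(requirement);
    CFRelease(code);
    return ok;
}

// Loads the plugin only after the signature check passes. On success the
// CFBundleRef is intentionally kept alive for the lifetime of the loaded code.
static BOOL LoadPluginIfTrusted(NSURL *pluginURL, NSString *teamID) {
    NSError *error = nil;
    if (!PluginSatisfiesRequirement(pluginURL, teamID, &error)) {
        NSLog(@"Refusing to load %@: %@", pluginURL.path, error);
        return NO;
    }
    CFBundleRef bundle = CFBundleCreate(kCFAllocatorDefault, (__bridge CFURLRef)pluginURL);
    if (bundle == NULL) {
        NSLog(@"Not a bundle: %@", pluginURL.path);
        return NO;
    }
    Boolean loaded = CFBundleLoadExecutable(bundle);   // same call the post uses
    if (!loaded) {
        NSLog(@"CFBundleLoadExecutable failed for %@", pluginURL.path);
        CFRelease(bundle);
    }
    return loaded;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Placeholders: substitute the real plugin directory and the host app's Team ID.
        NSURL *plugin = [NSURL fileURLWithPath:@"/path/to/Plugins/Example.xop"];
        NSString *teamID = @"TEAMID0000";
        return LoadPluginIfTrusted(plugin, teamID) ? 0 : 1;
    }
}
```

Pinning the requirement to a single Team ID is the in-process equivalent of leaving library validation enabled: a plugin that is validly signed by some other Developer ID still fails the check. If plugins from several vendors must be accepted, the requirement string can list several OUs, or the check can be relaxed to the Developer ID chain alone with the Team ID recorded for logging, but the bundle should never be handed to CFBundleLoadExecutable before SecStaticCodeCheckValidityWithErrors has returned errSecSuccess.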