9 Replies
      Latest reply on Mar 27, 2020 3:21 AM by sandeeptt
      sandeeptt Level 1 (0 points)

        Hi,


        We package an Open Source database system called PostgreSQL. This is signed and notarized by us. PostgreSQL is designed to be user extensible, and has various hooks to allow additional functionality to be loaded from shared libraries, which are dynamically loaded at runtime.


        We compile the PostgreSQL sources on macOS Mountain Lion (10.8) using MacOSX10.9.sdk with -mmacosx-version-min=10.9. The code signing is done on macOS Mojave (10.14) using a Developer ID Application certificate.


        When linking with the hardened runtime, the loading of third-party extensions is blocked on macOS Catalina because they are signed neither by Apple nor with the same team ID used for PostgreSQL itself. How can we resolve this so that our builds of PostgreSQL are able to load third-party extensions? We have already passed the entitlement "com.apple.security.cs.disable-library-validation" via the command-line option of the codesign binary while signing the app bundle.


        Awaiting your feedback. Thanks.

        • Re: mapping process and mapped file (non-platform) have different Team IDs
          eskimo Apple Staff (13,395 points)

          These extensions are being blocked by library validation, one of the many security features enabled by the hardened runtime.  You can opt out of library validation with the com.apple.security.cs.disable-library-validation entitlement.  See my Signing a Mac Product For Distribution post for instructions on how to apply entitlements.

          We have already passed the entitlement com.apple.security.cs.disable-library-validation via the command-line option of the codesign binary while signing the app bundle.

          It’s hard to say why this is not working but I suspect that you’re either not setting this correctly or setting it on the wrong program.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: mapping process and mapped file (non-platform) have different Team IDs
              sandeeptt Level 1 (0 points)

              Thanks so much for your response and help. Now, instead of applying the entitlements only to the app bundle, I applied them to all the bundled binaries (postgres, pg_ctl, etc.), the .so files and the dependent .dylibs (using codesign -f -i <> -s <> --options runtime --entitlements <list>), and now the extension loads successfully.


              I was also wondering whether I need to use the 10.14 SDK to compile the binaries and .dylibs to fix this issue, but that doesn't seem to be the case now.


              Thanks.
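The procedure the thread converges on, worked through as a script. This is an added example, not code from the thread, from Apple, or from the PostgreSQL project. It assumes an unpacked install tree with bin/ and lib/ subdirectories and takes the signing identity as an argument; the Developer ID string in the usage comment is a placeholder. The point Quinn makes about "the wrong program" is reflected in how the tree is split: library validation is enforced on the process whose main executable is signed with the hardened runtime, so the disable-library-validation entitlement has to be in the signature of the executable that dlopen()s the extension (postgres, pg_ctl and friends), not in the enclosing bundle and not in the libraries, which are signed with --options runtime and no entitlements. The tree is signed inside-out (libraries first, then executables). The constructed tree used for the offline checks contains only Mach-O magic bytes, which is enough to exercise the file-selection logic on any POSIX system; the codesign calls themselves need macOS with the Developer ID Application certificate in the keychain and, for --timestamp, network access to Apple's timestamp service. Because the entitlement reopens the process to loading arbitrary (differently signed) code, apply it only to the executables that actually need it.

```shell
#!/bin/sh
# Added example: sign a PostgreSQL install tree for the hardened runtime with
# com.apple.security.cs.disable-library-validation on the loading executables.
# Layout ($ROOT/bin, $ROOT/lib) and identity name are assumptions for illustration.
set -eu

# Write the entitlements plist that opts a signed executable out of library validation.
write_entitlements() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>
EOF
}

# True if the file starts with a Mach-O (32/64-bit, either byte order) or fat/universal
# magic number. (cafebabe is also the Java class-file magic; acceptable for an install tree.)
is_macho() {
  magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
  case $magic in
    cffaedfe|feedfacf|cefaedfe|feedface|cafebabe|bebafeca) return 0 ;;
    *) return 1 ;;
  esac
}

# Every Mach-O file under the tree, one path per line, sorted for a stable signing order.
find_macho_files() {
  find "$1" -type f | sort | while IFS= read -r f; do
    if is_macho "$f"; then printf '%s\n' "$f"; fi
  done
}

# Libraries (.dylib/.so) get the hardened runtime flag only; executables also get the entitlement.
find_libraries() {
  find_macho_files "$1" | while IFS= read -r f; do
    case $f in *.dylib|*.so) printf '%s\n' "$f" ;; esac
  done
}
find_executables() {
  find_macho_files "$1" | while IFS= read -r f; do
    case $f in *.dylib|*.so) ;; *) if [ -x "$f" ]; then printf '%s\n' "$f"; fi ;; esac
  done
}

# Sign inside-out: libraries first, then the executables that load them. The entitlement is
# read from the main executable of the process doing the loading, so that is where it goes.
sign_tree() {
  root=$1; identity=$2; ent=$3
  find_libraries "$root" | while IFS= read -r f; do
    codesign --force --sign "$identity" --options runtime --timestamp "$f"
  done
  find_executables "$root" | while IFS= read -r f; do
    codesign --force --sign "$identity" --options runtime --timestamp --entitlements "$ent" "$f"
  done
}

# Check every signature and print the entitlements actually embedded in each executable,
# which is the check that catches "set on the wrong program".
verify_tree() {
  find_macho_files "$1" | while IFS= read -r f; do
    codesign --verify --strict --verbose=2 "$f"
  done
  find_executables "$1" | while IFS= read -r f; do
    printf '== %s\n' "$f"
    codesign --display --entitlements :- "$f"
  done
}

# Constructed stand-in for a PostgreSQL tree (not real binaries): files carrying only the
# Mach-O magic bytes, enough to exercise the selection logic offline.
make_constructed_tree() {
  root=$1
  mkdir -p "$root/bin" "$root/lib/postgresql" "$root/share/postgresql"
  for f in bin/postgres bin/pg_ctl lib/libpq.5.dylib lib/postgresql/plpgsql.so; do
    printf '\317\372\355\376padding' > "$root/$f"   # MH_MAGIC_64 as stored little-endian
  done
  chmod +x "$root/bin/postgres" "$root/bin/pg_ctl"
  printf '#!/bin/sh\nexec postgres "$@"\n' > "$root/bin/pg_wrapper.sh"   # executable, not Mach-O
  chmod +x "$root/bin/pg_wrapper.sh"
  printf 'not a binary\n' > "$root/share/postgresql/postgres.bki"
}

# Usage (macOS only): sh sign-pg.sh sign /path/to/pgsql "Developer ID Application: Example (TEAMID)"
if [ "${1:-}" = "sign" ]; then
  ent=${TMPDIR:-/tmp}/pg.entitlements
  write_entitlements "$ent"
  sign_tree "$2" "$3" "$ent"
  verify_tree "$2"
fi
```

The `-i` identifier option from the follow-up post is omitted here, so codesign derives each identifier from the file name; pass it per file if the build needs fixed identifiers. After signing, the same entitlements file is what the notarization service sees, so a mismatch between what was signed and what was submitted shows up in `codesign --display --entitlements :-` before the upload rather than after.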