Merge pull request #203 from solver-it-sro/fix-macos-dylib-load

fix: macos hardened runtime refusing to load external dylib
slovensko-digital · Jun 11, 2023 · 5f7f49b · 5f7f49b
2 parents 476fc21 + 6a0fbc0
commit 5f7f49b
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 0 deletions.
diff --git a/DEVELOPER.md b/DEVELOPER.md
@@ -177,6 +177,19 @@ extracting
 pkgutil --expand-full Autogram.pkg autogram-pkg-extracted
 ```
 
+
+### Loading external dylib libraries
+
+By default MacOS Gatekeeper allows loading dylib only from secure paths 
+
+> Beginning with macOS 10.10.4, Gatekeeper verifies that no libraries are loaded from outside an app bundle.
+
+we can use `com.apple.security.cs.disable-library-validation` entitlement to disable this check (there may be better workaround with )
+
+https://developer.apple.com/library/archive/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG207
+https://stackoverflow.com/questions/57667467/dylib-library-not-loaded-due-to-restricted-binary-after-apple-code-signing
+https://wiki.freepascal.org/Hardened_runtime_for_macOS
+
 ### More Resources
 
 - https://github.com/openjdk/jdk/tree/master/src/jdk.jpackage/macosx/classes/jdk/jpackage/internal

diff --git a/src/main/scripts/macos-cleanup-keychain.sh b/src/main/scripts/macos-cleanup-keychain.sh
diff --git a/src/main/scripts/macos-setup-keychain.sh b/src/main/scripts/macos-setup-keychain.sh
diff --git a/src/main/scripts/resources/Autogram.entitlements b/src/main/scripts/resources/Autogram.entitlements
@@ -10,5 +10,7 @@
     <true/>
     <key>com.apple.security.cs.allow-dyld-environment-variables</key>
     <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
 </dict>
 </plist>