Hi, I have created a conda python environment which I have packaged into a .tar.gz (using conda-pack) and which runs correctly when extracted (in this example, it only contains the scipy package). However, when I sign the necessary files within the environment (i.e. the binaries, the dylibs, the .so files), attempting to load scipy.sparse now fails with the error "mapped file has no cdhash, completely unsigned" about one of the .so files. Furthermore, I believe that this file does in fact have a cdhash. The signing process represented by my example below has been working for about a year, and I am unsure why it has suddenly stopped working. I am on a 2020 MacBook Pro with an i7 processor and running Sequoia 15.1.1. Here is a minimal example showing the creating of the conda environment, codesigning, and the error message. Many thanks in advance! # Create and activate conda env > conda create -y -n mwe_env python=3.10 > conda activate mwe_env # Verify scipy not initially installed (mwe_env) > python Python 3.10.16 (main, Dec 11 2024, 10:24:41) [Clang 14.0.6 ] on darwin Type "help", "copyright", "credits" or "license" for more information. >>> import scipy Traceback (most recent call last): File "<stdin>", line 1, in <module> ModuleNotFoundError: No module named 'scipy' (mwe_env) > pip install scipy Collecting scipy Downloading scipy-1.15.2-cp310-cp310-macosx_14_0_x86_64.whl.metadata (61 kB) Collecting numpy<2.5,>=1.23.5 (from scipy) Downloading numpy-2.2.4-cp310-cp310-macosx_14_0_x86_64.whl.metadata (62 kB) Downloading scipy-1.15.2-cp310-cp310-macosx_14_0_x86_64.whl (25.1 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 25.1/25.1 MB 17.3 MB/s eta 0:00:00 Downloading numpy-2.2.4-cp310-cp310-macosx_14_0_x86_64.whl (7.0 MB) ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 7.0/7.0 MB 16.4 MB/s eta 0:00:00 Installing collected packages: numpy, scipy Successfully installed numpy-2.2.4 scipy-1.15.2 (mwe_env) > python Python 3.10.16 (main, Dec 11 2024, 10:24:41) [Clang 14.0.6 ] on darwin Type "help", "copyright", "credits" or "license" for more information. >>> import scipy.sparse >>> # success! # Package conda env (mwe_env) > conda-pack --output mwe_env.tar.gz --name mwe_env Collecting packages... Packing environment at '/path/to/my/conda/envs/mwe_env' to 'mwe_env.tar.gz' [########################################] | 100% Completed | 7.8s (mwe_env) > conda deactivate > mkdir mwe_dir && cd mwe_dir > tar -xzvf ../mwe_env.tar.gz > source bin/activate (mwe_dir) > python Python 3.10.16 (main, Dec 11 2024, 10:24:41) [Clang 14.0.6 ] on darwin Type "help", "copyright", "credits" or "license" for more information. >>> import scipy.sparse >>> # success! # Sign the binaries and .dylibs and .so files (mwe_dir) > find bin -type f | xargs -n1 xcrun codesign -f -o runtime --timestamp --sign "Developer ID Application: MY_TEAM_ID" (mwe_dir) > find . -name "*.dylib" -o -name "*.so" -type f | xargs -n1 xcrun codesign -f -o runtime --timestamp --sign "Developer ID Application: MY_TEAM_ID" # the second command prints many lines saying it is "replacing existing signature" (mwe_dir) > python Python 3.10.16 (main, Dec 11 2024, 10:24:41) [Clang 14.0.6 ] on darwin Type "help", "copyright", "credits" or "license" for more information. >>> import scipy.sparse Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/__init__.py", line 315, in <module> from . import csgraph File "/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/csgraph/__init__.py", line 187, in <module> from ._laplacian import laplacian File "/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/csgraph/_laplacian.py", line 7, in <module> from scipy.sparse.linalg import LinearOperator File "/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/__init__.py", line 134, in <module> from ._eigen import * File "/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/__init__.py", line 9, in <module> from .arpack import * File "/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/__init__.py", line 20, in <module> from .arpack import * File "/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/arpack.py", line 50, in <module> from . import _arpack ImportError: dlopen(/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so, 0x0002): tried: '/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so' (code signature in <5DD8FC01-7360-3DB9-8273-C8A45ABB19A9> '/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so' not valid for use in process: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.), '/System/Volumes/Preboot/Cryptexes/OS/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so' (no such file), '/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so' (code signature in <5DD8FC01-7360-3DB9-8273-C8A45ABB19A9> '/path/to/mwe_dir/conda_env/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so' not valid for use in process: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.) # But: (mwe_dir) > xcrun codesign -dvvv /path/to/mwe_dir/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so Executable=/path/to/mwe_dir/lib/python3.10/site-packages/scipy/sparse/linalg/_eigen/arpack/_arpack.cpython-310-darwin.so Identifier=_arpack.cpython-310-darwin Format=Mach-O thin (x86_64) CodeDirectory v=20400 size=4318 flags=0x10000(runtime) hashes=129+2 location=embedded Library validation warning=OS X SDK version before 10.9 does not support Library Validation Hash type=sha256 size=32 CandidateCDHash sha256=816731ecd1ad01b38555cbfef8c000628696d0ca CandidateCDHashFull sha256=816731ecd1ad01b38555cbfef8c000628696d0ca53376aebf6fae28d8c02f519 Hash choices=sha256 CMSDigest=816731ecd1ad01b38555cbfef8c000628696d0ca53376aebf6fae28d8c02f519 CMSDigestType=2 CDHash=816731ecd1ad01b38555cbfef8c000628696d0ca Signature size=9000 Authority=Developer ID Application: MY_TEAM_ID Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=2 Apr 2025 at 16:24:52 Info.plist=not bound TeamIdentifier=MY_TEAM_ID Sealed Resources=none Internal requirements count=1 size=188

I’ve developed a macOS app, but I’ve had trouble using a script to fully codesign it and package it into a .dmg file. I was only able to complete codesigning using the third-party app itself—not via command-line scripts. Is it possible to write a script that automates the entire process of codesigning the app? To provide the best user experience for those downloading the app outside of the Mac App Store, is it correct to first package it as a .app and then wrap that into a .dmg file for distribution? Currently, the app is available on the web as a .dmg. When downloaded, it appears in a folder and can be double-clicked to launch. However, macOS displays a warning that it was downloaded from the internet. Can I use a script to remove that quarantine warning? If possible, I’d appreciate a step-by-step explanation and a sample command-line script to: Codesign the app properly Package it into a signed .dmg Remove the quarantine attribute for local testing or distribution Is the reason I was only able to codesign it inside the third-party app due to how that app was built, or can this always be done from the command line?

Yes, this is very likely the completely wrong way to do things but I would like to ask regardless. Currently with windows/linux I can perform an in-situ upgrade of an application by performing a download of the binary 'foo' and then doing a rename-and-replace and subsequently requesting the licencee to restart the program and all is good. With macOS, as the binary is within the foo.app ( Contents/macOS/foo ) I imagine I cannot perform a similar operation without breaking the signing of the foo.app itself? ....or, can I individually sign the binary foo for macOS and perform the same type of operation? Download new foo as foo.new rename current foo.app/Content/macOS/foo -> foo.old rename foo.new -> foo Restart application Again, I know this is very likely an un-macOS way of performing the task but as you can imagine with supporting cross-platform development it's usually easier to maintain a consistent method even if it's "not ideal".

Displaying attribute for a private key I see a number of applications that are allowed to access it without needing a password e.g. racoon; Keychain Access.app; Certificate Assitant.app etc.. I want to add /usr/bin/codesign to the list but the gui window that pops up when I click on + doesn't seem to allow me to do that :( How do I do it please

Hello, I am normally a windows programmer, but I am trying to get my PySide/Qt app into the app store. I'm almost there, I just have a couple of questions about the signing process. I have two laptops, one intel silicon, one mac silicon. I created 2 CSR's, one on each laptop and used them to generate 2 Mac Installer Distribution certificates and 2 Mac App Distribution certificates. When it came to downloading the provisioning profile, I selected one Mac App Distrbution Certificate on the interface at developer.apple.com, saved it and then downloaded to the appropriate laptop. I then switched the provisioning profile to the other Mac App Distribution Certificate and downloaded it to the other laptop. I then built the app and uploaded everything using xcrun altool. On the intel machine only(which has the first provisioning profile) I successfully uploaded the package but I get an email identifying lots of similar errors of the type (Lets call it error1): ITMS-90284: Invalid Code Signing - The executable XXXXX must be signed with the certificate that is contained in the provisioning profile. On the ARM machine only i get the following error (Lets call it error2): ITMS-91109: Invalid package contents - The package contains one or more files with the com.apple.quarantine extended file attribute, such as XXXXXXXX embedded.provisionprofile”. This attribute isn’t permitted in macOS apps distributed on TestFlight or the App Store. Please remove the attribute from all files within your app and upload again. On both I get the following error lets call it error3: ITMS-90886: 'Cannot be used with TestFlight because the signature for the bundle at XXXXX is missing an application identifier but has an application identifier in the provisioning profile for the bundle. Bundles with application identifiers in the provisioning profile are expected to have the same identifier signed into the bundle in order to be eligible for TestFlight.' My first inclination is that all the error1's are coming from having two sets of CSRs, Mac Distribution certificates, provisioning profiles etc. Should I have only used one CSR and made one each of the Certificates? I don't know why I have error2. I don't know where the quarantine attribute is coming from and why it would affect the mac silicon and not the intel. Any ideas? my entitlements file has the following: <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.cs.allow-unsigned-executable-memory</key> <true/> <key>com.apple.security.cs.disable-library-validation</key> <true/> <key>com.apple.security.app-sandbox</key> <true/> <key>com.apple.security.device.bluetooth</key> Error3 is the one where I need to try a few things but knowing what is expected will help. In the provisioning profile when viewed at developer.apple.com it has the APP ID listed as the 10 digit id followed by the bundle ID but I sometimes see just the 10 digit app ID being used and sometimes the bundle ID. I know that it's up to me to figure out how to get it into the build, but knowing what it should be would be helpful. On the other hand the text "Bundles with application identifiers in the provisioning profile ..." indicates that if the application identifier was not in the provisioning profile i might get away with it, but this might be grasping at straws. If you have made it this far, thank you for reading.

Hi all, I’ve run into a signing/entitlements problem that shows up only on Big Sur (11.x). The very same .app launches perfectly on Monterey (12), Ventura (13), Sonoma (14 / 14.5) and Sequoia (15). Failure on macOS 11 com.apple.xpc.launchd[1] (application.app.myapp.exams.566312.566318[1602]): removing service since it exited with consistent failure – OS_REASON_CODESIGNING | When validating …/MyAppNameBlurred 3.13.1.app/Contents/MacOS/MyAppNameBlurred 3.13.1: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: Binary is improperly signed. Launching from Terminal: open -a "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" kLSNoLaunchPermissionErr (-10826) | Launchd job spawn failed with error: 153 What I’ve already checked # signature itself codesign -dvvv "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" # => valid, Authority = Developer ID Application, runtime enabled # full deep/strict verification codesign --verify --deep --strict -vvv "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" # => “satisfies its Designated Requirement” # Gatekeeper assessment spctl --assess --type execute --verbose=4 "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" # => accepted (override security disabled) # embedded provisioning profile matches bundle ID codesign -d --entitlements :- "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" | plutil -p - security cms -D -i "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app/Contents/embedded.provisionprofile" \ | plutil -extract Entitlements xml1 -o - # => both show the AAC entitlement and everything looks in order # notarization ticket stapler validate "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" # => “The validate action worked!” Deployment target: MACOSX_DEPLOYMENT_TARGET = 11.0 Entitlement added: com.apple.developer.automatic-assessment-configuration = true Provisioning profile: generated this year via Developer ID, includes the assessment entitlement and nothing else unusual. Runtime code: we call AEAssessmentSession's network configuration part only on 12 + (guarded with @available(macOS 12.0, *)). Has anyone hit this mismatch on 11.x? Could Big Sur be expecting something older or idk? Any pointers appreciated! Thanks!

In the LightweightCodeRequirements framework, there is a LaunchCodeRequirement object which can be used as a requirement object for a Process for example. What I don't understand (I admit my macOS low-level knowledge is limited) is that how can this be used in a secure way that doesn't fall victim of a Time-of-Check/Time-of-Use issue. e.g. I specify a LaunchCodeRequirement via Process.launchRequirement for my process, let's say /usr/local/bin/mycommandlinetool. The LaunchCodeRequirement specifies my development team and a developer ID certificate. The process must be started in some form, before a SecCode/SecTask object can be created, rather than a SecStaticCode object (which only guarantees its validity checks to be intact as long as the file is not modified). But if the process was started, then I have no tools in my set to prevent it from executing its initialization code or similar. Then, by the time I'm able to check via SecCode/SecTask functions the LaunchCodeRequirement, I might have already ran malicious code - if mycommandlinetool was maliciously replaced. Or does the operating system use a daemon to copy the executable specified for Process to a secure location, then creates the SecStaticCode object, assesses the LaunchCodeRequirement and if passed, launches the executable from that trusted location (which would make sure it is immutable for replacement by malicious actors)? I have a hard time understanding how this works under the hood - if I remember correctly these are private APIs.

Coming from Windows, I'm finding Mac app packaging farcically complicated, to the level of a Python sketch. I mastered Windows packaging, via Inno, in an hour or so, but it has taken me, on and off, the best part of a week to get to the point I am at with the Mac OS, and I'm nowhere near finished (rather, it hasn't finished with me). Every time I surmount one hurdle, another pops up, seemingly just for the jollies. I'm currently stuck at: 'Error: HTTP status code: 403. A required agreement is missing or has expired. This request requires an in-effect agreement that has not been signed or has expired. Ensure your team has signed the necessary legal agreements and that they are not expired.' My account lists no agreements in this category. I understand the need for security, but not the labyrinthine nature of the process. An inner-party member in the former Soviet Union overheard a drunken Stalin say, “I trust no one; not even myself". Apple trusts no one, but has true contempt for developers. Is there a simple way to work through the packaging process? Let me rephrase that: please God, let there be a simpler way of working through the process! Regards, in extremis, Richard

I am trying to code sign an application which relies on many python libraries to run. For background knowledge, the .app was created with a —onefile command on Visual Studio. I code signed my application itself using codesign --deep --force --verify --timestamp --sign "Developer ID Application: Issey Yohannes (GL5BCCW69X)" /Users/isseyyohannes/Desktop/Automated\ ALGORA.app However, when I try to run the application the error shows in terminal as follows [PYI-16345:ERROR] Failed to load Python shared library '/var/folders/g9/2zbc7y_97xxbq7bnc301nnyc0000gn/T/_MEI6keRcA/Python': dlopen: dlopen(/var/folders/g9/2zbc7y_97xxbq7bnc301nnyc0000gn/T/_MEI6keRcA/Python, 10): no suitable image found. Did find: /var/folders/g9/2zbc7y_97xxbq7bnc301nnyc0000gn/T/_MEI6keRcA/Python: code signature in (/var/folders/g9/2zbc7y_97xxbq7bnc301nnyc0000gn/T/_MEI6keRcA/Python) not valid for use in process using Library Validation: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?) /var/folders/g9/2zbc7y_97xxbq7bnc301nnyc0000gn/T/_MEI6keRcA/Python: stat() failed with errno=1 Through some external tools, I was able to narrow the issue as follows Hardened Runtime Restriction: Your application is attempting to load a shared library (Python) at runtime, but the library is either: Not properly signed with the same Team ID as your app. Not marked as a valid platform binary. macOS requires all loaded libraries to comply with its code-signing and runtime security policies. Any insight is much appreciated.

I've noticed that NSTaks has this property as of macOS 14.4 @property (nullable, copy) NSData *launchRequirementData API_AVAILABLE(macos(14.4)) API_UNAVAILABLE(ios, watchos, tvos, visionos); It has no documentation whatsoever. Even google search has no clue. Does this have anything to do with code signature requirements validation? Any explanations and examples would be appreciated!

Hi everyone. Sorry if this is not an appropriate forum section for this question. I'm making a game engine and it doesn't launch on my colleague's MacBook, although it does launch on mine. There's an application file, let's say, Sample.app. And along with it in the same folder there's Engine.dylib. If we look at the app-file structure, the executable file's path is Contents/MacOS/Sample. So for the executable file the library is located at the path ../../../Engine.dylib. But when my colleague runs the Sample.app file, he gets an error "Library not loaded: @executable_path/../../../Engine.dylib". Although the path is correct and on my MacBook it works. Are there any ideas how to fix it?

Hi, I'm doing Java 22 experiments with open source package "wgpu-macos-aarch64-release" on my Mac M3. This library contains a .dylib file and a .a file. In Java you can load native dynamic libraries using JNI. I used that in the past. Now in MacOS 15 this stopped working. Currently, I compile my Java file and run the binary file on the command line, including the library directory. The application would load the library from that directory. This should normally works but the library is not loaded. After some investigation it seems the .dylib is rejected by MacOS. Calling spctl --assess --verbose=4 libwgpu_native.dylib gives libwgpu_native.dylib: rejected without any extra reason message. Using sudo xattr -rd com.apple.quarantine libwgpu_native.dylib doesn't solve the problem. I also can't "accept" it in "Privacy & Security" because it's run as a command line call. I know that code signing should be done for "complete" applications. But these are just experiments and working with single dynamic libraries. How should this be done, to be able to load those libraries in a Java command line program? Or in general, how can you load an unsigned dylib in an application (apart from using Java as a tool). Kr, J

I am developing a macOS app that requires the Associated Domains entitlement. The app will be distributed as a custom app. The app needs to be signed using Team A’s Developer ID Application certificate and packaged under Team A’s Team ID. Team A has a secure signing and packaging setup, but they do not provide access to their Developer ID Application Identity (cert) or their provisioning profile. I am part of Team B and have access to Team B’s Developer ID Application identity and provisioning profiles. I am thinking of doing the following: I create a provisioning profile under Team B that authorizes the Associated Domains entitlement. I sign the app using Team B’s Developer ID Application identity, ensuring the required entitlements are included. Then, I re-sign the app using Team A’s Developer ID Application identity, since Team A has also set up the same bundle ID with the Associated Domains entitlement and corresponding provisioning profile. Questions: Is this approach correct & does it have any drawback? Will the double signing process work without issues, given that Team A has the required provisioning profile for the same bundle ID? Are there better ways to handle this situation where signing must be done under Team A but access is limited? Thanks!

When I first tried to sign my local unit test with the identity generated by Xcode, it failed because the intermediate certificate was missing. In that case, the error message explained that the trust chain could not be completed. But after installing the correct intermediate, codesign still fails, but no longer gives any explanation: codesign -f -s '0EFE7E591A4E690842094B8EC5AFDFE059637D3C' build/Darwin-Xcode-arm64_obf/bin/Release/UNITTEST build/Darwin-Xcode-arm64_obf/bin/Release/UNITTEST: replacing existing signature build/Darwin-Xcode-arm64_obf/bin/Release/UNITTEST: errSecInternalComponent It's the same error line "errSecInternalComponent". Is there a log somewhere that might explain what exactly is the error?

All libraries are getting rejected with errors like: not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs

The Codesign command adds extended attributes to files that previously had no extended attributes. In my case codesign add following extended attributes to text file in Frrameworks folder: com.apple.cs.CodeDirectory com.apple.cs.CodeRequirements com.apple.cs.CodeRequirements-1 com.apple.cs.CodeSignature Can I somehow prevent this behavior? Thank you.

Hello, I'm working on an app at work and we finally got to signing and notarizing the app. The app is successfully notarized and stapled, I packaged it in a .dmg using hdiutil and went ahead and notarized and stapled that as well. Now I tried to move this app to another machine through various methods. But every time I download it from another machine, open and extract the contents of the dmg and attempt to open the app, I get the "Apple could not verify my app is free of malware that may harm your Mac or compromise your privacy. When I check the extended attributes there's always the com.apple.quarantine attribute which from what I know, is the reason that this popup appears I've tried uploading it to google drive, sending through slack, onedrive, even tried our AWS servers and last but not least, I tried our Azure servers (which is what we use for distribution of the windows version of our app). I tried uploading to Azure through CloudBerry (MSP360 now), and azure-cli defining the content-type as "application/octet-stream", the content-disposition as "attachment; filename=myApp.dmg", and content-cache-control as "no-transform". None of these worked The only times where a download actually worked with no problems was when I downloaded through the terminal using curl, which obviously not a great solution especially that we're distributing to users who aren't exactly "tech savy" I want the installation experience to be as smooth as other apps outside the App Store (i.e Discord, Slack, Firefox, Chrome etc....) but I've been stuck on this for more than a week with no luck. Any help is greatly appreciated, and if you want me to clarify something further I'd be happy to do so

Hello I have a qt, CMAKE app, non-xcode one till xcode start supporting cmake. I have 3 apps, 2 basic ones and 1 very complex ones. My complex one build/links/notarises/validates/deploys beautifly. I have tear in my eye when I see it build. The other 2 apps explode and torment me for past 5 days. The build proves is 99% the same, the only thing that a little changes are info.plist and app name+ some minor changes. Its absolutely bananas and I can't fix it, I'm running out of ideas so if any1 could sugged anything, I'll buy &amp; ship you a beer. Anyway, errors: Log: Using otool: Log: inspecting "/Users/dariusz/Qt/6.9.1/macos/lib/QtCore.framework/Versions/A/QtCore" Log: Could not parse otool output line: "/Users/dariusz/Qt/6.9.1/macos/lib/QtCore.framework/Versions/A/QtCore (architecture arm64):" Log: Adding framework: Log: Framework name "QtCore.framework" Framework directory "/Users/dariusz/Qt/6.9.1/macos/lib/" Framework path "/Users/dariusz/Qt/6.9.1/macos/lib/QtCore.framework" Binary directory "Versions/A" Binary name "QtCore" Binary path "/Versions/A/QtCore" Version "A" Install name "@rpath/QtCore.framework/Versions/A/QtCore" Deployed install name "@rpath/QtCore.framework/Versions/A/QtCore" Source file Path "/Users/dariusz/Qt/6.9.1/macos/lib/QtCore.framework/Versions/A/QtCore" Framework Destination Directory (relative to bundle) "Contents/Frameworks/QtCore.framework" Binary Destination Directory (relative to bundle) "Contents/Frameworks/QtCore.framework/Versions/A" Log: copied: "/Users/dariusz/Qt/6.9.1/macos/lib/QtWebSockets.framework/Versions/A/QtWebSockets" Log: to "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/Frameworks/QtWebSockets.framework/Versions/A/QtWebSockets" Log: copy: "/Users/dariusz/Qt/6.9.1/macos/lib/QtWebSockets.framework/Resources" "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/Frameworks/QtWebSockets.framework/Versions/A/Resources" Log: copied: "/Users/dariusz/Qt/6.9.1/macos/lib/QtWebSockets.framework/Resources/Info.plist" Log: to "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/Frameworks/QtWebSockets.framework/Versions/A/Resources/Info.plist" Log: copied: "/Users/dariusz/Qt/6.9.1/macos/lib/QtWebSockets.framework/Resources/PrivacyInfo.xcprivacy" Log: to "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/Frameworks/QtWebSockets.framework/Versions/A/Resources/PrivacyInfo.xcprivacy" Log: symlink "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/Frameworks/QtWebSockets.framework/QtWebSockets" Log: points to "Versions/Current/QtWebSockets" Log: symlink "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/Frameworks/QtWebSockets.framework/Resources" Log: points to "Versions/Current/Resources" Log: symlink "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/Frameworks/QtWebSockets.framework/Versions/Current" Log: points to "A" Log: Using install_name_tool: Log: in "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/MacOS/Agameri_Toolbox" Log: change reference "@rpath/QtWebSockets.framework/Versions/A/QtWebSockets" Log: to "@rpath/QtWebSockets.framework/Versions/A/QtWebSockets" ERROR: "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/install_name_tool: fatal error: file not in an order that can be processed (link edit information does not fill the __LINKEDIT segment): /AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/MacOS/Agameri_Toolbox\n" ERROR: "" Even tho I get that error, it will "Notarize" and "greenlight by gatekeeper. So my automatic build app if he sees error with the __LINKEDIT it will stop deployment. But even tho he "stops" release of app to public I can still go check binary and when I try to run that I get: Library not loaded: @rpath/QtConcurrent.framework/Versions/A/QtConcurrent Referenced from: &lt;69A296DB-8C7D-3BC9-A8AE-947B8D6ED224&gt; /Volumes/VOLUME/*/Agameri_Toolbox.app/Contents/MacOS/Agameri_Toolbox Reason: tried: '/Users/dariusz/Qt/6.9.1/macos/lib/QtConcurrent.framework/Versions/A/QtConcurrent' (code signature in &lt;192D5FAC-FE8C-31AB-86A7-6C2CE5D3E864&gt; '/Users/dariusz/Qt/6.9.1/macos/lib/QtConcurrent.framework/Versions/A/QtConcurrent' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS/Users/dariusz/Qt/6.9.1/macos/lib/QtConcurrent.framework/Versions/A/QtConcurrent' (no such file), '/Volumes/DEV_MAC/02_CODE/Dev/Icarus.nosync/Icarus_Singleton/codeSingleton/libOutput/Release/QtConcurrent.framework/Versions/A/QtConcurrent' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/Volumes/DEV_MAC/02_CODE/Dev/Icarus.nosync/Icarus_Singleton/codeSingleton/libOu (terminated at launch; ignore backtrace) And here is my build script, its QT based application, I'm using macdeployqt + my own custom signing as the one from macdeployqt breaks on the complex app. (I will post it in next post as apparently there is 7k limit O.O) I've tried to replace the @rpath/ to @executable_path but that has made a million new issues and I'm just lost.

The driver does not show up in the app settings after switching to “DriverKit USB Transport - VendorID”. Previously, the app used “DriverKit USB Transport (development)” and everything worked as expected. The entitlements looked like this: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.driverkit</key> <true/> <key>com.apple.developer.driverkit.transport.usb</key> <array> <dict> <key>idVendor</key> <string>*</string> </dict> </array> </dict> </plist> I received approval to use “DriverKit USB Transport - VendorID”. I updated the App ID configuration in the portal, removed all development entitlements, updated the provisioning profile, and edited the driver’s .entitlements as follows: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.driverkit</key> <true/> <key>com.apple.developer.driverkit.transport.usb</key> <array> <dict> <key>idVendor</key> <integer>1111</integer> </dict> </array> </dict> </plist> The app installs on an iPad with an M processor, but the driver does not appear in the settings. In the logs I see the following: 272 debug 19:50:42.005193+0300 installd 7935 signing bytes in 5 blob(s) from /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.bugkAE/extracted/Payload/****.app/SystemExtensions/****Driver.dext/****.Driver(arm64) 272 debug 19:50:42.012068+0300 installd open(/var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.bugkAE/extracted/Payload/****.app/SystemExtensions/net.svedm.****.SDRDriver.dext/Info.plist,0x0,0x1b6) = 4 272 debug 19:50:42.012712+0300 installd 0xc2e14c618 done serializing <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>application-identifier</key><string>****.Driver</string><key>com.apple.application-identifier</key><string>****</string><key>com.apple.developer.driverkit</key><true/><key>com.apple.developer.driverkit.transport.usb</key><array><dict><key>idVendor</key><integer>3034</integer></dict></array><key>com.apple.developer.team-identifier</key><string>****</string><key>com.apple.security.get-task-allow</key><true/><key>get-task-allow</key><true/></dict></plist> 0 error 19:53:08.930054+0300 kernel Sandbox: MyApp(844) deny(1) sysctl-read kern.bootargs 0 error 19:53:08.931571+0300 kernel Sandbox: driverkitd(77) deny(1) syscall-unix 284 syscall-unix-denied-SIGKILL 0 error 19:53:09.985946+0300 kernel 1 duplicate report for Sandbox: driverkitd(77) deny(1) syscall-unix 284 syscall-unix-denied-SIGKILL 0 error 19:53:09.985985+0300 kernel Sandbox: MyApp(844) deny(2) file-test-existence /usr/bin/swift-backtrace 0 error 19:53:09.986011+0300 kernel Sandbox: MyApp(844) deny(2) file-test-existence /usr/bin/arm64e But I don’t quite understand what is going wrong. Any ideas?

We recently had an external pentest for one of our company's macOS applications and they brought up the topic of library validation. Our app has hardened runtime enabled and passes notarization. The codesign verification output includes: flags=0x10000(runtime) The pentesters brought up that both validation and runtime should be present, so I discovered that you could also add library validation by augmenting our flags with: OTHER_CODE_SIGN_FLAGS = --timestamp -o library which changes the flags to: flags=0x12000(library-validation,runtime) The pentesters insist that both options are necessary, especially to avoid library injection when SIP is off, but Apple's docs say that hardened runtime already implies library validation (see here ) My question is: does explicitly specifying library validation provide something that hardened runtime does not already? Or is it correct that hardened runtime already imply library validation? For what it's worth, I did a quick scan of some of the apps on my system, interesting some of the Apple system apps have only library validation (e.g. Safari, Photos), some have both (e.g. Podcasts), some have only hardened runtime (e.g. Mail). So that didn't help answer the question. Thank you!