
MacOS codesignature invalid after adding entitlements


I'm signing a small command line TCP listener for Mac M1 which usually signs and notarizes correctly using the following command:

codesign --sign $IDENTITY --options runtime --timestamp server/executable

In order to enrich the features of our listener we may need to load the JVM library from Oracle. In order to be allowed to load a third-party dynamic library I've introduced an entitlements plist file called macos-entlist.plist as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-jit</key>
    <false/>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <false/>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <false/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <false/>
</dict>
</plist>

And changed my codesign command as follows:

codesign --sign $IDENTITY --entitlements macos-entlist.plist --options runtime --timestamp server/executable

After adding the entitlements feature to my codesigning and notarization logic my ZIP file still passes the notarization phase but when I try to run executable I get an error message saying that executable cannot be opened because the developer cannot be verified.

The issue happens regardless of the contents of macos-entlist.plist (e.g. even setting all the values to false I still get the error). It seems that the mere introduction of the parameter --entitlements macos-entlist.plist causes the executable to not be valid anymore, despite the fact that the notarization phase succeeds.

Curiously other command line executable files in my ZIP signed with the same command are still running fine.

Do you have any suggestions on how I can correctly introduce entitlements?


Solution

  • Thanks to Apple tech support I've been able to solve the issue.

    The problem was due to the fact that when com.apple.security.cs.disable-library-validation is enabled MacOS gatekeeper makes additional checks to make sure the library loading is safe and a shared library is not replaced or injected with malicious code.

    To overcome the extra checks I needed to repackage my program as a macOS bundle by creating a specific directory structure to contain my executable and its utilities. I also had to insert an Info.plist file to make my main directory a valid macOS bundle.

    I found interesting these readings on Apple forums: https://developer.apple.com/forums/thread/706437 https://developer.apple.com/forums/thread/706414

    It was very helpful for me to mimic the structure of jdk 17 .tar.gz for MacOS.
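The following script is an added example and is not the answerer's own packaging code or anything from Apple's threads. It lays out the kind of bundle the answer describes (a .app directory with Contents/Info.plist, the executable under Contents/MacOS and the third-party dylibs under Contents/Frameworks), signs the nested libraries before the bundle, applies the entitlements file from the question, and then runs the checks a practitioner wants before shipping: codesign verification, a dump of the entitlements actually embedded, and a Gatekeeper assessment. The bundle name Listener.app, the identifier prefix com.example, the Contents/Frameworks location and the $IDENTITY variable are assumptions. Keep in mind that with disable-library-validation and allow-dyld-environment-variables both set to true, the hardened runtime no longer blocks other teams' libraries or DYLD_INSERT_LIBRARIES against this binary, so only grant them to the executable that really needs the JVM.

```shell
#!/bin/sh
# Added example (not from the original post). Packages a command-line
# executable as a minimal macOS bundle, then signs and verifies it.
# Assumed names: Listener.app, com.example.<name>, Contents/Frameworks,
# macos-entlist.plist (the question's file) and the $IDENTITY variable.
set -eu

# make_bundle OUTDIR NAME EXECUTABLE [DYLIB ...]
# Creates OUTDIR/NAME.app/Contents/{Info.plist,MacOS/NAME,Frameworks/...}
# and prints the path of the bundle.
make_bundle() {
  outdir=$1; name=$2; exe=$3; shift 3
  app="$outdir/$name.app"
  mkdir -p "$app/Contents/MacOS" "$app/Contents/Frameworks"
  cp "$exe" "$app/Contents/MacOS/$name"
  chmod 755 "$app/Contents/MacOS/$name"
  for lib in "$@"; do
    cp "$lib" "$app/Contents/Frameworks/"
  done
  # Minimal Info.plist. CFBundleExecutable must match the file name in
  # Contents/MacOS, otherwise the bundle is not recognised as valid.
  cat > "$app/Contents/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.$name</string>
    <key>CFBundleName</key>
    <string>$name</string>
    <key>CFBundleExecutable</key>
    <string>$name</string>
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleVersion</key>
    <string>1.0</string>
    <key>CFBundleShortVersionString</key>
    <string>1.0</string>
</dict>
</plist>
EOF
  printf '%s\n' "$app"
}

# sign_bundle APP ENTITLEMENTS
# Signs inside out: each nested dylib first (no entitlements needed there),
# then the bundle with the entitlements file, then verifies the result.
sign_bundle() {
  app=$1; ents=$2
  for lib in "$app"/Contents/Frameworks/*; do
    [ -e "$lib" ] || continue
    codesign --force --sign "$IDENTITY" --options runtime --timestamp "$lib"
  done
  codesign --force --sign "$IDENTITY" --entitlements "$ents" \
    --options runtime --timestamp "$app"
  # Structural check of every code object in the bundle.
  codesign --verify --deep --strict --verbose=2 "$app"
  # Confirm the entitlements that were actually embedded (":-" strips the
  # blob header; on macOS 13 and later "--entitlements - --xml" also works).
  codesign -d --entitlements :- "$app"
  # Gatekeeper's verdict. This is rejected until the bundle has been
  # notarized and the ticket stapled, which is expected at this stage.
  spctl --assess --type execute --verbose=4 "$app" || true
}

# Usage on a Mac with a Developer ID identity in $IDENTITY:
#   app=$(make_bundle build Listener server/executable path/to/libjli.dylib)
#   sign_bundle "$app" macos-entlist.plist
# After that, zip the .app, submit it with notarytool and staple the ticket.
```

The order matters: codesign signs the outer bundle's seal over its contents, so re-signing a nested library afterwards invalidates the bundle signature and brings back exactly the "developer cannot be verified" symptom from the question.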