Opened 5 years ago

Last modified 5 years ago

#59101 new defect

Xcode 11 / hardened runtime require signed libraries

Reported by: MarkCallow (Mark Callow)
Owned by:
Priority: Normal
Milestone:
Component: ports
Version:
Keywords:
Cc:
Port:

Description

Xcode 11 recommends using the Hardened Runtime, which is required for "notarized" apps.

Without the Hardened Runtime apps could link with dylibs installed with MacPorts and, provided the user has those MacPorts packages installed, the app would run. With the HR all libraries must be signed. An app linked to a MacPort dylib will be aborted by dyld. There are 2 ways to make this work:

  1. Have MacPorts sign all the dylibs it installs.
  2. Copy the needed dylibs into the app bundle and sign the copy with the developer's certificate.

No. 2 is made very difficult because the "install names" of all the MacPorts libraries are absolute paths (/opt/local/lib/libfoo.dylib). This means you have to copy the library somewhere, change its install name with install_name_tool to @rpath/libfoo.dylib, link to that modified library, then copy it into the app bundle. It would be much easier if the library install names all used @rpath/libfoo.dylib.

I do not have enough background with MacPorts to know which solution, signing the dylibs or using @rpath is more appropriate. I am opening this to make everyone aware of the issue. I'm also not sure whether to classify this as a defect or enhancement. I do not know how common it is for people to distribute apps that expect MacPorts ports to be in place.
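The copy-rewrite-sign workflow of option 2, as an added example that is not part of the ticket and not a MacPorts tool. It assumes placeholder names (MyApp.app, libfoo.dylib, a "Developer ID Application" signing identity) and relies on the stock Xcode command-line tools `install_name_tool`, `otool` and `codesign`; the `list_macports_deps` helper is the one piece that runs anywhere, since it only parses `otool -L` text.

```shell
#!/bin/sh
# Added example for the ticket above; not MacPorts' own tooling. All names
# (libfoo.dylib, MyApp.app, the signing identity) are placeholders.
set -eu

# Read `otool -L` output on stdin and print every dependency that still
# resolves to an absolute MacPorts path. The first line is the binary itself.
list_macports_deps() {
    awk 'NR > 1 && $1 ~ /^\/opt\/local\// { print $1 }'
}

# Copy one MacPorts dylib into the bundle's Frameworks directory and rewrite
# its install name from /opt/local/lib/<name> to @rpath/<name>. Editing the
# load commands invalidates any existing signature, so the copy is re-signed
# with the developer's certificate and the hardened runtime enabled.
bundle_dylib() {
    src="$1" frameworks="$2" identity="$3"
    name=$(basename "$src")
    mkdir -p "$frameworks"
    cp "$src" "$frameworks/$name"
    chmod u+w "$frameworks/$name"
    install_name_tool -id "@rpath/$name" "$frameworks/$name"
    codesign --force --options runtime --timestamp \
        --sign "$identity" "$frameworks/$name"
}

# Point the main executable at the bundled copies instead of /opt/local, make
# sure an rpath covering ../Frameworks exists, then sign the whole app.
# Pass each dylib path exactly as `otool -L` shows it (usually the versioned
# name, e.g. /opt/local/lib/libfoo.1.dylib), or -change will not match.
relink_app() {
    app="$1" identity="$2"; shift 2            # remaining args: MacPorts dylibs
    exe="$app/Contents/MacOS/$(basename "$app" .app)"
    frameworks="$app/Contents/Frameworks"
    for lib in "$@"; do
        bundle_dylib "$lib" "$frameworks" "$identity"
        install_name_tool -change "$lib" "@rpath/$(basename "$lib")" "$exe"
    done
    # -add_rpath fails if the entry already exists, so check first.
    if ! otool -l "$exe" | grep -q '@executable_path/../Frameworks'; then
        install_name_tool -add_rpath '@executable_path/../Frameworks' "$exe"
    fi
    codesign --force --options runtime --timestamp --sign "$identity" "$app"
}

# Verification a release pipeline would run: no /opt/local references remain
# and the signature is valid, so dyld will not abort the hardened binary.
check_app() {
    app="$1"
    exe="$app/Contents/MacOS/$(basename "$app" .app)"
    leftovers=$(otool -L "$exe" | list_macports_deps)
    if [ -n "$leftovers" ]; then
        printf 'still linked against MacPorts paths:\n%s\n' "$leftovers" >&2
        return 1
    fi
    codesign --verify --deep --strict "$app"
}

# Usage: MYAPP=/path/MyApp.app IDENTITY='Developer ID Application: ...' \
#        sh bundle_macports.sh /opt/local/lib/libfoo.1.dylib
if [ -n "${MYAPP:-}" ]; then
    relink_app "$MYAPP" "${IDENTITY:?set IDENTITY}" "$@"
    check_app "$MYAPP"
fi
```

The order matters: libraries are signed before the app so that the final `codesign` of the bundle seals already-valid nested code, and `check_app` fails on any remaining `/opt/local` reference before the signature is even verified, which is the same condition dyld would reject at launch under the hardened runtime.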

Change History (2)

comment:1 Changed 5 years ago by jmroot (Joshua Root)

Unfortunately MacPorts does not have a Developer ID at this time. Even if it did, only prebuilt binaries could be signed with our ID. Anything built locally would need to use a certificate belonging to the user.

Note that the dylibbundler port can make option 2 easier.

comment:2 Changed 5 years ago by ryandesign (Ryan Carsten Schmidt)

I don't think there's anything we can change in MacPorts in regard to this issue.
