0

Compiled release version of my app and copied the bundle over to another machine for testing. Crashes with this:

Dyld Error Message:
  Library not loaded: @rpath/libxxx.dylib
  Referenced from: /Users/USER/Downloads/*/ndncon.app/Contents/MacOS/ndncon
  Reason: no suitable image found.  Did find:
    /Users/remap/Downloads/ndncon2-testing/ndncon.app/Contents/MacOS/../Frameworks/libxxx.dylib: code signature invalid for '/Users/remap/Downloads/ndncon2-testing/ndncon.app/Contents/MacOS/../Frameworks/libxxx.dylib'

I ran verifications:

$ codesign -vv --deep-verify /Users/remap/Downloads/ndncon2-testing/ndncon.app 
/Users/remap/Downloads/ndncon2-testing/ndncon.app: valid on disk
/Users/remap/Downloads/ndncon2-testing/ndncon.app: satisfies its Designated Requirement

and

$ codesign -dvv /Users/remap/Downloads/ndncon2-testing/ndncon.app 
Executable=/Users/remap/Downloads/ndncon2-testing/ndncon.app/Contents/MacOS/ndncon
Identifier=ucla.edu.ndncon
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=8819 flags=0x0(none) hashes=434+3 location=embedded
Signature size=4688
Authority=Mac Developer: g....n@gmail.com (H79XXXX834)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Dec 1, 2016, 12:51:19 PM
Info.plist entries=26
TeamIdentifier=XXXXXXXXX
Sealed Resources version=2 rules=12 files=44
Internal requirements count=1 size=180

and finally,

$ sudo spctl --assess -v /Users/remap/Downloads/ndncon2-testing/ndncon.app 
/Users/remap/Downloads/ndncon2-testing/ndncon.app: accepted
override=security disabled

Not sure why it complains about 1) internal dynamic library and 2) why it complains at all?

peetonn
  • 2,942
  • 4
  • 32
  • 49

1 Answers1

3

We've been dealing with this for the past couple days and finally figured out the issue. Although you don't mention it in the question I'd strongly suspect you are running into this on OS X Yosemite 10.10.5

The issue is that you [quite likely] need to have a sha1 hash in your code signature on Yosemite and you only have a sha256 hash. The codesign utility inspects the binary's deployment target [LC_VERSION_MIN_MACOSX] to detect if it needs to include a sha1 or just sha256 and signs appropriately. For whatever reason "codesign -vv" on Yosemite is incorrectly reporting a valid signature when it obviously is failing.

Of note - this isn't an issue on earlier versions of OS X because library signatures aren't validated until Yosemite.

hemancuso
  • 31
  • 2
  • Thanks for the insight! even though my version is El Captain 10.11.6, I believe this might be the issue. I'll check this. so how did you fix it? – peetonn Dec 06 '16 at 00:33
  • Rebuild specifying an earlier deployment target. An easy way to do that might be to re-build the library on an earlier build of OS X and copy it over. – hemancuso Dec 06 '16 at 18:35
  • trying to rebuild for 10.10 and 10.9 - doesn't help. the library was built using GNU autotools, do you know whether it ties library to a specific macOS version? – peetonn Dec 06 '16 at 22:55
  • run codesign -vvvd and see what the hash options are, make sure sha1 is one of the hash options – hemancuso Dec 07 '16 at 14:52