[MacPorts] #59101: Xcode 11 / hardened runtime require signed libraries
MacPorts
noreply at macports.org
Wed Sep 25 03:20:52 UTC 2019
#59101: Xcode 11 / hardened runtime require signed libraries
------------------------+--------------------
Reporter: MarkCallow | Owner: (none)
Type: defect | Status: new
Priority: Normal | Milestone:
Component: ports | Version:
Keywords: | Port:
------------------------+--------------------
Xcode 11 recommends using the Hardened Runtime, which is required for
"notarized" apps.

Without the Hardened Runtime, apps could link with dylibs installed with
MacPorts and, provided the user has those MacPorts packages installed, the
app would run. With the HR all libraries must be signed. An app linked to
a MacPorts dylib will be aborted by dyld. There are 2 ways to make this
work:

1. Have MacPorts sign all the dylibs it installs.
2. Copy the needed dylibs into the app bundle and sign the copy with the
developer's certificate.

No. 2 is made very difficult because the "install names" of all the
MacPorts libraries are absolute paths (/opt/local/lib/libfoo.dylib). This
means you have to copy the library somewhere, change its install name with
`install_name_tool` to `@rpath/libfoo.dylib`, link to that modified
library, then copy it into the app bundle. It would be much easier if the
library install names all used `@rpath/libfoo.dylib`.

I do not have enough background with MacPorts to know which solution,
signing the dylibs or using `@rpath`, is more appropriate. I am opening
this to make everyone aware of the issue. I'm also not sure whether to
classify this as a defect or enhancement. I do not know how common it is
for people to distribute apps that expect MacPorts ports to be in place.
--
Ticket URL: <https://trac.macports.org/ticket/59101>
MacPorts <https://www.macports.org/>
Ports system for macOS
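
Added example, not part of the ticket or of MacPorts: a dry-run planner for option 2 that reads `otool -L` output and prints the copy, `install_name_tool` and `codesign` commands for every dependency under /opt/local. It is a variant that rewrites the reference in an already linked executable with `-change` instead of relinking; the bundle layout, app name, signing identity and the sample `otool` output are constructed assumptions.

```shell
#!/bin/sh
# Dry run: prints commands only, so the plan can be reviewed before anything is modified.
MP_PREFIX=/opt/local   # MacPorts prefix named in the ticket

# Constructed sample of `otool -L MyApp.app/Contents/MacOS/MyApp` (illustrative only).
sample_otool_output() {
    printf '%s\n' 'MyApp.app/Contents/MacOS/MyApp:'
    printf '\t%s\n' \
        '/opt/local/lib/libfoo.1.dylib (compatibility version 2.0.0, current version 2.3.0)' \
        '/opt/local/lib/libbar.dylib (compatibility version 1.0.0, current version 1.0.0)' \
        '/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.0.0)'
}

# Filter otool -L output (stdin) down to install names under the MacPorts prefix.
# Dependency lines are indented; the first line (the binary's own name) is not.
macports_deps() {
    awk -v p="$MP_PREFIX/" '/^[ \t]/ && index($1, p) == 1 { print $1 }'
}

# $1 = app bundle, $2 = executable name, $3 = signing identity; otool -L output on stdin.
plan_fixups() {
    app=$1; exe="$1/Contents/MacOS/$2"; fw="$1/Contents/Frameworks"; ident=$3
    printf 'mkdir -p "%s"\n' "$fw"
    macports_deps | while IFS= read -r dep; do
        base=$(basename "$dep")
        printf 'cp "%s" "%s/%s"\n' "$dep" "$fw" "$base"
        # Give the bundled copy a relocatable identity instead of the absolute path.
        printf 'install_name_tool -id "@rpath/%s" "%s/%s"\n' "$base" "$fw" "$base"
        # Point the executable at the bundled copy.
        printf 'install_name_tool -change "%s" "@rpath/%s" "%s"\n' "$dep" "$base" "$exe"
        # Sign the modified copy; changing the install name invalidates any signature.
        printf 'codesign --force --timestamp --options runtime --sign "%s" "%s/%s"\n' \
            "$ident" "$fw" "$base"
    done
    # @rpath must resolve inside the bundle (fails if this rpath is already present).
    printf 'install_name_tool -add_rpath "@executable_path/../Frameworks" "%s"\n' "$exe"
    # Sign the bundle last, after all nested code is signed.
    printf 'codesign --force --timestamp --options runtime --sign "%s" "%s"\n' "$ident" "$app"
}

# Demo on the constructed sample; on a real system pipe in `otool -L <executable>`.
sample_otool_output | plan_fixups MyApp.app MyApp 'Developer ID Application: EXAMPLE'
```

The plan covers direct dependencies only: run `otool -L` on each bundled copy as well, since a MacPorts dylib can itself reference other /opt/local libraries that need the same treatment.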