Child process + Hardened runtime issue

Hi everyone,

I’m working on a plugin host which has a custom plugin scanner using a child process to prevent
crashing the whole application in case of an unstable plugin.

It’s working pretty well, but when I codesign my app with the runtime option enabled, the scanner behaves as if every plugin were crashing, without any further error.

My scanner is a Unix executable located in the resource folder of the app’s bundle.

The command line I use to sign both the app and the scanner is the following:
codesign --force --deep -s "Developer ID Application: ..." -v --timestamp Path/To/Application.app --entitlements Entitlements.plist --options runtime
We just add the library option for the Unix executable.

The entitlements I enable: allow-unsigned-executable-memory, disable-library-validation and device.audio-input.

I was wondering if the use of juce::ChildProcess was actually compatible with Apple’s hardened runtime and if anyone knows a workaround.

Thanks for your help.

In these situations, it’s a good idea to check the Console window to see whether the system is giving a reason for the failure.

To test this, I tried enabling the hardened runtime on the AudioPluginHost (which also has an out-of-process scanning mode now!). Initially I saw the same behaviour as you. According to the console, library loading was failing because the Team IDs of the plugin signature and the host signature were different. I added the com.apple.security.cs.disable-library-validation key to my entitlements and re-signed the AudioPluginHost, and then was able to validate plugins as expected.

You can find more information about the required entitlement here.


Hi again,

Good call! Thank you!
I was actually applying the following command line to the Unix executable in charge of the plugin scan:
codesign --force --deep -s "Developer ID Application: ..." -v --timestamp Path/To/Executable --entitlements Entitlements.plist --options runtime,library

The --options runtime,library is not right because the library option forces the validation to be enabled despite the disable-library-validation entitlement. Btw this seems to be the only thing the library option does, so I don’t know why I enabled it.

Thank you again.
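As an added example (not code from the thread or from JUCE): a small POSIX shell script that writes the three entitlements listed above, refuses to sign when the --options value contains library alongside disable-library-validation (the conflict the second post identifies), and otherwise runs the same codesign invocation. The signing identity and paths are placeholders; the sign step is skipped where codesign is not installed.

```shell
#!/bin/sh
# Write an Entitlements.plist enabling the three entitlements named in the thread.
write_entitlements() {  # $1 = output path
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
EOF
}

# Return 0 if the --options value is compatible with the entitlements file.
# "library" re-enables library validation and silently defeats the
# disable-library-validation entitlement, so a scanner signed that way cannot
# load plugins signed by a different Team ID.
check_options() {  # $1 = entitlements path, $2 = --options value, e.g. "runtime,library"
  if grep -q 'disable-library-validation' "$1"; then
    case ",$2," in
      *,library,*) echo "conflict: --options library overrides disable-library-validation" >&2; return 1 ;;
    esac
  fi
  case ",$2," in
    *,runtime,*) return 0 ;;
    *) echo "hardened runtime not enabled (missing runtime option)" >&2; return 1 ;;
  esac
}

# Sign one bundle or executable, refusing the conflicting option set.
# The identity string is a placeholder; substitute your own Developer ID.
sign_with() {  # $1 = path to sign, $2 = entitlements path, $3 = --options value
  check_options "$2" "$3" || return 1
  command -v codesign >/dev/null 2>&1 || { echo "codesign not available; skipping $1"; return 0; }
  codesign --force --deep -s "Developer ID Application: PLACEHOLDER" -v --timestamp \
    --entitlements "$2" --options "$3" "$1"
}

# Usage (placeholder paths; sign the scanner first, then the app, both with
# --options runtime only):
#   write_entitlements Entitlements.plist
#   sign_with Path/To/Application.app/Contents/Resources/scanner Entitlements.plist runtime
#   sign_with Path/To/Application.app Entitlements.plist runtime
```

After signing on a Mac, `codesign -d --entitlements :- <path>` prints the embedded entitlements and `codesign -dvv <path>` shows the flags, so you can confirm that "library" is absent and "runtime" is present.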