I’m working on a plugin host which has a custom plugin scanner using a child process to prevent
crashing the whole application in case of an unstable plugin.
It’s working pretty well but when I codesign my app with the runtime option enabled, the scanner behaves as if every plugin were crashing, without any further error.
My scanner is a Unix executable located in the resource folder of the app’s bundle.
The command line I use to sign both the app and the scanner is the following: codesign --force --deep -s "Developer ID Application: ..." -v --timestamp Path/To/Application.app --entitlements Entitlements.plist --options runtime
We just add the library option for the unix executable.
The entitlements I enable: allow-unsigned-executable-memory, disable-library-validation and device.audio-input.
I was wondering if the use of juce::ChildProcess was actually compatible with Apple’s hardened runtime and if anyone knows a workaround.
In these situations, it’s a good idea to check the Console window to see whether the system is giving a reason for the failure.
To test this, I tried enabling the hardened runtime on the AudioPluginHost (which also has an out-of-process scanning mode now!). Initially I saw the same behaviour as you. According to the console, library loading was failing because the Team IDs of the plugin signature and the host signature were different. I added the com.apple.security.cs.disable-library-validation key to my entitlements and re-signed the AudioPluginHost, and then was able to validate plugins as expected.
You can find more information about the required entitlement here.
Good call! Thank you!
I was actually applying the following command line to the Unix executable in charge of the plugin scan: codesign --force --deep -s "Developer ID Application: ..." -v --timestamp Path/To/Executable --entitlements Entitlements.plist --options runtime,library
The --options runtime,library is not right because the library option forces the validation to be enabled despite the disable-library-validation entitlement. Btw this seems to be the only thing the library option does, so I don’t know why I enabled it.
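A check for the mismatch this thread ends on, as an added example (not code from the thread or from JUCE): it parses `codesign -d -vv` output together with the entitlements plist and reports when a hardened-runtime scanner cannot load plugins signed by another Team ID, either because the entitlement is missing or because `--options library` forced library validation on. The codesign output and plists below are constructed samples, and the flag names are the ones codesign prints (`runtime`, `library-validation`).

```python
import plistlib
import re

# Entitlement from the thread: lets a hardened-runtime process load code
# (plugins) signed by a different Team ID.
DISABLE_LV_ENTITLEMENT = "com.apple.security.cs.disable-library-validation"

# Constructed `codesign -d -vv` output, not captured from a real binary.
# "library-validation" is what --options library produces; "runtime" is --options runtime.
BROKEN_SCANNER_CODESIGN = (
    "Executable=/Applications/Application.app/Contents/Resources/scanner\n"
    "CodeDirectory v=20500 size=412 flags=0x12000(library-validation,runtime) hashes=8+5\n"
)
FIXED_SCANNER_CODESIGN = (
    "Executable=/Applications/Application.app/Contents/Resources/scanner\n"
    "CodeDirectory v=20500 size=412 flags=0x10000(runtime) hashes=8+5\n"
)
# Constructed Entitlements.plist matching the three entitlements named in the thread.
ENTITLEMENTS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.device.audio-input</key><true/>
</dict></plist>
"""
# Same plist with the library-validation entitlement left out.
MISSING_LV_PLIST = b"""<plist version="1.0"><dict>
<key>com.apple.security.device.audio-input</key><true/>
</dict></plist>
"""

def parse_codesign_flags(codesign_output):
    """Return the flag names from the CodeDirectory line of `codesign -d -vv` output."""
    m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", codesign_output)
    if not m:
        return set()
    return {name.strip() for name in m.group(1).split(",") if name.strip()}

def check_plugin_loading(codesign_output, entitlements_plist):
    """List reasons the signed scanner would refuse plugins from other Team IDs ([] if none)."""
    flags = parse_codesign_flags(codesign_output)
    entitlements = plistlib.loads(entitlements_plist)
    findings = []
    if "library-validation" in flags:
        # --options library sets the flag; the entitlement cannot override it.
        findings.append("signed with --options library: library validation is forced on "
                        "and " + DISABLE_LV_ENTITLEMENT + " is ignored")
    elif "runtime" in flags and not entitlements.get(DISABLE_LV_ENTITLEMENT):
        findings.append("hardened runtime without " + DISABLE_LV_ENTITLEMENT +
                        ": plugins from other Team IDs will fail to load")
    return findings
```

Run it against the real scanner by feeding in the output of `codesign -d -vv Path/To/Executable` and the plist you pass to `--entitlements`.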