
Mac App Bundle cannot access USB devices when hardened for notarization


We have written a native application that accesses a USB card terminal through some closed-source libraries. The application is written in C/C++, is cross-platform (already working on Linux and Windows) and uses Gtk3 for the UI. Therefore we're not using Xcode at all. Furthermore, we use LIBMICROHTTPD, GNUTLS, JSONCPP and some other stuff, and we also link LIBASAN1. The application runs fine as an app bundle, and also runs fine when the executable is not signed with the hardened runtime (--options=runtime). But to get a successful notarization we have to sign the executable with --options=runtime, and this breaks the application: it launches fine but hangs/loops during the actual USB access.

Providing a minimum viable example is hard because of the closed-source libraries between us and the USB card terminal, but I'll try to show you what we're doing:

    codesign -f -s "macosnewbie" carrier.app/Contents/MacOS/* --timestamp --options=runtime
    codesign -f -s "macosnewbie" carrier.app/Contents/libs/lib* --timestamp
    codesign -f -s "macosnewbie" carrier.app/Contents/libs/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-* --timestamp
    codesign -f -s "macosnewbie" carrier.app/Contents/Resources/* --timestamp
    codesign -f -s "macosnewbie" --options=runtime --entitlements entitlements.plist carrier.app --deep

The first codesign is crucial for the notarization but breaks the application; when signed without --options=runtime it works fine. We also zip the app bundle, notarize it and staple it.

    xcrun altool --notarize-app --primary-bundle-id "19" -f carrier.zip -u "me@ourcompancy.de"
    xcrun stapler staple carrier.app

Info.plist

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>CFBundleGetInfoString</key>
    <string>Carrier Card Terminal</string>
    <key>CFBundleExecutable</key>
    <string>carrier</string>
    <key>CFBundleIdentifier</key>
    <string>de.ourcompany.www</string>
    <key>CFBundleName</key>
    <string>Carrier</string>
    <key>CFBundleIconFile</key>
    <string>carrier.icns</string>
    <key>CFBundleShortVersionString</key>
    <string>0.01</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>IFMajorVersion</key>
    <integer>0</integer>
    <key>IFMinorVersion</key>
    <integer>1</integer>
    </dict>
    </plist>

entitlements.plist

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>com.apple.security.device.usb</key> <!-- usb access -->
    <true/>
    <key>com.apple.security.network.server</key> <!-- internal webserver -->
    <true/>
    <key>com.apple.security.network.client</key> <!-- internal webserver -->
    <true/>
    </dict>
    </plist>

What am I missing or doing wrong?

Below I've added the complete directory structure of the app bundle to give you an overview. If necessary I can also provide the actual app bundle, but it is useless without a compatible hardware terminal attached.
Thank you

1 We have some sort of undefined behavior on macOS (or with Clang?), and linking with LIBASAN has proven to be a workaround.

    carrier.app
    └── Contents
        ├── Info.plist
        ├── MacOS
        │   └── carrier
        ├── Resources
        │   ├── carrier.icns
        │   ├── server.key
        │   └── server.pem
        ├── _CodeSignature
        │   └── CodeResources
        └── libs
            ├── gdk-pixbuf-2.0
            │   └── 2.10.0
            │       └── loaders # loaders.cache is missing here...
            │           ├── libpixbufloader-ani.so
            │           ├── libpixbufloader-bmp.so
            │           ├── libpixbufloader-gif.so
            │           ├── libpixbufloader-icns.so
            │           ├── libpixbufloader-ico.so
            │           ├── libpixbufloader-jpeg.so
            │           ├── libpixbufloader-png.so
            │           ├── libpixbufloader-pnm.so
            │           ├── libpixbufloader-qtif.so
            │           ├── libpixbufloader-tga.so
            │           ├── libpixbufloader-tiff.so
            │           ├── libpixbufloader-xbm.so
            │           └── libpixbufloader-xpm.so
            ├── libBrpDriver.dylib
            ├── libalwa_driver.dylib
            ├── libatk-1.0.0.dylib
            ├── libatkmm-1.6.1.dylib
            ├── libbrp_lib.dylib
            ├── libcairo-gobject.2.dylib
            ├── libcairo.2.dylib
            ├── libcairomm-1.0.1.dylib
            ├── libclang_rt.asan_osx_dynamic.dylib
            ├── libepoxy.0.dylib
            ├── libffi.6.dylib
            ├── libfontconfig.1.dylib
            ├── libfreetype.6.dylib
            ├── libfribidi.0.dylib
            ├── libgdk-3.0.dylib
            ├── libgdk_pixbuf-2.0.0.dylib
            ├── libgdkmm-3.0.1.dylib
            ├── libgio-2.0.0.dylib
            ├── libgiomm-2.4.1.dylib
            ├── libglib-2.0.0.dylib
            ├── libglibmm-2.4.1.dylib
            ├── libgmodule-2.0.0.dylib
            ├── libgmp.10.dylib
            ├── libgnutls.30.dylib
            ├── libgobject-2.0.0.dylib
            ├── libgraphite2.3.2.1.dylib
            ├── libgtk-3.0.dylib
            ├── libgtkmm-3.0.1.dylib
            ├── libharfbuzz.0.dylib
            ├── libhogweed.4.5.dylib
            ├── libidn2.0.dylib
            ├── libintl.8.dylib
            ├── libjsoncpp.21.dylib
            ├── libmicrohttpd.12.dylib
            ├── libnettle.6.5.dylib
            ├── libp11-kit.0.dylib
            ├── libpango-1.0.0.dylib
            ├── libpangocairo-1.0.0.dylib
            ├── libpangoft2-1.0.0.dylib
            ├── libpangomm-1.4.1.dylib
            ├── libpcre.1.dylib
            ├── libpixman-1.0.dylib
            ├── libpng16.16.dylib
            ├── libpsl.5.dylib
            ├── libsigc-2.0.0.dylib
            ├── libsoup-2.4.1.dylib
            ├── libsqlite3.0.dylib
            ├── libtasn1.6.dylib
            └── libunistring.2.dylib

    8 directories, 68 files

Solution

  • We were able to get ours to work by adding the following entitlement.

    <dict>
      <key>com.apple.security.cs.allow-dyld-environment-variables</key>
      <true/>
    </dict>
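An added example, not code from the question or the answer: a small Python audit of an entitlements file before it is handed to `codesign --options=runtime`. It applies the answer's fix the other way round. `com.apple.security.cs.allow-dyld-environment-variables` makes the hardened build work because the process again honours DYLD_* variables, and that is exactly what lets any local user inject a dylib into the notarized process via DYLD_INSERT_LIBRARIES, so the key should be a deliberate, reviewed exception rather than something copied from an answer. The audit also flags the three entitlements from the question's plist as App Sandbox keys that do nothing in an unsandboxed app. The sample plist is constructed here (the question's file plus the answer's key); the key names are real Apple entitlement keys, the severity labels and messages are my own.

```python
"""Audit an entitlements plist before it goes to `codesign --options=runtime`.

Added example, not code from the question or the answer. Key names are the
real Apple entitlement keys; the severity labels and messages are my own.
"""
import plistlib

SANDBOX_KEY = "com.apple.security.app-sandbox"

# Hardened-runtime exceptions. Each one re-opens something the hardened
# runtime exists to close, so its presence should be deliberate.
HARDENED_RUNTIME_EXCEPTIONS = {
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* variables (DYLD_INSERT_LIBRARIES, DYLD_LIBRARY_PATH) are honoured "
        "again, so a local user can inject a dylib into the notarized process",
    "com.apple.security.cs.disable-library-validation":
        "libraries signed by another Team ID, or unsigned, may be loaded",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "memory may be mapped writable and executable",
    "com.apple.security.cs.allow-jit":
        "MAP_JIT regions may be made executable",
    "com.apple.security.cs.debugger":
        "the app may attach to other processes",
    "com.apple.security.get-task-allow":
        "other processes may attach to and read this process",
}

# App Sandbox entitlements: they only grant or restrict anything when
# SANDBOX_KEY is also true. The question's plist uses these three.
SANDBOX_ONLY = {
    "com.apple.security.device.usb",
    "com.apple.security.network.server",
    "com.apple.security.network.client",
}

# Constructed sample: the question's entitlements.plist plus the key from the answer.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.device.usb</key><true/>
    <key>com.apple.security.network.server</key><true/>
    <key>com.apple.security.network.client</key><true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
</dict>
</plist>
"""


def audit_entitlements(plist_bytes):
    """Return (level, key, reason) tuples: WARN for hardened-runtime
    exceptions that are switched on, INFO for sandbox-only keys in an
    unsandboxed app. Keys that are absent or false produce nothing."""
    ents = plistlib.loads(plist_bytes)
    sandboxed = ents.get(SANDBOX_KEY) is True
    findings = []
    for key, value in ents.items():
        if value is not True:
            continue  # only enabled booleans matter here
        if key in HARDENED_RUNTIME_EXCEPTIONS:
            findings.append(("WARN", key, HARDENED_RUNTIME_EXCEPTIONS[key]))
        elif key in SANDBOX_ONLY and not sandboxed:
            findings.append(("INFO", key,
                             "App Sandbox entitlement; inert without " + SANDBOX_KEY))
    return findings


def strip_inert_entitlements(plist_bytes):
    """Return a new plist (bytes) with sandbox-only keys removed when the app
    is not sandboxed, so the signed binary carries only entitlements that do
    something. Hardened-runtime exceptions are kept on purpose: dropping them
    silently would reintroduce the failure the question describes."""
    ents = plistlib.loads(plist_bytes)
    if ents.get(SANDBOX_KEY) is not True:
        ents = {k: v for k, v in ents.items() if k not in SANDBOX_ONLY}
    return plistlib.dumps(ents)


if __name__ == "__main__":
    for level, key, reason in audit_entitlements(SAMPLE_ENTITLEMENTS):
        print(f"{level:4} {key}: {reason}")
    print(strip_inert_entitlements(SAMPLE_ENTITLEMENTS).decode())
```

Run it against the entitlements file before every signing pass, and after signing confirm what actually went into the binary with `codesign -d --entitlements :- carrier.app`. The WARN line for `allow-dyld-environment-variables` is the one the answer's fix introduces. The question's footnote says LIBASAN is linked only as a workaround for undefined behaviour, and the bundle ships `libclang_rt.asan_osx_dynamic.dylib`; the less exposed route is to fix that bug and drop the sanitizer runtime from release builds, which may make the exception unnecessary. That is an assumption, since the page does not say which component depends on DYLD_* variables.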