Recent

Author Topic: Hardening/Notarize question about entitlements (Indy and OpenSSL/LibreSSL)  (Read 1329 times)

MISV

  • Hero Member
  • *****
  • Posts: 772
From my research I am unsure if my Lazarus app need any entitlements file for hardening/notarization when signing...

Except I do I think I may need these
  Key: com.apple.security.cs.allow-dyld-environment-variables
  Key: com.apple.security.cs.disable-library-validation

That is because I use Indy which loads OpenSSL/LibreSSL

I guess if just loading the ones provided by system... They should be signed/notarized by Apple, but I am unsure.
But I also allow people to manually point my software to use OpenSSL libs compiled/downloaded by themselves.

Some links i have found
  - https://stackoverflow.com/questions/55660597/why-does-a-free-pascal-dylib-need-dyld-environment-variables
  - https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/
  - https://github.com/rstudio/rstudio/issues/4597

Any experience with the above?

Hansaplast

  • Hero Member
  • *****
  • Posts: 674
  • Tweaking4All.com
    • Tweaking4All
Re: Hardening/Notarize question about entitlements (Indy and OpenSSL/LibreSSL)
« Reply #1 on: December 04, 2019, 11:13:20 am »

As far as I remember, using OpenSSL/LibreSSL (that came with Mojave - not sure if Catalina updated them) seems no longer an option under macOS.
It produces an error:


Code: Pascal  [Select][+][-]
  1. Invalid dylib load. Clients should not load the unversioned libcrypto dylib as it does not have a stable ABI.


See my post in this thread.

MISV

  • Hero Member
  • *****
  • Posts: 772
Re: Hardening/Notarize question about entitlements (Indy and OpenSSL/LibreSSL)
« Reply #2 on: December 05, 2019, 09:53:37 pm »
It seems Remy posted a workaround here:
https://community.idera.com/developer-tools/platforms/f/macos-platform/70310/issue-with-using-indy-on-catalina

(A recent version of Indy seems to include a function call that configured Indy to load specific version first)

I have not tried the Indy fix though. I will need to update Indy first

MISV

  • Hero Member
  • *****
  • Posts: 772
Re: Hardening/Notarize question about entitlements (Indy and OpenSSL/LibreSSL)
« Reply #3 on: December 06, 2019, 11:45:11 am »
However, to generalize my question

If I allow a user to download any dylib (e.g. OpenSSL) and load that will I need both these:

Code: Pascal  [Select][+][-]
  1.   com.apple.security.cs.allow-dyld-environment-variables
  2.   com.apple.security.cs.disable-library-validation
  3.  
Or just

Code: Pascal  [Select][+][-]
  1.   com.apple.security.cs.disable-library-validation

 

TinyPortal © 2005-2018