Uploaded image for project: 'SonarCFamily'
  1. SonarCFamily
  2. CPP-1640

build-wrapper OS X: add support for binaries signed with "library-validation" (introduced in El Capitan as part of SIP)


    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: build-wrapper
    • Labels:
    • Environment:
      macOS >= 10.11


      Even if SIP is completely disabled as

      csrutil disable

      and even after resolution of CPP-1298
      binary files signed with "library-validation" would ignore our interceptor with a following warning:

      dyld: warning: could not load inserted library '/private/tmp/cpp/build-wrapper-macosx-x86/libinterceptor.dylib' into library validated process because no suitable image found.

      This warning can be safely ignored if such binaries are not compilers and do not change environment variables (set by build-wrapper) for child processes - in this case it has no effect on results of build-wrapper.

      Note that XCode 8 "xcodebuild" is signed with "library-validation", but does not change environment variables:

      $ /Applications/Xcode.app//Contents/Developer/usr/bin/xcodebuild -version
      Xcode 8.0
      Build version 8A218a
      $ codesign -dv /Applications/Xcode.app//Contents/Developer/usr/bin/xcodebuild 2>&1 | grep "library-validation"
      CodeDirectory v=20200 size=207 flags=0x2000(library-validation) hashes=4+2 location=embedded

      XCode 8 "clang" has no "library-validation":

      $ /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang --version
      Apple LLVM version 8.0.0 (clang-800.0.38)
      Target: x86_64-apple-darwin15.6.0
      Thread model: posix
      InstalledDir: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
      $ codesign -dv /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang 2>&1 | grep "library-validation"

      Binaries that usually used to change environment variables do not have "library-validation":

      $ sw_vers
      ProductName:	Mac OS X
      ProductVersion:	10.11.6
      BuildVersion:	15G1004
      $ codesign -dv /bin/sh 2>&1 | grep "library-validation"

      So for the time being there are no evidences that this warning affects results of build-wrapper, and hence can be safely ignored.


          Issue Links



              • Assignee:
                evgeny.mandrikov Evgeny Mandrikov
                evgeny.mandrikov Evgeny Mandrikov
              • Votes:
                1 Vote for this issue
                4 Start watching this issue


                • Created: