macOS - library validation: library load disallowed by system policy

[stesap]

I followed the installation steps, did copy the nwrfcsdk to the standard path /usr/local/sap/nwrfcsdk and executed successfully the paths_fix.sh script.

Error

When I require node-rfc lib, a popup is shown with the following error message: “libsapnwrfc.dylib” is damaged and can’t be opened. You should move it to the Bin.

Console output

Error: dlopen(/Users/<user>/projects/rfc-node-test/node_modules/node-rfc/lib/binding/sapnwrfc.node,

1): Library not loaded: @rpath/libsapnwrfc.dylib
Referenced from: /Users/<user>/projects/rfc-node-test/node_modules/node-rfc/lib/binding/sapnwrfc.node

Reason: no suitable image found.  Did find:
/usr/local/sap/nwrfcsdk/lib/libsapnwrfc.dylib: code signature in (/usr/local/sap/nwrfcsdk/lib/libsapnwrfc.dylib) not valid for use in process using Library Validation: library load disallowed by system policy

[bsrdjan]

The click on "?" in a pop-up, shows a new pop-up:

SAP lib file is "corrupted" by fix script, changing @loader_path to @rpath, using Apple install_name_tool. After running the script, the lib signature is not valid any more:

$ codesign --verify libsapnwrfc.dylib
libsapnwrfc.dylib: invalid signature (code or signature have been modified)
In architecture: x86_64

It seems Apple security policy changed again, preventing the changed lib to be loaded. Which macOS version are you using?

I am on 10.15.4 but installed and "fixed" SAP 7.56 libs with older Darwin version. These libs still work for me but if I download and fix the same lib from SAP portal, I am getting the same error.

The funny thing is that downloaded and fixed libs, which do not work, are binary identical to currently working libs, showing the same invalid signature (only downloaded and fixed before).

As a workaround you can:

1. Replace modified nwrfcsdk libs, with SAP original libs, in /usr/local/nwrfcsdk folder

2. Fix sapnwrfc.node @rpaths to @loader_paths:

$ cd lib\binding
$ install_name_tool -change @rpath/libsapnwrfc.dylib @loader_path/libsapnwrfc.dylib sapnwrfc.node
$ install_name_tool -change @rpath/libsapucum.dylib @loader_path/libsapucum.dylib sapnwrfc.node 

To verify:

$ otool -L sapnwrfc.node                                                                                 (py380) master ✱
sapnwrfc.node:
        @rpath/sapnwrfc.node (compatibility version 0.0.0, current version 0.0.0)
        @loader_path/libsapnwrfc.dylib (compatibility version 0.0.0, current version 0.0.0)
        @loader_path/libsapucum.dylib (compatibility version 0.0.0, current version 0.0.0)
        /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 902.1.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1281.100.1)

3. Add $SAPNWRFC_HOME/lib to DYLD_FALLBACK_LIBRARY_PATH

$ export DYLD_FALLBACK_LIBRARY_PATH=$SAPNWRFC_HOME/lib

[bsrdjan]

The loader_path is apparently fixed in SAP NWRFC SDK and post-install script not required any more. The README is updated with simplified installation method: https://github.com/SAP/node-rfc#macos.

[bsrdjan]

More testing shows that DYLD env vars are purged in spawned child processes. The standard installation method in README works therefore for single processes only, which is practically unusable with NodeJS. Possible solutions are investigated together with NWRFC SDK experts.

[nitinsaroha]

I am facing the same problem. I am on macOS 10.15.5

[bsrdjan]

Please use NWRFC SDK PL5 if you have it.

[prakashpalanichennai]

If anyone getting the following issue in Mac, then please try the below option.

Error Reason: no suitable image found. Did find: /usr/local/sap/nwrfcsdk/lib/libsapnwrfc.dylib: code signature in (/usr/local/sap/nwrfcsdk/lib/libsapnwrfc.dylib) not valid for use in process using Library Validation: library load disallowed by system policy

Terminal sudo spctl --master-disable

This should enable the app from the undentified developers, please be aware that this relaxes the security & privacy settings of your Mac, so enable it with caution.

[yaoyuande]

Can you please give me the NWRFC SDK PL5 for mac os x,my Email Address is 754716208@qq.com. Thanks