search

open-eid / osx-installer

macOS installer
GNU Lesser General Public License v2.1
26 stars 8 forks source link

Included OpenSC tool (pkcs11-tool) is not usable #36

Closed martinpaljak closed 5 years ago

martinpaljak commented 5 years ago

I can't change the installation, as it would break ID-card support.

$ codesign -dv --verbose=4  /Library/OpenSC/bin/pkcs11-tool
Executable=/Library/OpenSC/bin/pkcs11-tool
Identifier=pkcs11-tool
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=15383 flags=0x10000(runtime) hashes=475+2 location=embedded
VersionPlatform=1
VersionMin=658176
VersionSDK=658944
Hash type=sha256 size=32
CandidateCDHash sha1=f03317844239f6379b57790d3197cd52840071e8
CandidateCDHash sha256=441e05ea6452b98b10e39300c00be1b3cb48f07e
Hash choices=sha1,sha256
Page size=4096
CDHash=441e05ea6452b98b10e39300c00be1b3cb48f07e
Signature size=9029
Authority=Developer ID Application: Riigi Infosüsteemi Amet (ET847QJV9F)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=21 Jun 2019 at 12:51:04
Info.plist=not bound
TeamIdentifier=ET847QJV9F
Runtime Version=10.14.0
Sealed Resources=none
Internal requirements count=1 size=172

Using the tool with PKCS#11 modules not signed by "Developer ID Application: Riigi Infosüsteemi Amet (ET847QJV9F)" results in error:

$ pkcs11-tool --module /Library/CardPipes/librpkcs11.dylib  -I
sc_dlopen failed: dlopen(/Library/CardPipes/librpkcs11.dylib, 1): no suitable image found.  Did find:
    /Library/CardPipes/librpkcs11.dylib: code signature in (/Library/CardPipes/librpkcs11.dylib) not valid for use in process using Library Validation: mapping process and mapped file (non-platform) have different Team IDs
error: Failed to load pkcs11 module
Aborting.

And the default pkcs11-tool is the one installed by this installer.

$ which pkcs11-tool
/usr/local/bin/pkcs11-tool
$ ls -l /usr/local/bin/pkcs11-tool 
lrwxr-xr-x  1 root  admin  31 18 Sep 09:38 /usr/local/bin/pkcs11-tool -> /Library/OpenSC/bin/pkcs11-tool

There is simple workaround: use a different pkcs11-tool build or re-sign the tool or module (if you are a developer) but the proper solution is to distribute 3rd party tools in a way that doesn't cripple them. The fix is signing tools that load 3rd party modules (like pkcs11-tool loading PKCS#11 modules) with:

https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_disable-library-validation

kristelmerilain commented 5 years ago

Fixed in 19.10 release.