Closed jeromelaban closed 1 year ago
I don't have a simple repro project, but a larger project, if that's useful.
Yes, please, anything we can use the reproduce this would be useful.
Here's the project csproj I'm using to get there, for catalyst specifically: https://github.com/unoplatform/calculator/blob/canaries/dev/src/Calculator.Mobile/Calculator.Mobile.csproj#L110-L144
my quick guess...
Publish a Catalyst app to TestFlight
It's a released (TestFlight) app and Catalyst requires the use of (full) AOT and static builds (unless a user .framework
is used).
Library not loaded: @executable_path/../MonoBundle/libSystem.IO.Compression.Native.dylib
In such case you should not have a .dylib
being referenced from the main native executable.
So having a security policy
error make sense - even if the exact error message is not very helpful to diagnose the issue.
Thanks @spouliot! I searched for some AOT options for catalyst, and assuming that it's closer to Xamarin.Mac, would AOTMode=All
be enough? (I'm currently trying it out, I'll report if it helps).
@jeromelaban I have not closely followed lately but it should be closer to the iOS settings/options since it shares the same restrictions (like requiring full AOT).
@rolfbjarne So from what I can see, the only configuration which enforces AOT is arm64, and in my case, it's an x64 build.
Are there options to build with AOT for both x64 and arm64?
I've tried forcing _RunAotCompiler
to true, but it's not helping and I'm getting the same runtime error. I'm using the maccatalyst-x64
RID.
I'm having some trouble reproducing the issue, but could you attach the .ipa you uploaded to Test Flight?
It would also be nice to have the exact commands to build the Mac Catalyst project from a clean checkout.
I also believe these properties might be able to work around the problem, can you try this and see if it works?
<_LibMonoLinkMode>Static</_LibMonoLinkMode>
<_LibXamarinLinkMode>Static</_LibXamarinLinkMode>
Thanks! I've tried again, and it does not seem to help (the AOT compiler is not being run). Here's a full binlog of what I'm trying to build: 14686-20220422-build.zip
Thanks! I've tried again, and it does not seem to help (the AOT compiler is not being run). Here's a full binlog of what I'm trying to build: 14686-20220422-build.zip
Those two properties won't run the AOT compiler, instead they will make the build use static (.a) libraries instead of dynamic (.dylib) libraries, so this won't happen:
Library not loaded: @executable_path/../MonoBundle/libSystem.IO.Compression.Native.dylib
because the dylib won't be there (and the main executable won't have a reference to it).
If the app still fails with these properties, please attach a new crash report.
Ah! Got it, thanks. I'll let the app through testflight and will let you know.
I am working on a MAUI .NET app and on MacCatalyst I have the same issue found here. I am guessing MAUI uses this under the hood for maccatalyst support.
The thing that started causing this was when I added an Entitlements.plist file to make it work with MSAL.
The file contains this:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>keychain-access-groups</key>
<array>
<string>$(AppIdentifierPrefix)$(CFBundleIdentifier)</string>
</array>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
</dict>
</plist>
The property group doing the signing:
<PropertyGroup Condition="$(TargetFramework.Contains('-mac')) and '$(Configuration)' == 'Release'">
<!-- <RuntimeIdentifier>ios-arm64</RuntimeIdentifier> -->
<!-- Only needed when you have a need for entitlements -->
<ProvisionType>Manual</ProvisionType>
<EnableAssemblyILStripping>false</EnableAssemblyILStripping>
<CodesignEntitlement>Entitlements.plist</CodesignEntitlement>
<CodesignKey>Apple Development: Your name</CodesignKey>
<CodesignProvision>Your provision</CodesignProvision>
</PropertyGroup>
Using static linking got it to build and run. Thanks!
The workaround did the trick for me as well, noting that forcing _RunAotCompiler
to true
has the effect of enabling IL stripping, causing all sorts of invalid IL execution errors.
I can now run a Catalyst app from TestFlight, thanks!
I've finally been able to reproduce the crash locally (no need to go through TestFlight).
Requirements for the crash:
Entitlements.plist
file (which may be empty).To be explicit, this crashes:
This does not crash:
Simplified test project: keychain_experiment-0b6e8a1.zip
To repro:
dotnet build *.csproj
dotnet run
Unfortunately I'm not quite sure what to do here.
I couldn't find any documentation from Apple (nor anywhere else) about the differences between the two types of provisioning profiles ("Mac" or "Mac Catalyst").
All in all Mac Catalyst apps are also Mac apps, so I would think that using the Mac provisioning profile should work just fine 🤷♂️.
The workaround might be the actual fix:
<_LibMonoLinkMode>Static</_LibMonoLinkMode>
<_LibXamarinLinkMode>Static</_LibXamarinLinkMode>
and we might decide to make this the default if this turns out to be a bigger problem (the downside of the workaround is that it might slow build times down a little bit).
For now I think we can just wait and see how important this is, and then maybe re-evaluate at a later point (say .NET 7).
This failed for me when I used a Mac provisioning profile:
@emorell96 they both show up as "macOS" there:
If you click on it, you'll see either "Mac" or "Mac Catalyst" for the "Configuration" field; that's the value I'm referring to.
@rolfbjarne yes I see that. How do you change it to macOS?
@emorell96 you have to create a new one, you can't change it.
I was running into this for publishing a .NET MAUI Mac Catalyst app. I can confirm that adding the below to your csproj works!
<_LibMonoLinkMode>Static</_LibMonoLinkMode>
<_LibXamarinLinkMode>Static</_LibXamarinLinkMode>
@rolfbjarne
I'm having trouble with this setup:
Termination Reason: DYLD namespace, missing code library 1
Library not loaded: '@executable_path/../MonoBundle/libempty-pkcs11-catalyst.dylib'
Referenced from: '/Users/USER/Desktop/"
Reason: tried: '' (no such file), (security policy does not allow @path expansion)
<NativeReference Include="Libs/libempty-pkcs11-catalyst.dylib">
<Kind>Dynamic</Kind>
<SmartLink>False</SmartLink>
</NativeReference>
@angelru have you tried changing your provisioning profile as described here: https://github.com/xamarin/xamarin-macios/issues/14686#issuecomment-1109808007?
@rolfbjarne
By adding:
<_LibMonoLinkMode>Static</_LibMonoLinkMode>
<_LibXamarinLinkMode>Static</_LibXamarinLinkMode>
I don't get this error when running the application:
Termination Reason: DYLD namespace, missing code library 1
Library not loaded: '@executable_path/../MonoBundle/libempty-pkcs11-catalyst.dylib'
Referenced from: '/Users/USER/Desktop/"
Reason: tried: '' (no such file), (security policy does not allow @path expansion)
<NativeReference Include="Libs/libempty-pkcs11-catalyst.dylib">
<Kind>Dynamic</Kind>
<SmartLink>False</SmartLink>
</NativeReference>
I have:
Developer ID
Create a Developer ID provisioning profile to use Apple services with your Developer ID signed applications
@angelru from that link it looks like you were able to figure things out?
@rolfbjarne
Yes, with this configuration I got it, but I don't know why this isn't in the documentation or in the visual studio mac options.
PropertyGroup Condition="'$(TargetFramework)' == 'net6.0-maccatalyst' and '$(Configuration)' == 'Release'">
<!-- for Mac Catalyst -->
<RuntimeIdentifiers>maccatalyst-x64;maccatalyst-arm64</RuntimeIdentifiers>
<ProvisionType>Manual</ProvisionType>
<EnableAssemblyILStripping>false</EnableAssemblyILStripping>
<CodesignEntitlement>Entitlements.plist</CodesignEntitlement>
<CodesignKey>CERTIFICATE</CodesignKey>
<CodesignProvision>PROFILE</CodesignProvision>
<UseHardenedRuntime>true</UseHardenedRuntime>
</PropertyGroup>
and:
`xcrun altool --notarize-app --primary-bundle-id "idapp" --username "appleid" --password "ovoz-yksu-wrwb-pgex" --file app.zip`
@jfversluis So where in the .csproj are this lines supposed to be added?
<_LibMonoLinkMode>Static</_LibMonoLinkMode>
<_LibXamarinLinkMode>Static</_LibXamarinLinkMode>
I tried adding them here but am getting the same error when running from TestFlight:
<PropertyGroup Condition="$(TargetFramework.Contains('-maccatalyst')) and '$(Configuration)' == 'Release'">
<MtouchLink>SdkOnly</MtouchLink>
<_LibMonoLinkMode>Static</_LibMonoLinkMode>
<_LibXamarinLinkMode>Static</_LibXamarinLinkMode>
I had the same issue, and indeed, the workaround worked for me.
@cdavidyoung here's is the project properties I have that might help you
<PropertyGroup Condition="'$(Configuration)|$(TargetFramework)|$(Platform)'=='Release|net7.0-maccatalyst|AnyCPU'">
<MtouchLink>SdkOnly</MtouchLink>
<EnableCodeSigning>True</EnableCodeSigning>
<EnablePackageSigning>true</EnablePackageSigning>
<CreatePackage>true</CreatePackage>
<CodesignEntitlements>Platforms\MacCatalyst\Entitlements.plist</CodesignEntitlements>
<!--https://github.com/xamarin/xamarin-macios/issues/14686-->
<_LibMonoLinkMode>Static</_LibMonoLinkMode>
<_LibXamarinLinkMode>Static</_LibXamarinLinkMode>
</PropertyGroup>
@kyurkchyan I have a few differences and am still unable to publish the MacCatalyst app:
<CreatePackage></CreatePackage>
<CodesignKey>Apple Distribution: Charles Young (83Q3M48Y8B)</CodesignKey>
<CodesignProvision>CacheAll MacCatalyst</CodesignProvision>
<PackageSigningKey>3rd Party Mac Developer Installer: Charles Young (...)</PackageSigningKey>
<UseInterpreter>true</UseInterpreter>
UseInterpreter turns out to be important: https://github.com/dotnet/maui/issues/13019
@kyurkchyan By chance do you also publish an iOS app?
@cdavidyoung I am just setting up a project, so it's just an empty MAUI app and I might not be facing the same issue as you are. Perhaps, you could post your full .csproj and I would try to compare it to mine to see any obvious differences?
@kyurkchyan if you are just getting started you probably won't run into the same issues until you actually try and publish an iOS or MacCatalyst app to the App Store. It is a convoluted process thanks to Apple (publishing to Samsung Galaxy and Microsoft Store is a breeze by comparison) and the Maui documentation is just not clear for me, especially because I am trying to publish both an iOS and MacCatalyst version of the same app: https://github.com/dotnet/docs-maui/issues/1403.
I have published the iOS app (CacheAll) but the MacCatalyst version has not been successful so far. I don't really want to put out my whole .csproj file until I am sure it is correct! I already pointed out some differences in the MacCatalyst release configuration: https://github.com/xamarin/xamarin-macios/issues/14686#issuecomment-1531414556
@cdavidyoung Got it man. I totally am with you with this... I know how an eye from a side might save the day :) BTW, whenever you find the issue, do not forget to post it here!
Requiring a different provisioning profile from developers is not ideal :(
Doing
$ file /Applications/Uno.Gallery.Mobile.app/Contents/MacOS/Uno.Gallery.Mobile`
/Applications/Uno.Gallery.Mobile.app/Contents/MacOS/Uno.Gallery.Mobile: Mach-O 64-bit executable x86_64
shows the application was build for x86_64.
Next doing
$ otool -l /Applications/Uno.Gallery.Mobile.app/Contents/MacOS/Uno.Gallery.Mobile
we see the following
...
Load command 14
cmd LC_LOAD_DYLIB
cmdsize 80
name @rpath/libSkiaSharp.framework/Versions/A/libSkiaSharp (offset 24)
...
Load command 44
cmd LC_RPATH
cmdsize 48
path @executable_path/../Frameworks/ (offset 12)
...
And, as expected, the .dylib
is present at the computed location.
ls -l /Applications/Uno.Gallery.Mobile.app/Contents/MacOS/../Frameworks/libSkiaSharp.framework/Versions/A/libSkiaSharp
-rwxr-xr-x 1 root wheel 6699488 17 Jun 00:47 /Applications/Uno.Gallery.Mobile.app/Contents/MacOS/../Frameworks/libSkiaSharp.framework/Versions/A/libSkiaSharp
and it match the application x86_64
architecture.
file /Applications/Uno.Gallery.Mobile.app/Contents/MacOS/../Frameworks/libSkiaSharp.framework/Versions/A/libSkiaSharp
/Applications/Uno.Gallery.Mobile.app/Contents/MacOS/../Frameworks/libSkiaSharp.framework/Versions/A/libSkiaSharp: Mach-O 64-bit dynamically linked shared library x86_64
security policy does not allow @ path expansion
points to security, like app-sandbox and hardened runtime.
Signed entitlements includes
{
"beta-reports-active" = 1;
"com.apple.application-identifier" = "PD74CHS9Z5.com.nventive.uno.gallery-canary";
"com.apple.developer.team-identifier" = PD74CHS9Z5;
"com.apple.security.app-sandbox" = 1;
"com.apple.security.network.client" = 1;
"get-task-allow" = 0;
}
security-hardening feature prevents a program from loading frameworks, plug-ins, or libraries unless they’re either signed by Apple or signed with the same Team ID as the main executable.
Looking at the .app I see different signers:
@rolfbjarne is not the CodeSign tasks resigning the frameworks ? (since it can remove extra architectures from the binaries)
note: OTOH I have no clue why a different provisioning profile would work...
I can't duplicate a build with different signatures, so it might be that the Mac App Store is resigning the app (the name suggests it) and not the included framework.
Still it does not make much sense (that macOS does not accept such different signature) but I could not find other cases (at least not with any useful info) for something that sounds like something common.
As for the provisioning profiles this gems comes from Quinn “The Eskimo!”
The whole maccatalyst prefix thing is an unfortunate misstep from the very early days of Mac Catalyst; I recommend that you avoid it when creating new projects.
Steps to Reproduce
Expected Behavior
Application starts up properly
Actual Behavior
Environment
15.2.303-rc.1.55
macos-11
Build Logs
I can provide a binlog on request.
Example Project (If Possible)
I don't have a simple repro project, but a larger project, if that's useful.