OpenSSL 1.1 on OSX

Grahame Grieve grahame at healthintersections.com.au
Sat Nov 20 02:36:15 UTC 2021


>
>
> The problem is that symlinking doesn't work in this case. Sure, I can
> install OpenSSL, and then it works. For me. But I'm trying to distribute an
> application, and to do that on modern Macs, I need a hardened run time. And
> the rule for that is that all code your application uses must be signed
> either by you or by Apple.
>
>
>
> It is trivial to install OpenSSL-1.1.1 via MacPorts, and build/link an app
> with hardened run time against it.
>

Well, I'm sure it's due to my own deficiencies, but I'm not finding it at all
trivial to produce an app with a hardened run time that works with OpenSSL.


> Xcode offers an option to embed and sign the libraries you’re linking
> against.
>

Unfortunately, I'm not using Xcode, since I'm writing a cross-platform app.
That's ok - I figured out how to embed and sign the libraries myself.
Only... that wasn't enough in this specific case, because of a specific
OSX rule for OpenSSL.


> Another option is to state in the docs that this app depends on user
> installing MacPorts port “openssl11”.
>

Only, this is not an option. At least not experimentally, nor based on this:

"Hardened Runtime only allows executables to load code that has been
code-signed by the same team, or by Apple"

(https://developer.apple.com/forums/thread/112825 - not explicit Apple
documentation, but matches my testing)

Grahame
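
A pre-distribution check related to the rule quoted above, as an added example that is not part of the original message: it parses `otool -L` output and flags dependencies that resolve outside both the app bundle and the system library paths, such as a package-manager copy of libssl. The sample output, the app name and the `/opt/local/lib` path are constructed for illustration, and treating `/usr/lib/` and `/System/Library/` as Apple-signed is an assumption of this sketch.

```python
import re

# Constructed sample of `otool -L` output for a hypothetical app binary;
# the paths are illustrative and not taken from the original message.
SAMPLE_OTOOL = """\
MyApp.app/Contents/MacOS/myapp:
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1311.0.0)
\t/System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 60158.0.0)
\t@executable_path/../Frameworks/libcrypto.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
\t/opt/local/lib/libssl.1.1.dylib (compatibility version 1.1.0, current version 1.1.0)
"""

# Assumption: libraries under these prefixes ship with macOS and are Apple-signed.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")
# Install names resolved relative to the bundle at load time.
BUNDLE_PREFIXES = ("@executable_path/", "@loader_path/", "@rpath/")
# Dependency lines are indented; the first (unindented) line names the binary.
DEP_LINE = re.compile(r"^\s+(\S.*?)\s+\(compatibility version ")


def parse_dependencies(otool_output):
    """Return the install names listed by `otool -L`, skipping the header line."""
    deps = []
    for line in otool_output.splitlines():
        match = DEP_LINE.match(line)
        if match:
            deps.append(match.group(1))
    return deps


def classify(install_name):
    """Classify a dependency by where the loader will look for it."""
    if install_name.startswith(SYSTEM_PREFIXES):
        return "system"
    if install_name.startswith(BUNDLE_PREFIXES):
        return "bundled"   # still has to be signed by the app's own team
    return "external"      # e.g. a user-installed package-manager library


def external_dependencies(otool_output):
    """Dependencies that live outside the bundle and outside system paths."""
    return [d for d in parse_dependencies(otool_output) if classify(d) == "external"]


if __name__ == "__main__":
    for dep in parse_dependencies(SAMPLE_OTOOL):
        print(f"{classify(dep):9} {dep}")
```

The check is location-based only: a "bundled" result says nothing about whether the embedded library's signature is valid, which `codesign --verify` on the bundle would have to confirm.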

