Opened 5 years ago
Last modified 5 years ago
#59101 new defect
Xcode 11 / hardened runtime require signed libraries
| Reported by: | MarkCallow (Mark Callow) | Owned by: | |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | |
| Keywords: | | Cc: | |
| Port: | | | |
Description
Xcode 11 recommends using the Hardened Runtime, which is required for "notarized" apps.
Without the Hardened Runtime apps could link with dylibs installed with MacPorts and, provided the user has those MacPorts packages installed, the app would run. With the HR all libraries must be signed. An app linked to a MacPort dylib will be aborted by dyld. There are 2 ways to make this work:
- Have MacPorts sign all the dylibs it installs.
- Copy the needed dylibs into the app bundle and sign the copy with the developer's certificate.
No. 2 is made very difficult because the "install names" of all the MacPorts libraries are absolute paths (/opt/local/lib/libfoo.dylib). This means you have to copy the library somewhere, change its install name with install_name_tool to @rpath/libfoo.dylib, link to that modified library, then copy it into the app bundle. It would be much easier if the library install names all used @rpath/libfoo.dylib.
I do not have enough background with MacPorts to know which solution, signing the dylibs or using @rpath, is more appropriate. I am opening this to make everyone aware of the issue. I'm also not sure whether to classify this as a defect or enhancement. I do not know how common it is for people to distribute apps that expect MacPorts ports to be in place.
Change History (2)
comment:1 Changed 5 years ago by jmroot (Joshua Root)
comment:2 Changed 5 years ago by ryandesign (Ryan Carsten Schmidt)
I don't think there's anything we can change in MacPorts in regard to this issue.
Unfortunately MacPorts does not have a Developer ID at this time. Even if it did, only prebuilt binaries could be signed with our ID. Anything built locally would need to use a certificate belonging to the user.
Note that the dylibbundler port can make option 2 easier.