Godot 4.2.1.mono: "Game.dylib" can't be opened because Apple cannot check it for malicious software

[Ciel1996]

Tested versions

• Reproducible in 4.2.1.mono [b09f793], I haven't tried it on other projects and versions of Godot yet, but will if you ask me to

System information

Godot v4.2.1.stable.mono - macOS 14.4.1 - Vulkan (Forward+) - integrated Apple M1 - Apple M1 (8 Threads)

Issue description

Hi all

I've been struggling for a couple of days now to get my game working after I uploaded it to App Store Connect and downloading it via Test Flight.

The export to macOS App Store Connect works fine and as expected, however, after downloading and running the game via Test Flight, I get the following error (I can click either button, the game will not crash, until later):

I assume this is related to .NET 8 (with AOT, I tried without AOT before, but it was basically the same issue, I asked on the Discord, but I'm pretty sure I've either found a bug or did overlook something in the docs by now.)

From what little information I can gather is that "Art-Race.dylib" is created into a "Caches" Folder at "/Users/{user}/Library/Containers/{BundleIdentifier}/Data/Library/Caches" after I start the app. The .dylib is adhoc signed and I suspect that Apple can't check it for malicious software because of this:

Executable=/Users/{user}/Library/Containers/{BundleIdentifier}/Data/Library/Caches/data_Art-Race_macos_arm64/Art-Race.dylib
Identifier=Art-Race.dylib
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=138567 flags=0x20002(adhoc,linker-signed) hashes=4327+0 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements=none

The game launches fine after I dismiss the popup (it appears twice btw). But the moment I click a button which triggers .NET code to be run, the game crashes.

When running the game from terminal I get this on startup until I click the button that causes the crash:

.NET: Initializing module...
ERROR: Can't open dynamic library: /Users/{user}/Library/Containers/{BundleIdentifier}/Data/Library/Caches/data_Art-Race_macos_arm64/Art-Race.dylib.
 Error: dlopen(/Users/{user}/Library/Containers/{BundleIdentifier}/Data/Library/Caches/data_Art-Race_macos_arm64/Art-Race.dylib, 0x0002):
  tried: '/Users/{user}/Library/Containers/{BundleIdentifier}/Data/Library/Caches/data_Art-Race_macos_arm64/Art-Race.dylib' (code signature in <{UUIDv3}> 
  '/Users/{user}/Library/Containers/{BundleIdentifier}/Data/Library/Caches/data_Art-Race_macos_arm64/Art-Race.dylib' not valid for use in process: library load disallowed by system policy),
  '/System/Volumes/Preboot/Cryptexes/OS/Users/{user}/Library/Containers/{BundleIdentifier}/Data/Library/Caches/data_Art-Race_macos_arm64/Art-Race.dylib' (no such file), 
  '/Users/{user}/Library/Containers/{BundleIdentifier}/Data/Library/Caches/data_Art-Race_macos_arm64/Art-Race.dylib' (code signature in <{UUIDv3}> 
  '/Users/{user}/Library/Containers/{BundleIdentifier}/Data/Library/Caches/data_Art-Race_macos_arm64/Art-Race.dylib' not valid for use in process: library load disallowed by system policy).
   at: open_dynamic_library (platform/macos/os_macos.mm:234)
ERROR: .NET: Failed to load hostfxr
   at: initialize (modules/mono/mono_gd/gd_mono.cpp:399)
`

My .csproj:

<Project Sdk="Godot.NET.Sdk/4.2.1">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
    <TargetFramework Condition=" '$(GodotTargetPlatform)' == 'android' ">net7.0</TargetFramework>
    <TargetFramework Condition=" '$(GodotTargetPlatform)' == 'ios' ">net8.0</TargetFramework>
    <EnableDynamicLoading>true</EnableDynamicLoading>
    <RootNamespace>ArtRace</RootNamespace>
    <PublishAot>true</PublishAot>
  </PropertyGroup>

  <ItemGroup>
    <!-- Root the assemblies to avoid trimming. -->
    <TrimmerRootAssembly Include="GodotSharp" />
    <TrimmerRootAssembly Include="$(TargetName)" />
  </ItemGroup>
</Project>

Steps to reproduce

1. Export successfully for App Store Distribution (my game required both Network Server and Network Client entitlements in sandboxed mode)
2. Upload to App Store Connect via Transporter
3. Download the game using Test Flight
4. Start the game

Minimal reproduction project (MRP)

I will provide an MRP as soon as possible and required. Maybe somebody did already solve this problem. :)

[bruvzg]

Seems like .Net export is packing native libs to the PCK and extracting it in runtime, this is probably the reason lib is not signed correctly (but it should not be done in general, all libs should be inside bundle). I guess it was never detected before, since ad-hoc signed libs will work on the machine they were built.

godot/modules/mono/godotsharp_dirs.cpp

Lines 173 to 174 in 0c6b5ef

	// The dotnet publish data is packed in the pck/zip.
	String data_dir_root = OS::get_singleton()->get_cache_path().path_join("data_" + appname_safe + "_" + platform + "_" + arch);

[Ciel1996]

Interesting enough I'm having the issue on the same machine I'm building and shipping the game from. Sorry I didn't mention that.

[bruvzg]

This seems to be the issue only if embed build outputs is selected in the export options (disabled by default), so fixing should be as simple as removing this option for macOS.

[Ciel1996]

So it should work if I disable it now? I'll give it a try :)

[Ciel1996]

It does indeed not show an error message when starting the app.

However it still crashes when clicking the button.

Also when running via terminal (from *.app/Contents/MacOS using option --verbose), I still get this:

ERROR: Can't open dynamic library: /Applications/dmArtRace.app/Contents/Resources/data_Art-Race_macos_arm64/Art-Race.dylib. Error: dlopen(/Applications/dmArtRace.app/Contents/Resources/data_Art-Race_macos_arm64/Art-Race.dylib, 0x0002): tried: '/Applications/dmArtRace.app/Contents/Resources/data_Art-Race_macos_arm64/Art-Race.dylib' (code signature invalid in <{UUIDv3}> '/Applications/dmArtRace.app/Contents/Resources/data_Art-Race_macos_arm64/Art-Race.dylib' (errno=1) sliceOffset=0x00000000, codeBlobOffset=0x010E6C30, codeBlobSize=0x0003BA80), '/System/Volumes/Preboot/Cryptexes/OS/Applications/dmArtRace.app/Contents/Resources/data_Art-Race_macos_arm64/Art-Race.dylib' (no such file), '/Applications/dmArtRace.app/Contents/Resources/data_Art-Race_macos_arm64/Art-Race.dylib' (code signature invalid in <{UUIDv3}> '/Applications/dmArtRace.app/Contents/Resources/data_Art-Race_macos_arm64/Art-Race.dylib' (errno=1) sliceOffset=0x00000000, codeBlobOffset=0x010E6C30, codeBlobSize=0x0003BA80).
   at: open_dynamic_library (platform/macos/os_macos.mm:234)
ERROR: .NET: Failed to load hostfxr
   at: initialize (modules/mono/mono_gd/gd_mono.cpp:399)

Seems like now the .dylib is not included it all.

I've exported the game with these dotnet settings:

I'm going for another try without anything set here. :)

[bruvzg]

There might be another issue with code singing ignoring files not it Frameworks as well.

[Ciel1996]

Oddly enough the files are there:

[bruvzg]

There might be another issue with code singing ignoring files not it Frameworks as well.

No, signatures seems to be perfectly fine. I do not see any issues with disabled embedding. Might be something wrong specifically with .Net 8 AOT (I can't get it to run in any conditions, .Net 6 w/o AOT seems to be working fine), or it's App Store / Test Flight doing something with signatures.

[Ciel1996]

.NET 6 without AOT and with disabled embedding gives me this error when uploading to App Store Connect using Transporter:

[Ciel1996]

.NET 6 without AOT and with disabled embedding gives me this error when uploading to App Store Connect using Transporter:

I also tried .NET 8 without AOT and get the same issue. Seems like exporting for App Store Connect does only work with AOT enabled.