Code signing issue with third party lib
In my application, I have a relatively long chain of libs that call each other, and since Yosemite some of its functionality is broken due to code spoofing issues. It all worked great for Maverics.
My cocoa application uses Java to run a separate piece of code that is required to access the java library (hbci4java.jar). This library then uses jni to call the dylib wrapper that I provide to access the system's PCSC.framework (smart card).
Since Yosemite doesn't work anymore, maybe because of this:
10/28/14 15: 29: 17 096 com.apple.ctkpcscd [40978]: abandoning the PCSC.framework sandbox without the com.apple.security.smartcard privilege
So far so easy. I added this smartcard entitlement to app entitlements as well as the ones I have for java (there is a separate java.entitlements file) - to no avail.
I am now stuck, not knowing how to proceed. The right to use smartcards is not mentioned anywhere, so I don't know what to actually install (I used bool and YES) or where it should be installed.
Can I add the right to a third party library? I would like to try adding it to the dylib wrapper (which is signed by me) to see if it can properly access the PCSC.framework?
source to share
As it turns out, this is a very special problem using the dylib smartcard. Apple decided not to allow access to it outside of the signed application (which is a nuisance during development, we only sign the application during the deployment phase). Signing the java binaries (jar + dylib) didn't make any difference, but no permissions + signing at all for the Java files we got next (no issue signing subcomponents).
Another issue that comes into play here is that it looks like the inheritance of the smart card right is not working (which makes it ineffective for sandboxed applications). However, with a simple clean cocoa application, smart card access works, so we need a different solution (perhaps moving the access layer for the smart card into the application and communicating with the Java part via callbacks).
source to share
I think this link is the source you should read if you are looking at code spoofing issues. There is one advertisement for third party libraries:
Apple uses the industry-standard form and format of code signing certificates. Therefore, if your company already has a third-party signing identity that you use to sign code on other systems, you can use it with the OS X codesign command. Similarly, if your company is a certificate issuing authority, contact your IT department to find out how to get a signing certificate issued by your company.
And here is an explanation of the rights and signatures under the "under the hood". I found it very informative and thought it might benefit you.
http://www.raywenderlich.com/2915/ios-code-signing-under-the-hood
If this information does not answer your question exactly, I hope it at least gets you on the right track. Hooray!
source to share