ChartDirector Support

  Loading PHP extension on MacOS Catalina - code signing?
Posted by Steven on Feb-14-2020 02:04
Hello,

I can load the extension fine on Linux by editing php.ini but it's proving more challenging on MacOS Catalina (10.15.3). I received an error saying the extension is not code signed. I ad-hoc code signed it to see what happens and now receive this error.

Notice the "code signing blocked mmap()" message.

Warning: PHP Startup: Unable to load dynamic library '/path/to/phpchartdir730.dll' (tried: /path/to/phpchartdir730.dll (dlopen(/path/to/phpchartdir730.dll, 9): no suitable image found. Did find: /path/to/phpchartdir730.dll: code signing blocked mmap() of '/path/to/phpchartdir730.dll')

What's necessary for running PHP ChartDirector on MacOS Catalina? I'm using ChartDirector 6.0 and PHP 7.3.5.

Thank you.

  Re: Loading PHP extension on MacOS Catalina - code signing?
Posted by Peter Kwan on Feb-14-2020 14:31
Hi Steven,

Are you using the Apache/PHP that comes with Catalina, or are you using third party Apache/PHP?

In recent versions of macOS, the Apache/PHP that comes with macOS is classified as "platform binaries" for Apple. As "platform binaries", they can only load shared objects signed by Apple. That means it is impossible for the PHP included in Catalina to use any PHP extensions, except those that are released by Apple.

If you need to use any non-Apple PHP extensions, you must use a third party Apache/PHP (such as XAMPP), not the one that comes with macOS.

Note that if you download the shared objects from the Internet, macOS may mark the shared objects as untrusted and not allow them to be executed (even if they are loaded using the third party Apache/PHP). There are several methods to solve the problem. The suggested method is:

(a) Open a terminal shell, change to the directory that contains the downloaded tar.gz file, and do the following before extracting the files:

xattr -c chartdir_php_mac.tar.gz

(b) If you have already extracted the files out, you can change to the directory that contains the shared objects, and do:

xattr -c *.*

The "xattr -c" clears the untrusted mark, allowing the shared objects to be executed.

(Normally, the above can be avoided with an installer, but ChartDirector is not an end-user program and has no installer, so it has to be done manually.)

Regards
Peter Kwan

  Re: Loading PHP extension on MacOS Catalina - code signing?
Posted by Steven on Feb-14-2020 21:55
Hi Peter,

Thank you. I tried this but still have the same errors referencing code signing. I am using third-party nginx/PHP with the Local 5 app by Flywheel: https://localwp.com

xattr -c chartdir_php_mac.tar.gz

I see this error:

Warning: PHP Startup: Unable to load dynamic library 'path/to/phpchartdir730.dll' (tried: path/to/phpchartdir730.dll (dlopen(path/to/phpchartdir730.dll, 9): no suitable image found.  Did find: path/to/phpchartdir730.dll: code signature in (path/to/phpchartdir730.dll) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.), /Users/runner/runners/2.159.2/work/_temp/local-lightning-php/php-7.3.5/build/lib/php/extensions/no-debug-non-z in Unknown on line 05.3.3-alpha-47137

"not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed."

I tried ad-hoc signing it:

codesign --force --deep -s - "/path/to/phpchartdir730.dll"

Now the error is different:

Warning: PHP Startup: Unable to load dynamic library 'path/to/phpchartdir730.dll' (tried: path/to/phpchartdir730.dll (dlopen(path/to/phpchartdir730.dll, 9): no suitable image found.  Did find: path/to/phpchartdir730.dll: code signing blocked mmap() of 'path/to/phpchartdir730.dll'), /Users/runner/runners/2.159.2/work/_temp/local-lightning-php/php-7.3.5/build/lib/php/extensions/no-debug-non-zts-20180731/path/to/phpchar in Unknown on line 05.3.3-alpha-47137

"code signing blocked mmap()"

  Re: Loading PHP extension on MacOS Catalina - code signing?
Posted by Peter Kwan on Feb-15-2020 03:18
Hi Steven,

We have previously tested ChartDirector using XAMPP on Catalina and it works normally. I have just downloaded the Local by Flywheel application and tried it. It seems to be a distribution for WordPress development and it includes nginx and PHP.

What I found is that the PHP it uses is code signed in a way that only allows loading shared objects under certain conditions. (In macOS, when the code is signed, it can also include "entitlements" that specify what it can do, and what it cannot do.) I remember reading some Apple documentation that mentions that in some cases, the shared object has to be signed by the same party that signed the hosting executable. I am not sure if this is the case or if it is due to some other issue. In any case, there is one easy method to solve the problem. It is to unsign the PHP to remove the restriction. (As you probably know, except for "platform binaries", anyone can sign and unsign any executable he likes.)

I found that the Local app is using the fpm type of PHP located at:

/Applications/Local.app/Contents/Resources/extraResources/lightning-services/php-7.3.5+3/bin/darwin/sbin/php-fpm

To unsign it, shut down the Local app, then open a terminal shell, "cd" to the above directory, then issue:

codesign --remove-signature php-fpm

Then restart the Local app. In my case, it loads ChartDirector successfully.

For your information, almost all scripting languages included in macOS (such as Python, Perl, Ruby) do not have the mmap restrictions and can load ChartDirector normally. The Apache/PHP included in macOS is an exception in that it is classified as "platform binary", which is even more restrictive than mmap. I think removing the restriction should be OK as even many of Apple's own executables do not have this restriction, and as far as I know, the default PHP build (when you build directly from source) does not have this restriction.

Regards
Peter Kwan

  Re: Loading PHP extension on MacOS Catalina - code signing?
Posted by Steven on Feb-17-2020 22:01
Hi Peter,

I appreciate your detailed replies. When you test this are you able to see the ChartDirector PHP demo working? I am seeing the same error. I ran this without issue:

cd /Applications/Local.app/Contents/Resources/extraResources/lightning-services/php-7.3.5+3/bin/darwin/sbin;
codesign --remove-signature php-fpm

Then, I restarted the Local app and started the site. At this point I saw the warning mentioning code signing on the "WordPress Version" line for the site's overview in Local.

Screenshot: https://www.dropbox.com/s/8p1x2jgn76dxa5o/Screen%20Shot%202020-02-17%20at%207.40.35%20AM.png?dl=0

Warning: PHP Startup: Unable to load dynamic library '/path/to/phpchartdir730.dll' (tried: /path/to/phpchartdir730.dll (dlopen(/path/to/phpchartdir730.dll, 9): no suitable image found.  Did find: /path/to/phpchartdir730.dll: code signature in (/path/to/phpchartdir730.dll) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.), /Users/runner/runners/2.159.2/work/_temp/local-lightning-php/php-7.3.5/build/lib/php/extensions/no-debug-non-z in Unknown on line 05.3.3-alpha-47137

I re-downloaded ChartDirector PHP for Mac and ran xattr -c chartdir_php_mac.tar.gz on it before doing this.

  Re: Loading PHP extension on MacOS Catalina - code signing?
Posted by Steven on Feb-17-2020 22:06
Interesting. I confirmed php-fpm is in fact not code signed.

$ codesign -dv --verbose=4 php-fpm
php-fpm: code object is not signed at all

  Re: Loading PHP extension on MacOS Catalina - code signing?
Posted by Peter Kwan on Feb-18-2020 13:40
Hi Steven,

Sorry, the correct PHP to unsign should be at:

/Applications/Local.app/Contents/Resources/extraResources/lightning-services/php-7.3.5+3/bin/darwin/bin/php

The issue is "Library Validation". When an executable is code-signed, it can specify a list of "entitlements". If "Library Validation" is activated, it may only load shared objects signed by the same id that signed the host executable. If the host executable is not code-signed, there should not be "Library Validation".

When I did the testing a few days ago, I actually found four PHP executables in the Local app and they are all signed. (There are also other executables in the Local app but they are unsigned.) I tried many things and I thought I got it working when I unsigned the "darwin/sbin/php-fpm". But in fact it was the "darwin/bin/php" that I unsigned earlier.

Regards
Peter Kwan
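
A read-only way to find which host binary enforces Library Validation, and to tell apart the two dlopen() warnings quoted in this thread, added here as an example and not part of the original posts. The function names `lv_state` and `dlopen_cause` and their result labels are made up for this example; the `runtime` and `library-validation` flag names and the `com.apple.security.cs.disable-library-validation` entitlement key are what codesign reports, and the sample inputs in use are constructed.

```shell
#!/bin/sh
# Added example: triage helpers for the code-signing errors in this thread.
LV_KEY='com.apple.security.cs.disable-library-validation'

# lv_state DISPLAY ENTITLEMENTS
#   DISPLAY:      text printed by `codesign -dv --verbose=4 <binary>`
#   ENTITLEMENTS: XML printed by `codesign -d --entitlements :- <binary>`
# Prints one of: unsigned | enforced | relaxed | not-enforced
lv_state() {
  case "$1" in *"not signed at all"*) echo unsigned; return ;; esac
  # Pull the flag names out of a line such as "flags=0x10000(runtime)".
  flags=$(printf '%s\n' "$1" | sed -n 's/.*flags=0x[0-9a-fA-F]*(\([^)]*\)).*/\1/p' | head -n 1)
  ents=$(printf '%s' "$2" | tr -d ' \t\n')   # squeeze the plist onto one line
  case ",$flags," in
    # Explicit flag: reported as enforced; entitlements are not consulted
    # in this branch (an assumption of this example).
    *,library-validation,*) echo enforced ;;
    *,runtime,*)
      # Hardened runtime enables Library Validation unless the entitlement opts out.
      case "$ents" in
        *"<key>$LV_KEY</key><true/>"*) echo relaxed ;;
        *) echo enforced ;;
      esac ;;
    *) echo not-enforced ;;
  esac
}

# dlopen_cause WARNING: map the PHP startup warning to the state of the extension.
dlopen_cause() {
  case "$1" in
    *"has no cdhash"*)               echo extension-unsigned ;;
    *"code signing blocked mmap()"*) echo extension-signature-rejected ;;
    *)                               echo other ;;
  esac
}

# On macOS, pass the candidate host binaries as arguments to inspect them.
if [ "$#" -ge 1 ] && command -v codesign >/dev/null 2>&1; then
  for bin in "$@"; do
    d=$(codesign -dv --verbose=4 "$bin" 2>&1)
    e=$(codesign -d --entitlements :- "$bin" 2>/dev/null)
    printf '%s: %s\n' "$bin" "$(lv_state "$d" "$e")"
  done
fi
```

Run it against each PHP executable inside the application bundle; only a binary reported as `enforced` restricts which extensions can be loaded.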

  Re: Loading PHP extension on MacOS Catalina - code signing?
Posted by Steven on Feb-18-2020 22:48
Thank you, Peter. I have it working now. I appreciate you digging so deep for me.