macOS built libraries do not specify SDK version

Bug #1944786 reported by Vachik
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
lxml | New | Undecided | Unassigned |

Bug Description

Installed the latest wheel on Python 3.8.10 on macOS

lxml-4.6.3-cp38-cp38-macosx_10_9_x86_64.whl

and tried to codesign the .so libraries packaged into the application bundle using PyInstaller.
Notice the warning below:

Library validation warning=OS X SDK version before 10.9 does not support Library Validation

And the output shows the SDK version as 9.4.1.
This needs to be at minimum 10.9 to ensure that Apple's notarization service can check and notarize the application.

Otherwise the errors from the notary service:
  "issues": [
    {
      "severity": "error",
      "code": null,
      "path": "Agent.app/Contents/MacOS/lxml/etree.cpython-38-darwin.so",
      "message": "The binary uses an SDK older than the 10.9 SDK.",
      "docUrl": null,
      "architecture": "x86_64"
    },
    {
      "severity": "error",
      "code": null,
      "path": "Agent.app/Contents/MacOS/lxml/objectify.cpython-38-darwin.so",
      "message": "The binary uses an SDK older than the 10.9 SDK.",
      "docUrl": null,
      "architecture": "x86_64"
    }

% codesign -dvvvv objectify.cpython-38-darwin.so
Executable=/.../path/.../objectify.cpython-38-darwin.so
Identifier=objectify.cpython-38-darwin
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=26388 flags=0x2(adhoc) hashes=819+2 location=embedded
*********!!!!!!!!!!!!!!
Library validation warning=OS X SDK version before 10.9 does not support Library Validation

VersionPlatform=1
VersionMin=657664 <<<< ------ min macOS version = 10.9
VersionSDK=590849 <<<< ------ macOS SDK version 9.4.1 ???
*********!!!!!!!!!!!!!
Hash type=sha256 size=32
CandidateCDHash sha1=94a7a5f55763d9fa77bd0cb2b690abb2b3adc8df
CandidateCDHashFull sha1=94a7a5f55763d9fa77bd0cb2b690abb2b3adc8df
CandidateCDHash sha256=94b089c7c2be9d87c57448e8b5d1eea52a987335
CandidateCDHashFull sha256=94b089c7c2be9d87c57448e8b5d1eea52a98733540b7a287518910d40d9efb62
Hash choices=sha1,sha256
CMSDigest=0cfc8bd5b35e68c3b40607e7c9d7a5f74faa723400751b0479baeaf150046eec
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=2920448
Executable Segment flags=0x0
Page size=4096
CDHash=94b089c7c2be9d87c57448e8b5d1eea52a987335
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12

Vachik (vachooho) wrote :

Interesting, the other .so files in the package are compiled correctly, so the issue applies only to the 2 modules mentioned above, etree and objectify...

% codesign -dvvvv ./Agent.app/Contents/MacOS/lxml/sax.cpython-38-darwin.so
Executable=Agent.app/Contents/MacOS/lxml/sax.cpython-38-darwin.so
Identifier=sax.cpython-38-darwin
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=1825 flags=0x10000(runtime) hashes=51+2 location=embedded
VersionPlatform=1
VersionMin=657664
VersionSDK=658688
Hash type=sha256 size=32
CandidateCDHash sha1=97baab735b4e9e93cf2c7e45be37105172e586fb
CandidateCDHashFull sha1=97baab735b4e9e93cf2c7e45be37105172e586fb
CandidateCDHash sha256=de5e948fc999327095751d4837a3bf7e33e20ec2
CandidateCDHashFull sha256=de5e948fc999327095751d4837a3bf7e33e20ec27631f3ce88e66d813ab45f16
Hash choices=sha1,sha256
CMSDigest=fddb014892c740ed0544015fd39702d67c87ec75f6f4a7fb414218176fc21777
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=131072
Executable Segment flags=0x0
Page size=4096
CDHash=de5e948fc999327095751d4837a3bf7e33e20ec2
Signature size=9200
Authority=***************************
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=Sep 24, 2021 at 11:03:15 AM
Info.plist=not bound
TeamIdentifier=*********
Runtime Version=10.13.0
Sealed Resources=none
Internal requirements count=1 size=196
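
Added example (not part of the original report or of lxml): a pre-notarization check that decodes the packed VersionMin/VersionSDK integers printed by codesign -dvvvv and flags binaries whose SDK is below the 10.9 threshold named in the notary error. The function names are assumptions of this example; the sample text is excerpted from the two codesign outputs above.

```python
import re

MIN_SDK = (10, 9, 0)  # threshold quoted in the notary service error

def decode_version(packed: int) -> tuple:
    """Unpack Mach-O X.Y.Z: major in the high 16 bits, minor and patch in 8 bits each."""
    return (packed >> 16, (packed >> 8) & 0xFF, packed & 0xFF)

def check_codesign_output(text: str, min_sdk: tuple = MIN_SDK) -> dict:
    """Parse `codesign -dvvvv` text and report whether the SDK meets min_sdk."""
    # \d+ stops before any trailing annotation on the line.
    found = dict(re.findall(r"^Version(Min|SDK)=(\d+)", text, re.MULTILINE))
    if "SDK" not in found:
        # No VersionSDK line: treat as a failure rather than passing silently.
        return {"min_os": None, "sdk": None, "sdk_ok": False}
    sdk = decode_version(int(found["SDK"]))
    min_os = decode_version(int(found["Min"])) if "Min" in found else None
    return {"min_os": min_os, "sdk": sdk, "sdk_ok": sdk >= min_sdk}

def fmt(version) -> str:
    """Render a decoded version tuple as dotted text."""
    return "unknown" if version is None else ".".join(map(str, version))

# Lines excerpted from the two codesign outputs on this page.
OBJECTIFY = """Identifier=objectify.cpython-38-darwin
VersionPlatform=1
VersionMin=657664
VersionSDK=590849
"""
SAX = """Identifier=sax.cpython-38-darwin
VersionPlatform=1
VersionMin=657664
VersionSDK=658688
"""

if __name__ == "__main__":
    for name, out in (("objectify", OBJECTIFY), ("sax", SAX)):
        r = check_codesign_output(out)
        verdict = "ok" if r["sdk_ok"] else "SDK too old for notarization"
        print(f"{name}: min OS {fmt(r['min_os'])}, SDK {fmt(r['sdk'])} -> {verdict}")
```

Running the same check over every .so in a bundle before submission surfaces the affected modules without a round trip to the notary service.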
