Thursday, August 24, 2017

Lessons Learned While Building Security.framework


Security.framework provides many public APIs, including those for authentication, authorization, the keychain, codesigning, and cryptography. It is open source and included in every macOS release on Apple Open Source (AOS). Because it is covered by the Apple Open Source License, we are able to include it in the Darling source tree and distribute it. While the majority of projects on AOS are from BSD (with Apple's own modifications), a good deal of system frameworks are there for us to include in Darling, such as WebKit, WebCore, JavaScriptCore, Heimdal, and SmartCardServices. Using Apple's own code wherever possible is the fastest way to 100% compatibility. While Apple is still no champion of FLOSS by any means, this is a privilege we have that the WINE project does not, because Microsoft makes far less of its code open source.

Security dispatches its cryptography routines to CoreCrypto and CoreTLS (which also uses CoreCrypto). Both are sublibraries of libsystem. The original source of CoreTLS is APSL licensed and currently part of Darling. The source code of CoreCrypto is available from Apple's website, but it is released under a license that doesn't permit redistribution and requires you to delete it after 90 days, to name a few conditions. As a result, Darling has a few CoreCrypto functions reimplemented and the rest have stubs.

Building Security is not as simple as the ./configure && make && sudo make install that we sometimes take for granted. Security uses the proprietary Xcode as a build system. In order to make Security part of Darling, we had to observe as best we could how it is built by Xcode and reproduce the setup using CMake (Darling's build system of choice).

A screenshot of all the libraries that Security links to in Xcode. Some are static libraries that make up the source code of Security, some are shared libraries, and others are frameworks.

Lessons Learned

Just because it's Apple's code doesn't mean it's necessarily all good

Security's source code was full of incorrectly capitalized header names. This is because macOS uses case-insensitive HFS+ by default, so these problems went unnoticed until we tried building the source on ext4, a case-sensitive filesystem. Few people choose the case-sensitive variant of HFS+, and many software suites, including some by Adobe, flat-out refuse to be installed on case-sensitive HFS+. When APFS was announced as the default filesystem of the upcoming macOS 10.13 High Sierra, we were very disappointed that it will still be case-insensitive by default. This problem confirms that Apple uses case-insensitive filesystems for development.
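A check for this class of problem, as an added example that is not part of the original post or Darling's code: the Python script below scans a source tree for #include/#import directives whose file name matches a file on disk only when case is ignored. The file names in the demo tree are constructed, and only the final path component is compared.

```python
import os
import re
import tempfile

# Matches #include / #import with "..." or <...> (Objective-C uses #import).
INCLUDE_RE = re.compile(r'^\s*#\s*(?:include|import)\s*[<"]([^>"]+)[>"]', re.M)
SOURCE_EXTS = (".c", ".cpp", ".h", ".m", ".mm")

def index_files(root):
    """Map lower-cased file name -> set of exact file names found under root."""
    index = {}
    for _dirpath, _subdirs, files in os.walk(root):
        for name in files:
            index.setdefault(name.lower(), set()).add(name)
    return index

def find_case_mismatches(root):
    """Return sorted (source file, included path, name on disk) tuples for
    includes that would resolve only on a case-insensitive filesystem."""
    index = index_files(root)
    problems = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SOURCE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for inc in INCLUDE_RE.findall(text):
                base = inc.rsplit("/", 1)[-1]
                on_disk = index.get(base.lower(), set())
                # Files outside the tree (system headers) are not indexed and are skipped.
                if on_disk and base not in on_disk:
                    rel = os.path.relpath(path, root)
                    problems.append((rel, inc, sorted(on_disk)[0]))
    return sorted(problems)

def demo():
    """Build a constructed two-file tree (hypothetical names) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "SecExample.h"), "w") as fh:
            fh.write("#pragma once\n")
        with open(os.path.join(root, "consumer.c"), "w") as fh:
            fh.write('#include "secexample.h"\n#include "SecExample.h"\n#include <stdio.h>\n')
        return find_case_mismatches(root)

if __name__ == "__main__":
    for src, inc, actual in demo():
        print(f"{src}: includes {inc!r}, file on disk is {actual!r}")
```

Run on a case-sensitive filesystem or a case-insensitive one, the result is the same, because the script compares the names stored in the directory entries rather than asking the filesystem to resolve the path.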

Crazy setups might exist for a hidden reason

In this case, it was a bad reason. When we finished getting all the static libraries in Security to build and went to link them together, a confusing issue manifested: the link failed due to duplicate symbols. We double- and triple-checked the macros, compile flags, and source file lists, yet despite having the exact same setup as what was in Xcode, the issue remained. Later on, we discovered that this was caused by Dead Symbol Stripping being enabled by default in Xcode, and Security literally won't link without it. It was initially overlooked because only the manually specified compile options in Xcode were copied over, and it was assumed that all the necessary defaults in Xcode would be the same as what clang and Apple's linker ld64 also default to.

Sometimes it is better to start over

We originally started out with Security-57337.20.44, a version of the framework from Mac OS X 10.11.3. This version turned out to be more difficult to build than the latest from macOS 10.12.4 (Security-57740.51.3) because, some time between those releases, Apple refactored Security to use fewer individual Xcode project files, so we only had to dig through a few instead of one per sub-library. This newer version also made less use of macros. Combined, these factors made it easier to create a build system for the newer version of Security.


  1. Just wanted to say that this is a very cool project! I wish you all the best of luck.

  2. This comment has been removed by the author.

  3. Are you sure you can mix Apple Public Source License with GPLv3?

    maloader got some modifications
    (NOTE: The developer removed the GPLv3 license from the codebase. From what I know, that isn't allowable)

  4. Love the project concept. If this works out it'll definitely make it easier to convince more people to switch to Linux since most games and apps made for windows are also on macOS and that way people won't have to deal with lack of programs. Hopefully it ends up more stable than wine. On the surface it looks like that should be the case since macOS and Linux share a common ancestor. But what do I know? I'm not a dev. Kudos on the project though!
