Reputation: 2007
Zoom for Mac 4.6.9, which addresses scary security flaws, removes the disable-library-validation entitlement.
With the same release, Snap Camera, a virtual webcam app, stopped working.
I'm not familiar with the particular APIs you use to build a virtual webcam, but it looks like it involves CoreMediaIO
plugins:
Creating a Virtual Webcam Device for OS X
> otool -L /Library/CoreMediaIO/Plug-Ins/DAL/SnapCamera.plugin/Contents/MacOS/SnapCamera
/Library/CoreMediaIO/Plug-Ins/DAL/SnapCamera.plugin/Contents/MacOS/SnapCamera:
libSnapCamera.dylib (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1452.23.0)
/System/Library/Frameworks/CoreMedia.framework/Versions/A/CoreMedia (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/CoreMediaIO.framework/Versions/A/CoreMediaIO (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/CoreVideo.framework/Versions/A/CoreVideo (compatibility version 1.2.0, current version 1.5.0)
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1452.23.0)
/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
/System/Library/Frameworks/IOSurface.framework/Versions/A/IOSurface (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.50.4)
Out of curiosity, I tried a couple other virtual webcams -- Iriun Webcam and EpocCam –- and they behave similarly. Both have CoreMediaIO plugins, and neither works with recent Zoom.
All three virtual cameras work in Microsoft Teams, which has the entitlement:
> codesign -d --entitlements :- /Applications/Microsoft\ Teams.app/ |grep valid
Executable=/Applications/Microsoft Teams.app/Contents/MacOS/Teams
<key>com.apple.security.cs.disable-library-validation</key>
They also work in Google Chrome (on this test page). It looks like at least one of Chrome's helpers has the entitlement:
codesign -d --entitlements :- /Applications/Google\ Chrome.app/Contents/Frameworks/Google\ Chrome\ Framework.framework/Versions/81.0.4044.92/Helpers/Google\ Chrome\ Helper\ \(Plugin\).app
Executable=/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/81.0.4044.92/Helpers/Google Chrome Helper (Plugin).app/Contents/MacOS/Google Chrome Helper (Plugin)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>
I've also noticed that the plugin appears in Activity Monitor's Open Files and Ports for a couple processes belonging to Teams and Chrome. (/Library/CoreMediaIO/Plug-Ins/DAL/SnapCamera.plugin/Contents/MacOS/SnapCamera
)
How do CoreMedia Virtual Webcam plugins work, and do they inherently conflict with Library Validation? (e.g., loading a library into the camera-using process in a way that's no longer permitted)
Is it no longer possible to create Virtual Webcams on MacOS without running afoul of Hardened Runtime?
Update 4/19: Zoom's changelog for 4.6.10 now says "Zoom has temporarily removed virtual camera support.". It'll be interesting see see if/how they reenable it. (perhaps limiting the entitlement to a helper process that's only used when needed?)
Upvotes: 16
Views: 6098
Reputation: 1
To restore ecamm.com iGlasses virtual cam functionality in MS Teams, had previously removed just this code signature:
sudo codesign --remove-signature /Applications/Microsoft Teams.app/Contents/Frameworks/Microsoft\ Teams\ Helper.app
as per: https://support.ecamm.com/en/articles/4343963-virtual-camera-missing-after-microsoft-teams-update
But with latest (MacOS 10.15.7, MS Teams 1.00.326266), in my case, I found that removing two more code signatures, as per https://stackoverflow.com/users/14049551/tatorpitt, was necessary before iGlasses functionality was restored:
sudo codesign --remove-signature /Applications/Microsoft\ Teams.app
sudo codesign --remove-signature /Applications/Microsoft\ Teams.app/Contents/MacOS/Teams
Upvotes: 0
Reputation: 1
Had the same issue with Teams and EpocCamHD; three components you have to remove code signing from:
sudo codesign --remove-signature /Applications/Microsoft\ Teams.app
sudo codesign --remove-signature /Applications/Microsoft\ Teams.app/Contents/MacOS/Teams
sudo codesign --remove-signature /Applications/Microsoft Teams.app/Contents/Frameworks/Microsoft\ Teams\ Helper.app
Upvotes: 0
Reputation: 61
I had the same problem with Microsoft Skype for MacOS (8.61.0.95) on Catalina 10.15.5
I was able to fix this by going to
cd /Applications/Skype.app/Contents/Frameworks
and then removing the signatures for all the .app parts of Skype, i.e.
codesign --remove-signature Skype\ Helper.app
codesign --remove-signature Skype\ Helper\ \(GPU\).app
codesign --remove-signature Skype\ Helper\ \(Plugin\).app
codesign --remove-signature Skype\ Helper\ \(Renderer\).app
Afterwards, restart Skype.
Now in the Settings, when you select the Camera, you should see CamTwist and CamTwist (2VUY) appear.
Similar fix works with zoom:
codesign --remove-signature /Applications/zoom.us.app\
Upvotes: 5