macOS 10.15 Catalina adds some security enforcement features, including strict signature checks for binaries.
On macOS, GateKeeper is your security buddy. It prevents your system to open malicious software and has been updated and strictened over the years.
In macOS 10.15 Catalina, any binary file loaded by a software is by default considered suspicious, especially if you download it from a web browser. Any downloaded file is put in quarantine by the system, by setting com.apple.quarantine
extended attribute. This applies to PHP extensions, materialized by .so
files (shared object files).
Issue description
If you have manually downloaded and installed the PHP probe, you may encounter the following issue when running PHP:
A system popup appears, displaying the following error message: "blackfire.so can't be opened because Apple cannot check it for malicious software"
Warning: PHP Startup: Unable to load dynamic library '/usr/local/Cellar/blackfire-php73/1.30.0/blackfire.so' (tried: /usr/local/Cellar/blackfire-php73/1.30.0/blackfire.so (dlopen(/usr/local/Cellar/blackfire-php73/1.30.0/blackfire.so, 9): no suitable image found. Did find:
/usr/local/Cellar/blackfire-php73/1.30.0/blackfire.so: code signature in (/usr/local/Cellar/blackfire-php73/1.30.0/blackfire.so) not valid for use in process using Library Validation: library load disallowed by system policy
/usr/local/Cellar/blackfire-php73/1.30.0/blackfire.so: stat() failed with errno=22), /usr/local/lib/php/pecl/20180731//usr/local/Cellar/blackfire-php73/1.30.0/blackfire.so.so (dlopen(/usr/local/lib/php/pecl/20180731//usr/local/Cellar/blackfire-php73/1.30.0/blackfire.so.so, 9): image not found)) in Unknown on line 0
Check the binary signature
You may check that the binary is the one we officially distribute by checking its signature and integrity, as described in Apple Code Sigining documentation, thanks to codesign
command.
This command confirms whether the code binaries are actually signed, the signature is valid, all the sealed components are unaltered, and the signature passes some basic consistency checks.
codesign -vvvv blackfire.so
The command above should output the following:
blackfire.so: valid on disk
blackfire.so: satisfies its Designated Requirement
Workarounds
The quick and easy way
-
With your terminal, go to the directory where you installed
blackfire.so
; -
Run
xattr blackfire.so
;
It should displaycom.apple.quarantine
; -
Run
xattr -d com.apple.quarantine blackfire.so
; -
You can now use PHP and Blackfire safely.
Using System Preferences
-
Go to System Preferences / Security and Privacy / General;
-
You will see a note saying that "blackfire.so is blocked from use because it is not from an identified developer";
-
Click on "Allow anyway" button;
-
Run PHP again;
-
The system popup will be displayed again, but now you have an "Open" button;
-
Click on "Open" button;
-
You can now use PHP and Blackfire safely;