macos pkcs11-tool not load YubiKey module

[Andrysky]

Problem Description / Steps to reproduce

opensc-tool --version
OpenSC-0.21.0, rev: 3018098, commit-time: 2020-11-24 10:12:21 +0100

opensc-tool -l   
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico YubiKey OTP+FIDO+CCID

pkcs11-tool --module /usr/local/lib/libykcs11.dylib -L 
sc_dlopen failed: dlopen(/usr/local/lib/libykcs11.dylib, 1): no suitable image found.  Did find:
	/usr/local/lib/libykcs11.dylib: code signature in (/usr/local/lib/libykcs11.dylib) not valid for use in process using Library Validation: mapping process and mapped file (non-platform) have different Team IDs
error: Failed to load pkcs11 module
Aborting.

macos 10.15.7 (19H114)
yubico-piv-tool 2.1.1

Logs

debug = 3; - not work for pkcs11-tool 

[frankmorgner]

A possible solution could be to disable binary verification for the commandline tools. However, I'm not sure if there's a better solution which allows loading a third party PKCS#11 module with that security check in place.

[Andrysky]

what I understood correctly - is the yubikey module unsigned? or your?

[frankmorgner]

open-eid/osx-installer#36 indicates that pkcs11-tool should be signed with disabled binary verification to fix this problem

[gdbelvin]

pkcs11-tool is signed and yubihsm_pkcs11.dylib is signed but with a different teamID

➜  hsm-test-ca codesign --verify --deep --strict --verbose=2 `which pkcs11-tool`
/usr/local/bin/pkcs11-tool: valid on disk
/usr/local/bin/pkcs11-tool: satisfies its Designated Requirement
➜  hsm-test-ca codesign --verify --deep --strict --verbose=2 /usr/local/lib/pkcs11/yubihsm_pkcs11.dylib
/usr/local/lib/pkcs11/yubihsm_pkcs11.dylib: valid on disk
/usr/local/lib/pkcs11/yubihsm_pkcs11.dylib: satisfies its Designated Requirement
➜  hsm-test-ca codesign --verify --deep --strict --verbose=2 /usr/local/lib/libykcs11.dylib
/usr/local/lib/libykcs11.dylib: code object is not signed at all
In architecture: x86_64

pkcs11-tool --module  /usr/local/Cellar/p11-kit/0.23.22/lib/pkcs11/yubihsm_pkcs11.dylib  -l --pin 0001password -O
sc_dlopen failed: dlopen(/usr/local/Cellar/p11-kit/0.23.22/lib/pkcs11/yubihsm_pkcs11.dylib, 1): no suitable image found.  Did find:
	/usr/local/Cellar/p11-kit/0.23.22/lib/pkcs11/yubihsm_pkcs11.dylib: code signature in (/usr/local/Cellar/p11-kit/0.23.22/lib/pkcs11/yubihsm_pkcs11.dylib) not valid for use in process using Library Validation: mapping process and mapped file (non-platform) have different Team IDs
error: Failed to load pkcs11 module
Aborting.

[Andrysky]

why does ssh work with libykcs11.dylib without problems?

[dengert]

Your last example is using p11-kit which has its own set of modules. Try using pkcs11-tool without p11-kit.