biscuitehh / pam-watchid

PAM plugin module that allows the Apple Watch to be used for authentication


Doesn't work on new macOS Big Sur

AlexDrBanana opened this issue · comments

This PAM module doesn't seem to work with the new macOS Big Sur anymore.

Same problem

Library Validation failed: Rejecting '/usr/local/lib/pam/pam_watchid.so.2' (Team ID: none, platform: no) for process 'sudo(54344)' (Team ID: none, platform: yes), reason: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.

Okay, so it needs to be signed on Big Sur. Also keep in mind the target for x86_64 systems is "x86_64-apple-macosx10.16", at least that's true for dev beta 2.

@jankytay How did you obtain the more detailed error message? I'm attempting to sign my version of this but I can't get the more detailed output at present.

Even after signing with --options=library the error message becomes:

Library Validation failed: Rejecting '/usr/local/lib/pam/pam_watchid.so' (Team ID: T6RHPHE4L3, platform: no) for process 'sudo(16521)' (Team ID: none, platform: yes), reason: mapping process is a platform binary, but mapped file is not

From what I've been able to find, this is the result of a security move from Apple that prevents system components from loading plugins that are not system components, regardless of signature validity.
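Triage of the two kernel messages quoted in this thread, as an added example that is not code from the pam-watchid project. It assumes the lines were captured from macOS unified logging (for instance with `log show --last 1h --predicate 'eventMessage CONTAINS "Library Validation"'`, an assumption about how the messages above were obtained) and splits them into the fields that decide the fix: a module with no cdhash at all, versus a Developer ID-signed module that a platform binary still refuses to load.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two AMFI messages quoted in this thread,
# one for an unsigned module and one for a Developer ID-signed module.
SAMPLE_LOG = (
    "Library Validation failed: Rejecting '/usr/local/lib/pam/pam_watchid.so.2' "
    "(Team ID: none, platform: no) for process 'sudo(54344)' "
    "(Team ID: none, platform: yes), reason: mapped file has no cdhash, "
    "completely unsigned? Code has to be at least ad-hoc signed.\n"
    "Library Validation failed: Rejecting '/usr/local/lib/pam/pam_watchid.so' "
    "(Team ID: T6RHPHE4L3, platform: no) for process 'sudo(16521)' "
    "(Team ID: none, platform: yes), reason: mapping process is a platform "
    "binary, but mapped file is not\n"
)

# Field layout of the kernel's Library Validation rejection message.
LV_RE = re.compile(
    r"Library Validation failed: Rejecting '(?P<path>[^']+)' "
    r"\(Team ID: (?P<lib_team>[^,]+), platform: (?P<lib_plat>yes|no)\) "
    r"for process '(?P<proc>[^']+)' "
    r"\(Team ID: (?P<proc_team>[^,]+), platform: (?P<proc_plat>yes|no)\), "
    r"reason: (?P<reason>.+)$"
)

def diagnose(reason: str, lib_platform: bool, proc_platform: bool) -> str:
    # Map the reason text to the check that decides what to do next.
    if "no cdhash" in reason or "unsigned" in reason:
        return "unsigned"       # rejected before any identity check: needs at least ad-hoc signing
    if proc_platform and not lib_platform:
        return "non-platform"   # Team ID or not, a platform loader only accepts platform code
    return "other"

def parse_line(line: str) -> Optional[Dict[str, object]]:
    # Return the rejection's fields, or None for lines that are not LV rejections.
    m = LV_RE.search(line.strip())
    if not m:
        return None
    lib_plat, proc_plat = m["lib_plat"] == "yes", m["proc_plat"] == "yes"
    return {
        "path": m["path"],
        "lib_team": None if m["lib_team"] == "none" else m["lib_team"],
        "lib_platform": lib_plat,
        "process": m["proc"],
        "proc_platform": proc_plat,
        "reason": m["reason"],
        "diagnosis": diagnose(m["reason"], lib_plat, proc_plat),
    }

def parse_log(text: str) -> List[Dict[str, object]]:
    # Parse every rejection in a log dump; lines that do not match are skipped.
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]
```

Running `parse_log` over the unified-log output shows at a glance whether a rejected PAM module merely lacks a signature or is being refused for not being platform code, which no amount of re-signing changes.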

Compiled and works fine for me. macOS 11.0 DP3 Build 20A5323l

I can confirm that this seems to be resolved in macOS 11.0 DP3 Build 20A5323l for me as well - no changes and a completely unsigned .so


I should mention that my recent struggles with this are on Catalina (10.15.6), definitely caused by a very recent (within the last week?) update, as I have been using pam_watchid daily for a month or more. Hopefully this breakage is actually being reverted in Big Sur on purpose.

I'm also using it on the latest macOS Catalina version 10.15.6 and it does work for me.

@scordinskyc @rblenkinsopp

How did you guys make it work?

I'm also on macOS 11.0 Beta 3; it only works if I disable SIP...

I just successfully configured this on Big Sur release running on Mac mini. No extra steps needed

As another data point, I just got this working on an ARM Mac mini. SIP off, no code signing; the only change was in the Makefile: TARGET=arm64-apple-macosx11.0

After trying to install this, whatever arrangement of lines in the sudo file I use I get the following error when trying to use sudo:

sudo: unable to initialize PAM: No such file or directory

I'm on 11.1, so maybe Apple has protected this file further. I haven't, and really don't want to, disable any security settings.

Works on my Intel MBP (12,1) on 11.1 (should be 20C69, don't exactly remember) (TARGET=x86_64-apple-macosx11.1) and 11.2 Beta (20D5029f) (TARGET=x86_64-apple-macosx11.2). I only modified the TARGET variable in Makefile and all default security settings were in place.

Ditto, working here on an M1 Mac Mini by changing the Makefile target to TARGET=arm64-apple-macosx11.0

Hmm, must have screwed up the build the first try. Just tried again and it worked. This time I used the TARGET that running swift -version returned. Note that on an M1 Mac this appears to be quite a different formulation for a target than on Intel Macs.

I'm on Big Sur 11.1 on an M1 Mac mini, only change was TARGET=arm64-apple-darwin20.2.0 but I'm getting Killed: 9. Any advice?