//
you're reading...

Programming

How to Compile OpenSSL 1.1.1 for Apple Silicon

You have an app on the Mac App Store which depends on OpenSSL for receipt validation, among other things. This validation may be done through Receigen, Swifty Receipt Validator, or your own home-grown receipt validation logic.

But Apple recently announced another instruction set that you need to support in your mac app: ARM64. These new machines could come as early as Big Sur’s general availability, which is likely in October 2020. This means that you have about three months left to update your macOS application.

Unfortunately CocoaPods hasn’t offer any OpenSSL distributions for Apple Silicon macintosh computers yet. Sure there are a few pre-compiled ARM64 binaries but those links against iOS frameworks, not macOS.

Wouldn’t it be great if you have your Mac App ready for Apple Silicon on the same day Big Sur is on Golden Master?

Here are the steps that you need to do to get a copy of OpenSSL ready for inclusion in your Universal 2 application for the Mac:

  1. Download OpenSSL 1.1.1g sources.
  2. Extract the archive into two different folders, one for Intel and the other for ARM instruction sets, respectively.
  3. Configure and compile each separately.
  4. Join results of the two together to create a Universal Library.

In this article I’m going to assume that you are going to extract OpenSSL sources into sibling folders with the following names:

  • openssl-1.1.1g-x86_x64 – for the Intel build.
  • openssl-1.1.1g-arm64 – for the ARM build.

Building the Intel Half

Building the x86_64 portion would be straight-forward since this is currently supported by OpenSSL 1.1.1g. You need to extract the OpenSSL sources into a dedicated folder for the architecture, run configure and then make. Optionally set the macOS deployment target if you need your app to run on earlier versions of the operating system.

You can find an example below. Pay special attention on the arguments to the Configure script.

## Specify minimum deployment target as needed by your app
$ export MACOSX_DEPLOYMENT_TARGET=10.13

$ cd openssl-1.1.1g-x86_x64
$ ./Configure darwin64-x86_64-cc shared
$ caffeinate make

By the time make completes, you should get four files that comprises of the static and dynamic libraries of OpenSSL.

  • libssl.1.1.dylib
  • libcrypto.1.1.1.dylib
  • libssl.a
  • libcrypto.a

Building the ARM Half

However the arm64 portion requires changes to OpenSSL’s build configuration as the macOS build of the instruction set is not currently supported by the library.

Having extracted the OpenSSL sources (be sure extract it into a separate location than the one you’ve used to build the Intel portion), then modify file Configurations/10.main.conf to add the macOS arm64 build configuration. Add the following snippet at around line 1560, right under the entry for “darwin64-x86_64-cc”.

"darwin64-arm64-cc" => {
    inherit_from     => [ "darwin-common", asm("aarch64_asm") ],
    CFLAGS           => add("-Wall"),
    cflags           => add("-arch arm64 -isysroot /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk"),
    lib_cppflags     => add("-DL_ENDIAN"),
    bn_ops           => "SIXTY_FOUR_BIT_LONG",
    perlasm_scheme   => "macosx",
},

(Special thanks to OpenSSL PR 12254 for the above configuration snippet).

When you’re done, the file should look like the following:

OpenSSL macOS ARM64 Configuration

Then run Configure and make similar to before. Take note that the Configure script takes a different set of arguments.

% cd openssl-1.1.1g-arm64
% ./Configure shared enable-rc5 zlib darwin64-arm64-cc no-asm
% caffeinate make

By the time make completes, you would get four files that comprises of the static and dynamic libraries of OpenSSL, having the same file names as the ones previously compiled for Intel. This is why you should create a copy for each architecture and compile it in two different folders.

Creating Universal Libraries

Having the libraries compiled for the respective Intel and ARM64 instruction sets, the last step would be combining the two halves of the each library file into their respective universal library files. Use lipo for this, as follows.

% mkdir openssl-mac

% lipo -create openssl-1.1.1g-arm64/libcrypto.1.1.dylib openssl-1.1.1g-x86_x64/libcrypto.1.1.dylib  -output openssl-mac/libcrypto.1.1.1.dylib

% lipo -create openssl-1.1.1g-arm64/libssl.1.1.dylib openssl-1.1.1g-x86_x64/libssl.1.1.dylib -output openssl-mac/libssl.1.1.dylib

% lipo -create openssl-1.1.1g-arm64/libcrypto.a openssl-1.1.1g-x86_x64/libcrypto.a -output openssl-mac/libcrypto.a

% lipo -create openssl-1.1.1g-arm64/libssl.a openssl-1.1.1g-x86_x64/libssl.a -output openssl-mac/libssl.a

When you’re done combining the library files, check them using the file tool and verify that indeed you have a universal library.

% file libcrypto.a

libcrypto.a: Mach-O universal binary with 2 architectures: [x86_64:current ar archive random library] [arm64]
libcrypto.a (for architecture x86_64):  current ar archive random library
libcrypto.a (for architecture arm64):   current ar archive random library

If you use OpenSSL for license validation, you should use the static library version. Which are the libcrypto.a and libssl.a files. Static linking reduces the risk of code injection via library replacement. In other words, it’ll be harder to for crackers to replace the OpenSSL libraries inside your app bundle and make your app use their compromised replacement version instead.

Nevertheless if you use OpenSSL as dynamic libraries, then you would need to change its install names be embeddable into your app bundle’s Frameworks folder. Plain compilation of OpenSSL dynamic libraries are meant to be installed in a shared folder.

Use install_name_tool on the dynamic versions of the library files as follows:

% cd openssl-mac

% install_name_tool -id '@rpath/libcrypto.1.1.1.dylib' libcrypto.1.1.1.dylib

% install_name_tool -id '@rpath/libssl.1.1.dylib' libssl.1.1.dylib

As always, it’ll be prudent to check your work. Use otool -D to print the install name of a dynamic library.

% otool -D libssl.1.1.dylib 

libssl.1.1.dylib:
@rpath/libssl.1.1.dylib

Next Steps

In case you’re in a hurry, I’ve compiled these libraries for you that you can download and drop them into your project. These were built on Xcode 12 Beta 4 running on the Apple Silicon version of Big Sur. These library files are temporary stop-gap until OpenSSL officially support Apple Silicon.

This article was tested with Xcode 12 Beta 4 running on the Apple Silicon version of Big Sur Beta 4. You don’t need an Apple Silicon mac to compile libraries or applications for the processor — Xcode 12 can produce ARM64 binaries even when running on Intel macs. However to test the ARM64 half of a Universal Binary you would need an Apple Silicon mac.

An Apple Silicon mac can run both the Intel and the ARM64 portions of a universal binary application. But not the other way around. Intel binaries are emulated under Rosetta 2 on Apple Silicon, but there is no emulation of ARM64 on Intel-based mac.

But even when you don’t have an Apple Silicon Mac (yet), merely compiling for Universal Binary would be a good start. You’ll know which pre-built 3rd party libraries to update, for which OpenSSL is likely one of several. There are likely ARM-related compiler warnings to heed out for.

Why wait? Get your Xcode Beta copy today and start building your Mac app for ARM64!

Until next time.



Do you enjoy this post? Enter your e-mail address in the form below to receive:

  • A cheat sheet on how to pass App Review Guideline 4.2 “Minimum Functionality”.
  • Notifications of new articles as soon as they are published.
  • Occasional tips and updates about my work.

You can unsubscribe any time and I won’t share your e-mail to any third party.

* indicates required

Discussion

3 Responses to “How to Compile OpenSSL 1.1.1 for Apple Silicon”

  1. Thank you for the guide. I can compile it for Apple silicon successfully, and there is no problem to compile my Xcode project for “My Mac (Rosetta)” on the DTK Mac. But there is problem when compiling for “My Mac” (for Apple Silicon), even using the .a files you provided directly.

    Mac: DTK
    OS: Big Sur beta 7
    Xcode: Version 12.2 beta 1

    Error messages:

    Undefined symbols for architecture arm64:
    deflate”, referenced from:
    _zlib_stateful_compress_block in libcrypto.a(c_zlib.o)
    _bio_zlib_write in libcrypto.a(c_zlib.o)
    _bio_zlib_ctrl in libcrypto.a(c_zlib.o)
    “_deflateEnd”, referenced from:
    _zlib_stateful_finish in libcrypto.a(c_zlib.o)
    _bio_zlib_free in libcrypto.a(c_zlib.o)
    “_deflateInit
    “, referenced from:
    zlib_stateful_init in libcrypto.a(c_zlib.o)
    _bio_zlib_write in libcrypto.a(c_zlib.o)
    “_inflate”, referenced from:
    _zlib_stateful_expand_block in libcrypto.a(c_zlib.o)
    _bio_zlib_read in libcrypto.a(c_zlib.o)
    “_inflateEnd”, referenced from:
    _zlib_stateful_finish in libcrypto.a(c_zlib.o)
    _bio_zlib_free in libcrypto.a(c_zlib.o)
    “_inflateInit
    “, referenced from:
    _zlib_stateful_init in libcrypto.a(c_zlib.o)
    _bio_zlib_read in libcrypto.a(c_zlib.o)
    “_zError”, referenced from:
    _bio_zlib_write in libcrypto.a(c_zlib.o)
    _bio_zlib_read in libcrypto.a(c_zlib.o)
    _bio_zlib_ctrl in libcrypto.a(c_zlib.o)

    ld: symbol(s) not found for architecture arm64

    If it’s convenient for you, would you please help to let me know the direction to resolve the issues?

    Thank you.

    Posted by Philip | 2020-09-21, 06:05
  2. Great! Thank you very much.

    Posted by LTP | 2020-08-23, 00:37
  3. Great job. Thanks. I followed your instructions. Everything was precise and correct. Activity Monitor shows Apple silicon for CPU and I am able to validate App Store credentials. Let me know if you would like a free license for EazyDraw – thanks again.

    Posted by Dave Mattson | 2020-08-12, 00:33

Leave a Reply

%d bloggers like this: