macOS 26 (Tahoe): NACKeyEstablishment PAC-protected, mac-registration-provider broken #21
Description
mac-registration-provider was just archived (Apr 1, 2026). On macOS 26.3.1 (25D2128, arm64e), NACKeyEstablishment and NACSign crash with SIGABRT because they're now PAC-protected trampolines (braa x9, x17) instead of direct callable functions.
NACInit at offset 0x664de8 still works (sanity check returns -44023, full init with cert works). But KeyEstablishment at 0x75e91c is a PAC dispatch stub that crashes when called via function pointer cast.
Impact
- Cannot generate validation data on macOS 26
- Blocks all non-relay registration flows
- mac-registration-provider (now archived) cannot be fixed upstream
How does OpenBubbles handle validation data generation on macOS 26? Does the app use a different mechanism than mac-registration-provider's direct NAC function calls?
Workaround attempted
ptrauth_sign_unauthenticated— same crash- Calling functions adjacent to NACInit — wrong signatures
- IDSValidationSession ObjC runtime — requires entitlements, crashes without them
Binary info
- identityservicesd SHA256:
3a674a0f5dcb05b404a3042d56c637b24466307dd608c790bef2f666d0ff927c - NACInit:
0x664de8(32KB function, works) - IDSProtoKeyTransparencyTrustedServiceReadFrom:
0x0cea08