mac-registration-provider was just archived (Apr 1, 2026). On macOS 26.3.1 (25D2128, arm64e), NACKeyEstablishment and NACSign crash with SIGABRT because they're now PAC-protected trampolines (braa x9, x17) instead of direct callable functions.
NACInit at offset 0x664de8 still works (sanity check returns -44023, full init with cert works). But KeyEstablishment at 0x75e91c is a PAC dispatch stub that crashes when called via function pointer cast.
Impact
- Cannot generate validation data on macOS 26
- Blocks all non-relay registration flows
- mac-registration-provider (now archived) cannot be fixed upstream
How does OpenBubbles handle validation data generation on macOS 26? Does the app use a different mechanism than mac-registration-provider's direct NAC function calls?
Workaround attempted
ptrauth_sign_unauthenticated — same crash- Calling functions adjacent to NACInit — wrong signatures
- IDSValidationSession ObjC runtime — requires entitlements, crashes without them
Binary info
- identityservicesd SHA256:
3a674a0f5dcb05b404a3042d56c637b24466307dd608c790bef2f666d0ff927c
- NACInit:
0x664de8 (32KB function, works)
- IDSProtoKeyTransparencyTrustedServiceReadFrom:
0x0cea08
mac-registration-provider was just archived (Apr 1, 2026). On macOS 26.3.1 (25D2128, arm64e), NACKeyEstablishment and NACSign crash with SIGABRT because they're now PAC-protected trampolines (
braa x9, x17) instead of direct callable functions.NACInit at offset
0x664de8still works (sanity check returns -44023, full init with cert works). But KeyEstablishment at0x75e91cis a PAC dispatch stub that crashes when called via function pointer cast.Impact
How does OpenBubbles handle validation data generation on macOS 26? Does the app use a different mechanism than mac-registration-provider's direct NAC function calls?
Workaround attempted
ptrauth_sign_unauthenticated— same crashBinary info
3a674a0f5dcb05b404a3042d56c637b24466307dd608c790bef2f666d0ff927c0x664de8(32KB function, works)0x0cea08