Hi,
I've recently successfully signed and notarized my application. My application is written in Python, so I am unable to use the Xcode workflow and instead use PyInstaller to package it, followed by the codesign command:
codesign --deep --force --options=runtime --entitlements entitlements.plist --sign developer-id-hash --timestamp network_visualizer.app
Everything works using this entitlements file when signing according to PyInstaller's specifications:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>
Now an issue occurs: even though I can sign, notarize, and distribute my application, I am losing a critical function, which is opening up a network interface for sniffing traffic (pcapy open_live function). It works on my M1 MacBook when downloaded from the Internet, but not on a friend's Intel MacBook -- same macOS Monterey. I figure it has something to do with requiring elevated permissions, so I assume that I should add additional entitlements when code signing. After some investigation I decide to try to add these additional entitlements:
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider</string>
<string>app-proxy-provider</string>
<string>content-filter-provider</string>
</array>
Before I can even test this, my app fails execution with Termination Reason: CODESIGNING. I then proceed to create a provisioning profile through the developer.apple.com website. I successfully download and install this provisioning profile and include a copy in the app directory:
network_visualizer.app/Content/embedded.provisionprofile
The provisioning profile has the networkextension enabled and is correctly recognized using a dummy app built in Xcode. How do I get codesign to recognize the provisioning profile when signing?
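A pre-signing check for the situation described in the post, as an added example that is not part of the original post: it compares the entitlements requested at signing time with the `Entitlements` dictionary of a decoded provisioning profile and reports any restricted value the profile does not authorize. The profile contents below are constructed sample data, the function name is hypothetical, and the code assumes that `com.apple.security.cs.*` hardened-runtime keys need no profile while every other key must be covered by one.

```python
import plistlib

# Entitlements requested at signing time: the keys and values quoted in the post.
REQUESTED = plistlib.loads(b"""<plist version="1.0"><dict>
<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
  <string>packet-tunnel-provider</string>
  <string>app-proxy-provider</string>
  <string>content-filter-provider</string>
</array>
</dict></plist>""")

# Constructed sample standing in for a decoded profile. On macOS the real plist
# comes from: security cms -D -i embedded.provisionprofile
PROFILE = plistlib.loads(b"""<plist version="1.0"><dict>
<key>Name</key><string>Constructed sample profile</string>
<key>Entitlements</key><dict>
  <key>com.apple.developer.networking.networkextension</key>
  <array>
    <string>packet-tunnel-provider</string>
    <string>app-proxy-provider</string>
  </array>
</dict>
</dict></plist>""")

# Assumption: hardened-runtime entitlements are unrestricted (no profile needed).
UNRESTRICTED_PREFIXES = ("com.apple.security.cs.",)

def unauthorized_entitlements(requested, profile):
    """Return {key: offending value(s)} for entitlements the profile does not cover.
    Simplification: exact matching only, no wildcard handling."""
    allowed = profile.get("Entitlements", {})
    problems = {}
    for key, value in requested.items():
        if key.startswith(UNRESTRICTED_PREFIXES):
            continue
        if key not in allowed:
            problems[key] = value          # whole key is missing from the profile
        elif isinstance(value, list):
            granted = allowed[key] if isinstance(allowed[key], list) else [allowed[key]]
            missing = [v for v in value if v not in granted]
            if missing:
                problems[key] = missing    # only some array values are authorized
        elif value != allowed[key]:
            problems[key] = value
    return problems

if __name__ == "__main__":
    for key, bad in unauthorized_entitlements(REQUESTED, PROFILE).items():
        print(f"not authorized by profile: {key} -> {bad}")
```
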