Hi!
I'm trying to move from CoreMedio I/O DAL Plug-In to CoreMedia I/O camera extensions, announced in macOS 12.3.
I created a test extension, placed it inside my app bundle into Contents/Library/SystemExtensions and signed with codesigning certificate. But when I try to install my extension from inside my app, using this code (Swift):
func requestActivation() {
guard case .idle = status
else { fatalError("Invalid state") }
print("Requesting activation of extension \"\(extensionIdentifier)\"")
let req = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: extensionIdentifier, queue: DispatchQueue.main)
req.delegate = self
OSSystemExtensionManager.shared.submitRequest(req)
status = .requested
}
I'm getting an error:
OSSystemExtensionErrorDomain error 8: Code Signature Invalid
which is rather generic. Can anybody tell me what I am doing wrong? Or at least propose some steps to find it out?
I'm posting here entitlements and codesign output for my extension and containing application for further information.
kdg@admins-Mac-mini SystemExtensions % codesign -d --entitlements - ./com.visicom.VirtualCamera.avextension.systemextension
Executable=/Applications/VirtualCamera.app/Contents/Library/SystemExtensions/com.visicom.VirtualCamera.avextension.systemextension/Contents/MacOS/com.visicom.VirtualCamera.avextension
[Dict]
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] 6SUWV7QQBJ.com.visicom.VirtualCamera
kdg@admins-Mac-mini /Applications % codesign -d --entitlements - ./VirtualCamera.app
Executable=/Applications/VirtualCamera.app/Contents/MacOS/VirtualCamera
[Dict]
[Key] com.apple.developer.system-extension.install
[Value]
[Bool] true
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] 6SUWV7QQBJ.com.visicom.VirtualCamera
[Key] com.apple.security.files.user-selected.read-only
[Value]
[Bool] true
kdg@admins-Mac-mini SystemExtensions % codesign -dvvv ./com.visicom.VirtualCamera.avextension.systemextension
Executable=/Applications/VirtualCamera.app/Contents/Library/SystemExtensions/com.visicom.VirtualCamera.avextension.systemextension/Contents/MacOS/com.visicom.VirtualCamera.avextension
Identifier=com.visicom.VirtualCamera.avextension
Format=bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1553 flags=0x10700(hard,kill,expires,runtime) hashes=37+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=25bd80657bfd6e0ab95467146c7b532817e9e520
CandidateCDHashFull sha256=25bd80657bfd6e0ab95467146c7b532817e9e5209fd50b0cb7ceef40dcfb40e8
Hash choices=sha256
CMSDigest=25bd80657bfd6e0ab95467146c7b532817e9e5209fd50b0cb7ceef40dcfb40e8
CMSDigestType=2
CDHash=25bd80657bfd6e0ab95467146c7b532817e9e520
Signature size=9006
Authority=Developer ID Application: Visicom Media Inc. (6SUWV7QQBJ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=7 Jul 2022, 21:49:32
Info.plist entries=23
TeamIdentifier=6SUWV7QQBJ
Runtime Version=12.3.0
Sealed Resources version=2 rules=13 files=0
Internal requirements count=1 size=200
kdg@admins-Mac-mini /Applications % codesign -dvvv ./VirtualCamera.app
Executable=/Applications/VirtualCamera.app/Contents/MacOS/VirtualCamera
Identifier=com.visicom.VirtualCamera
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1989 flags=0x10700(hard,kill,expires,runtime) hashes=51+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=31e15fbbd436a67a20c5b58c597d8a4796a67720
CandidateCDHashFull sha256=31e15fbbd436a67a20c5b58c597d8a4796a6772020308fb69f4ee80b4e32788b
Hash choices=sha256
CMSDigest=31e15fbbd436a67a20c5b58c597d8a4796a6772020308fb69f4ee80b4e32788b
CMSDigestType=2
CDHash=31e15fbbd436a67a20c5b58c597d8a4796a67720
Signature size=9006
Authority=Developer ID Application: Visicom Media Inc. (6SUWV7QQBJ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=7 Jul 2022, 21:58:09
Info.plist entries=20
TeamIdentifier=6SUWV7QQBJ
Runtime Version=12.3.0
Sealed Resources version=2 rules=13 files=4
Internal requirements count=1 size=188
Thanks in advance!
Post
Replies
Boosts
Views
Activity
Hi!I have a CoreMediaIO DAL Plug-in, and it often has to work in a sandboxed environment, since more and more containing applications are sandboxed nowadays: QuickTime, FaceTime, PhotoBooth, Safari WebProcess, etc. So since my plug-in is sandboxed, I decided to separate some functionality to an XPC service, as suggested by Apple:"In rare cases, your app might have a small piece of functionality that cannot be sandboxed. Rather than abandon App Sandbox altogether, you might relegate the ineligible code to an XPC service that is not sandboxed. It is easier to secure a smaller piece of code than a larger one, and in this way, the bulk of your app enjoys the benefits of App Sandbox."So I created XPC Service, placed it into my plug-in bundle, inside XPCServices folder, and signed service and entire bundle with codesign.Now the problem is that my XPC Service seems to be blocked by macOS and naturally no XPC connection is established between plug-in and service. Right when plug-in is loaded into app, the following message appears in console:16/08/18 11:27:22,747 com.apple.xpc.launchd[1] (com.apple.xpc.launchd.domain.pid.QuickTime Player.4316) Path not allowed in target domain: type = pid, path = /Library/CoreMediaIO/Plug-Ins/DAL/MyVideoDeviceCMIO.plugin/Contents/XPCServices/MyVideoDeviceXPCService.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/QuickTime Player.appThen, when I callxpc_connection_t conn = xpc_connection_create("com.MyCompany.VideoDevice.xpc", NULL);the following error appears:16/08/18 11:27:24,585 com.apple.appkit.xpc.openAndSavePanelService[4318] assertion failed: 15E65: libxpc.dylib + 78986 [2CC7CF36-66D4-301B-A6D8-EBAE7405B008]: 0x89Btw, if app is not sandboxed (e.g. Skype), my XPC Service works as expected, no errors appear in Console. It works even when plug-in bundle doesn't have code signature. The problem is only for sandboxed applications, i.e. apps that have .entitlements file embedded in code signature, with the following lines:<key>com.apple.security.app-sandbox</key><true/>So what am I doing wrong?