I am seeing a similar problem. SecCodeCheckValidityWithErrors fails in the system/network extension and it appears the mds.lock file is the problem.The system extension is running as root (euid == 0) and within the depths of the Security framework (libsecurity_mds/lib/MDSSession.cpp to be exact), the file /private/var/db/mds/system/mds.lock is being accessed because of special-cased functionality for euid==0. However, the App Sandbox disallows access to the mds.lock file.FB7644780