Cannot build a system extension with the necessary entitlements so that it can activate while SIP is disabled

I'm trying to build and activate a simple USBDriverKit system extension. I have not yet requested the entitlements I need from Apple, and so I'm trying to do so on a local system that has SIP disabled.


I'm pulling my hair out trying to get this thing to build and activate!


According to the documentation and threads I've read here, when SIP is disabled then macOS won't verify the app's signature is valid and so it'll let me use the entitlements I need in my system extension (`com.apple.developer.driverkit` and `com.apple.developer.driverkit.transport.usb`). But I can't actually build the app with those entitlements because Xcode will complain that I need a provisioning profile that includes them, and I'm not allowed to create one. There doesn't seem to be any option for codesigning the app with the entitlements I need without a provisioning profile, and thus I'm stuck.


What am I supposed to do in this situation?

Replies

I don't know, I ran into the same issue. I've asked for entitlements, and filed a bug report (Xcode told me I should when it failed to provision the application). I would encourage you to also file a bug report; you and I are not the only people who have run into this.

I believe I found a solution. The trick is to not codesign the app or system extension in Xcode (i.e. use "Sign to Run Locally"), build it with no entitlements, and then manually sign the extension and then the app using the command line and specify the entitlements you want to include. I did so using terminal commands that looked something like this:


codesign --verify --entitlements path/to/org.name.SystemExtension.entitlements -f -s "Developer ID Application: My Name" path/to/applicationBundle.app/Contents/Library/SystemExtensions/org.name.SystemExtension.dext/
codesign --verify --entitlements path/to/applicationBundle.entitlements -f -s "Developer ID Application: My Name" path/to/applicationBundle.app

(Obviously replace the paths of the entitlement files, the system extension, the app bundle, and your signing identity with the correct ones.)


I'd love to know if there's a better way to do this. But for the time being it seems like Xcode doesn't actually support building and testing system extensions!

Thanks for posting your solution; this solved my problem for signing the dext itself, and I've now refined this further:


You don't need the workaround for the container app: you just need to create an App ID with the "system extension" capability, create a corresponding development profile in your developer account, import that onto your dev & test machines and then sign using that profile.


You also don't need to use your Developer ID certificate for signing, the normal Apple Development (or legacy Mac Development) cert/key pair will do. The signing step can be added to the dext target as an Xcode "run script" build phase:


# Run-script build phase on the dext target: only re-sign Debug builds,
# injecting the entitlements Xcode will not provision for us.
if [ "$CONFIGURATION" == "Debug" ] ; then
  echo "Debug build, codesigning and injecting entitlements"
  # Apple Development identity works here; Developer ID is not required.
  signing_identity="Apple Development: YOURNAME (IDENTIFIER)"
  # Entitlements plist with the driverkit keys (list it as a build-phase input file).
  debug_entitlements_file_path="$SRCROOT/dext-code-path/your-dext.entitlements"
  # $CODESIGNING_FOLDER_PATH is the .dext bundle Xcode just built for this target.
  codesign --verify --entitlements "$debug_entitlements_file_path" -f -s "$signing_identity" "$CODESIGNING_FOLDER_PATH"
fi


Don't forget to specify the entitlements file path as an input to the build step.

This worked for me on Xcode 11.5, but is now broken again in Xcode 12 beta. Does anyone have it working?
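The manual re-signing described in the two posts above, as an added example that is not code from this thread or from Apple: it writes the dext and app entitlement plists, signs the nested dext before the container app (re-signing the outer bundle seals the nested code, so the order matters), and then reads the entitlements back with `codesign -d --entitlements :-` to confirm they were actually applied. The function names, the bundle layout, the placeholder vendor ID and the assumption that `codesign -d --entitlements :-` prints an XML plist on stdout (as it did in the Xcode 11/12 era discussed here) are mine, not from the thread.

```python
#!/usr/bin/env python3
"""Re-sign a DriverKit dext and its container app with entitlements Xcode
will not provision, then read them back to confirm they were applied.

Added example for this thread, not code from the thread or from Apple.
Assumptions (not stated in the thread): the function names, the bundle
layout (dext under Contents/Library/SystemExtensions), the placeholder
vendor ID, and that `codesign -d --entitlements :- <path>` prints an XML
plist on stdout (true for the Xcode 11/12 era discussed in the thread).
"""
import plistlib
import subprocess
import sys
from pathlib import Path

VENDOR_ID = 0x1234  # placeholder; replace with your device's USB vendor ID

# Entitlements named in the thread for the dext itself.
DEXT_ENTITLEMENTS = {
    "com.apple.developer.driverkit": True,
    "com.apple.developer.driverkit.transport.usb": [{"idVendor": VENDOR_ID}],
}
# The container app needs the system-extension install entitlement
# (the "System Extension" capability mentioned in the refinement above).
APP_ENTITLEMENTS = {"com.apple.developer.system-extension.install": True}


def write_entitlements(path: Path, entitlements: dict) -> Path:
    """Write an entitlements plist in the XML form codesign expects."""
    path.write_bytes(plistlib.dumps(entitlements, fmt=plistlib.FMT_XML))
    return path


def sign_command(identity: str, entitlements, target) -> list:
    """codesign invocation: force re-sign and inject the given entitlements.
    Unlike the thread's one-liners, verification is done as a separate step."""
    return ["codesign", "--force", "--sign", identity,
            "--entitlements", str(entitlements), str(target)]


def parse_entitlements(blob: bytes) -> dict:
    """Parse what `codesign -d --entitlements :-` printed (an XML plist)."""
    return plistlib.loads(blob) if blob.strip() else {}


def missing_entitlements(have: dict, want: dict) -> list:
    """Requested keys that are absent or carry a different value."""
    return sorted(k for k, v in want.items() if have.get(k) != v)


def read_entitlements(target: Path) -> dict:
    out = subprocess.run(["codesign", "-d", "--entitlements", ":-", str(target)],
                         capture_output=True, check=True).stdout
    return parse_entitlements(out)


def resign(app: Path, identity: str, work: Path) -> None:
    """Sign the nested dext first, then the app; signing the app first and the
    dext afterwards would invalidate the app's seal over its nested code."""
    dexts = list((app / "Contents/Library/SystemExtensions").glob("*.dext"))
    if len(dexts) != 1:
        sys.exit(f"expected exactly one dext in {app}, found {dexts}")
    dext_ents = write_entitlements(work / "dext.entitlements", DEXT_ENTITLEMENTS)
    app_ents = write_entitlements(work / "app.entitlements", APP_ENTITLEMENTS)
    for target, ents, want in ((dexts[0], dext_ents, DEXT_ENTITLEMENTS),
                               (app, app_ents, APP_ENTITLEMENTS)):
        subprocess.run(sign_command(identity, ents, target), check=True)
        # Structural check of the signature, then confirm the entitlements landed.
        subprocess.run(["codesign", "--verify", "--deep", "--strict", str(target)],
                       check=True)
        gap = missing_entitlements(read_entitlements(target), want)
        if gap:
            sys.exit(f"{target.name}: entitlements not applied: {gap}")
        print(f"{target.name}: signed and entitlements confirmed")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: resign_dext.py <App.app> '<Apple Development: Name (TEAMID)>'")
    resign(Path(sys.argv[1]), sys.argv[2], Path.cwd())
```

Run it against the app bundle produced by a "Sign to Run Locally" build; with SIP disabled the ad-hoc provisioning gap no longer matters for activation, but the read-back step is still the quickest way to tell whether an `OSSystemExtensionError` is caused by entitlements that never made it into the signature.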
Hi everybody,

I have the approved entitlement now, and I downloaded the .provisionprofile to embed it into my dext before signing it.

Now that I see this article, does it mean I can ignore this .provisionprofile during development?

Thank you so much. And DriverKit is tough!

Hi Everybody,

Any luck getting it working without entitlements? I tried on Xcode 12.2 beta 2. Set "Sign to Run Locally". SIP disabled = Xcode still prompts that it requires a provisioning profile...