Endpoint security client crash with SIP enabled

Hi,
I am developing an application based on Endpoint Security System Extension.
The application works fine with SIP disabled but when I enable SIP, the extension crashes with:
Exception Type: EXC_CRASH (Code Signature Invalid).

However, when checking the code signature with "codesign -vvv --strict --deep mySystemextension/myBinary" there is no issues with the codeSigning.
The app, systemextension and extension binary are all signed with Developer ID which was granted System Extension capability by Apple.
I can register the extension with my app with no issues but when launchd tries to launch my extension, it crashes with the above mentioned error code.

Does anyone have an idea on how I could resolve this issue?
Thanks
I think I got something, the system extension is missing the embedded provisioning profile with the "com.apple.developer.endpoint-security.client" entitlements. The app has a provisioning profile that was created from the developer portal with the system extension capability. Should I make a provisioning profile for the extension? I am not sure how to add the embedded profile to the extension.
Any help would be greatly appreciated.
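One way to confirm the diagnosis above before re-signing anything is to compare the entitlements the ES client binary is signed with against the entitlements its embedded provisioning profile actually authorizes. The script below is an added example, not code from this thread or from Apple; on a Mac the two plists would be produced by `codesign -d --entitlements :- <binary>` and `security cms -D -i <bundle>/Contents/embedded.provisionprofile` (assumed invocations), but here both are constructed sample plists so the check runs offline. The ES entitlement key is the one named in the post; `com.apple.developer.system-extension.install` appears only as a realistic neighbour in the sample profile.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an Endpoint Security system
# extension is signed with the ES entitlement AND that its embedded provisioning
# profile authorizes it. A binary that claims the restricted entitlement without
# a matching embedded profile is what the poster found when launchd refused to
# start the extension with SIP enabled.
#
# On macOS the inputs would come from (assumed invocations):
#   codesign -d --entitlements :- "$EXT/Contents/MacOS/$BIN" > signed.plist
#   security cms -D -i "$EXT/Contents/embedded.provisionprofile" > profile.plist
# Below they are constructed samples so the script runs anywhere.

ES_KEY="com.apple.developer.endpoint-security.client"

# plist_grants_key KEY < plist : exit 0 when <key>KEY</key> is followed by <true/>
plist_grants_key() {
    awk -v key="$1" '
        index($0, "<key>" key "</key>") { pending = 1; if (/<true\/>/) { ok = 1; exit }; next }
        pending && /<true\/>/            { ok = 1; exit }
        pending                          { pending = 0 }
        END                              { exit (ok ? 0 : 1) }'
}

# check_es_entitlement SIGNED_PLIST PROFILE_PLIST : 0 only if both grant the ES key
check_es_entitlement() {
    signed=$1; profile=$2; status=0
    if plist_grants_key "$ES_KEY" < "$signed"; then
        echo "ok:   binary is signed with $ES_KEY"
    else
        echo "FAIL: binary is not signed with $ES_KEY"; status=1
    fi
    if [ ! -s "$profile" ]; then
        echo "FAIL: no embedded provisioning profile (SIP will reject the signature at launch)"; status=1
    elif plist_grants_key "$ES_KEY" < "$profile"; then
        echo "ok:   embedded profile authorizes $ES_KEY"
    else
        echo "FAIL: embedded profile does not authorize $ES_KEY"; status=1
    fi
    return $status
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: entitlements as signed into the ES client binary.
cat > "$WORK/signed.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
</dict>
</plist>
EOF

# Constructed sample: decoded profile that carries the ES entitlement.
cat > "$WORK/profile_ok.plist" <<'EOF'
<plist version="1.0">
<dict>
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.endpoint-security.client</key>
        <true/>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
    </dict>
    <key>Name</key>
    <string>Sample ES Extension Profile</string>
</dict>
</plist>
EOF

# Constructed sample: a profile generated without the ES entitlement,
# plus the "no embedded profile at all" case from the post.
cat > "$WORK/profile_missing.plist" <<'EOF'
<plist version="1.0">
<dict>
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
    </dict>
</dict>
</plist>
EOF
: > "$WORK/no_profile.plist"

check_es_entitlement "$WORK/signed.plist" "$WORK/profile_ok.plist" || echo "(unexpected)"
check_es_entitlement "$WORK/signed.plist" "$WORK/profile_missing.plist" || echo "(expected failure)"
check_es_entitlement "$WORK/signed.plist" "$WORK/no_profile.plist" || echo "(expected failure)"
```

The check deliberately treats an empty or absent profile as a failure rather than skipping it: a signature that claims a restricted entitlement is only valid if some embedded profile from the developer portal vouches for that entitlement, which is exactly the gap the poster identified.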

Should I make a provisioning profile for the extension?

Yes.

I am not sure how to add the embedded profile to the extension.

Are you building this with Xcode?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Hi,

Yes I am using Xcode. My project has:
  • the app, in which I include the .systemextension using the "Build Phases" setting "Copy Files" tab.
  • the system extension, in which I include a binary executable (the ES client) in the same way as above (changing the destination from extension to executable).
  • the ES client executable.
The app has a provisioning profile with, I think, all the correct entitlements and capabilities.
I am not sure how to add a profile to the executable or system extension, as the "Signing & Capabilities" tab shows "None Required" for the provisioning profile.

Thanks for your help.
Okay, so I replaced my system extension with a new one that I created from the NetworkExtension template. I was able to provide a provisioning profile. Now it can run with SIP enabled.
The issue I have now is that I can only add the endpoint security entitlement to "Mac development" profiles and not to "Developer ID" profiles. The "additional entitlements" page does not show when creating a "Developer ID" profile.

Is this expected? How can I distribute my app if I can't sign it with my Developer ID? Did I miss something when making the endpoint security entitlement request?
Thanks for your help.

The "additional entitlements" page does not show when creating a "Developer ID" profile.

Hmm, that’s not good. When you were granted access to this entitlement you should have received an email confirming that fact. Reply to that email, explaining the problem and requesting that the folks responsible correct it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
To be sure we are on the same page, the "additional entitlements" page shows up for "Mac development" profile, but not for "Developer ID" profile.
You are saying that this should not be the case if I was granted the Endpoint Security Entitlement? I have the confirmation email and there is a follow-up number; I will use that to contact support.

Thank you

You are saying that this should not be the case if I was granted the Endpoint Security Entitlement?

Correct. Currently ES clients are not distributable via the Mac App Store, and thus it makes no sense to be granted access to the entitlement but not have it show up for Developer ID profiles.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Maybe I was not clear in my explanation.
When creating a new profile, I have several options that are grouped into "Development" and "Distribution".
When I choose "macOS App Development" from the "development" group, the "additional entitlements" page shows up.
When I choose "Developer ID" from the "distribution" group, the "additional entitlements" page does not show up.

Is it still an unexpected behavior? In the e-mail I received, it mentions

Your request to use Endpoint Security was approved for development. When creating a new development provisioning profile in Certificates, Identifiers & Profiles, you’ll see a template containing Endpoint Security entitlements.

So I was wondering, maybe I was only granted entitlement for development? Is that not the normal process? If you can confirm that I will send the reply to the email to ask for full permission.
Sorry, I forgot this computer was logged in with another team member account. The message above is also from me.