driverkit installation app fails with code signature error

Problems like this are most commonly cause by entitlement issues. Every constrained entitlement claimed by your app must be allowlisted by the provisioning profile. You should dump the entitlements claimed by your app:

Code Block  
% codesign -d -vvv --entitlements :- /path/to/your.app

and the entitlements allowed listed by the profile:

Code Block  
% security cms -D -i /path/to/your.app/Contents/embedded.provisionprofile

and check that things line up. Then do the same thing for the DriverKit sysex embedded within your app.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

HI Quinn
thank you for your reply. Indeed there are some differences.
The entitlements file has the following entries which are not in the profile
com.apple.security.app-sandbox (true)
com.apple.security.files.user-selected.read-only (true)
com.apple.security.get-task-allow (true)
the app-sandbox and files entries aren't explicitly set by me, the project template put them there.
the get-task-allow is from Xcode because this is a debug build (and I would like to be able to build it). This would be automatically removed if I were to notarize the app, but I'm not doing that because I have SIP turned off.

I think the problem is that my profile contains this:
<key>com.apple.developer.driverkit.transport.usb</key>
<array>
<dict>

<key>idVendor</key>
<integer>our-vendor-id</integer>
</dict>
</array>

while my entitlements file contains:

<key>com.apple.developer.driverkit.transport.usb</key>
<array>
<dict>
<key>idProduct</key>
<integer>someone-elses-product-id</integer>
<key>idVendor</key>
<integer>someone-else-vendor-id</integer>
</dict>
</array>

because I wanted to try something out on another vendor's hardware before committing resources to our own development.

Is this the problem? I can only mess with our own products?

How can I do this kind of experimentation, or is it verboten? What if I don't have a profile with a driver kit entitlement at all, I just want to try things out on my own Mac?

thanks for you help!
Stuart

FYI, the com.apple.security.{app-sandbox,files.user-selected.read-only,get-task-allow} entitlements are not constrained. Any app can use them without them being explicitly allowlisted by the profile.

Is this the problem?

I expect so. If you switch to your vendor ID does your code load?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

sadly, no, changing the idVendor value in the app entitlement to match that in the profile doesn't enable the app to launch. :(

changing the idVendor value in the app entitlement to match that in the profile doesn't enable the app to launch

Bummer.

At this point I’m out of ideas. I recommend that you open a DTS tech support incident so that we can investigate your issue in depth.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"