Hardened runtime error on System Extensions

I have an app with a System Extension, which I've notarized.
I've tried two cases:
  1. With Hardened Runtime on the System Extension.

  2. Without Hardened Runtime on the System Extension.

Once I've notarized the App Bundle, I notarize the app package; both succeeded and stapled correctly.

When I try to run the App with SIP enabled, I get the following error:

    code signature validation failed fatally: When validating /Applications/AppName:
    Hardened Runtime relaxation entitlements disallowed on System Extensions


It sounds like you have hardened runtime exception entitlements set on your system extension. If you do the following, what do you see:

    % codesign -d --entitlements :- /path/to/your.app/Contents/Library/SystemExtensions/your.systemextension


Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
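As an added example (not from this thread or from Apple), a small Python script that parses the output of the codesign command above and lists any Hardened Runtime relaxation entitlements (the com.apple.security.cs.* keys) set to true on the extension; the two entitlement samples embedded in it are constructed, modelled on the clean output posted later in the thread.

```python
import plistlib
import sys

# Hardened Runtime "relaxation" entitlements all live under this prefix
# (allow-jit, allow-unsigned-executable-memory, allow-dyld-environment-variables,
# disable-library-validation, disable-executable-page-protection, debugger).
# Notarization accepts them on apps, but the system extension loader rejects
# them with the "relaxation entitlements disallowed" error quoted in the thread.
RELAXATION_PREFIX = "com.apple.security.cs."

def parse_codesign_entitlements(output: str) -> dict:
    """Parse the text printed by `codesign -d --entitlements :- <bundle>`.
    codesign prints an 'Executable=...' line (on stderr) before the plist, so
    everything up to the XML declaration is dropped first."""
    start = output.find("<?xml")
    if start < 0:
        raise ValueError("no XML property list found in codesign output")
    return plistlib.loads(output[start:].encode("utf-8"))

def relaxation_entitlements(output: str) -> list:
    """Return the sorted relaxation entitlement keys that are set to true."""
    ents = parse_codesign_entitlements(output)
    return sorted(k for k, v in ents.items()
                  if k.startswith(RELAXATION_PREFIX) and v is True)

# Constructed sample, modelled on the clean entitlements pasted in the thread.
CLEAN_SAMPLE = """Executable=/path/to/your.app/Contents/Library/SystemExtensions/your.systemextension
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>com.apple.developer.team-identifier</key><string>TEAMID</string>
<key>com.apple.security.get-task-allow</key><false/>
</dict></plist>"""

# Constructed sample of an extension that would trip the loader's check.
RELAXED_SAMPLE = CLEAN_SAMPLE.replace(
    "</dict>",
    "<key>com.apple.security.cs.disable-library-validation</key><true/></dict>")

if __name__ == "__main__":
    # Usage: codesign -d --entitlements :- <ext> 2>&1 | python3 check_ext_entitlements.py -
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else CLEAN_SAMPLE
    found = relaxation_entitlements(text)
    print("relaxation entitlements: " + (", ".join(found) if found else "none"))
```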
I don't see any of the hardened runtime entitlements. This is what I get:

    Executable=/path/to/your.app/Contents/Library/Library/SystemExtensions/your.systemextension
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>SYSTEM_EXTENSION_BUNDLE_ID</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>TEAMID</string>
<key>com.apple.security.application-groups</key>
<array>
<string>TEAMID.GROUP_NAME</string>
</array>
<key>com.apple.security.get-task-allow</key>
<false/>
<key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
<array>
<string>MACHSERVICE_NAME</string>
</array>
</dict>
</plist>


I don't see any of the hardened runtime entitlements.

Indeed. Weird. What OS version are you testing this on?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
I am running this on Catalina 10.15.6.

I am running this on Catalina 10.15.6.

Yeah, I got nothing )-: You should open a DTS tech support incident so I can take a more in-depth look at how you have this set up.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
I just submitted a TSI with follow-up number: 745407154, but I didn't see the option to submit the Bundle or the crash logs. What information would you require to look into this further?

Any update here? The same issue happened with my notarized pkg, which contains a host app with a system extension (both Endpoint Security and Content Filter).

When the host app loads, it reports this error message:

removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Applications/XXXX.app/Contents/MacOS/XXXService: Hardened Runtime relaxation entitlements disallowed on System Extensions

First, some terminology. You wrote:

When the host app loads, it reports this error message

I believe you mean the container app, right? As a reminder, when talking about app extensions:

  • The container app is the app in which the extension is embedded.

  • The host app is the app that’s using the extension.

We use the same terminology for system extensions, although the latter doesn’t make as much sense in that context.


Second, what version of macOS are you seeing this on?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
