Developer ID signed app, system extension, mono with JIT

I'm trying to build a network extension distributed outside the App Store, so I'm creating a system extension. The parent app is written in C# on the mono runtime and requires com.apple.security.cs.allow-jit to get past the hardened runtime requirements. The system extension itself is Objective-C.

When I sign and notarize with the hardened runtime and com.apple.security.cs.allow-jit, I get the error:
Hardened Runtime relaxation entitlements disallowed on System Extensions

This is true even if the com.apple.security.cs.allow-jit is only on the parent app, not the extension itself.

If I don't use the exemption on the parent app my app fails with:
curprot cannot be write+execute

I take this to mean that the mono runtime can't do whatever JIT magic it needs.

How do I combine system extensions with curprot cannot be write+execute on the parent app?

Are you sure the entitlement is only set on the parent app? I’ve seen a lot of folks sign with --deep, which causes the entitlement to be set on all nested code (one of the reasons that --deep is Considered Harmful).

You should dump the entitlements on the built sysex, that is:

% codesign -d --entitlements :- /Applications/Your.app/Contents/Library/SystemExtensions/your.systemextension


to confirm that it’s not set on the sysex.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

I don't think I'm code signing with --deep. My build process is to use Xcode to build the system extension, letting Xcode sign it, use Visual Studio to build the main C# app, copy the extension into the right place, and then let Visual Studio sign the main app.

As far as I can tell that results in a set of commands that looks like:
# produced by xcode
/usr/bin/codesign --force --sign <redacted> --timestamp -o runtime --entitlements "path/to/extension/entitlements" --requirements <a bunch of stuff xcode generated looking for my team ID in certs?> "path/to/systemextension"
# produced by visual studio
/usr/bin/codesign -v --force --timestamp --sign <redacted> "path/to/library1.dylib"
/usr/bin/codesign -v --force --timestamp --sign <redacted> "path/to/library2.dylib"
...
/usr/bin/codesign -v --force -o runtime --timestamp --sign <redacted> --entitlements "path/to/app/entitlements" "path/to/app"


I don't see a codesign invocation that uses --deep, outside of a verify produced automatically by visual studio:
/usr/bin/codesign --verify -vvvv --deep "path/to/app"
path/to/my.app: valid on disk
path/to/my.app: satisfies its Designated Requirement


Checking the main app with:
codesign -d --entitlements :- /path/to/main/app

yields:
Executable=/path/to/main/app
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>TEAM_ID.APP_ID</string>
<key>com.apple.developer.team-identifier</key>
<string>TEAM_ID</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
</array>
<key>com.apple.developer.networking.vpn.api</key>
<array>
<string>allow-vpn</string>
</array>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.security.app-sandbox</key>
<false/>
<key>com.apple.security.application-groups</key>
<array>
<string>TEAM_ID.group.GROUP_ID</string>
</array>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>


And the extension inside:
codesign -d --entitlements :- /path/to/main/app/Contents/Library/SystemExtensions/app.id.myextension.systemextension/

yields:
Executable=/path/to/main/app/Contents/Library/SystemExtensions/app.id.myextension.systemextension/
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>TEAM_ID.EXTENSION_APP_ID</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
</array>
<key>com.apple.developer.networking.vpn.api</key>
<array>
<string>allow-vpn</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>TEAM_ID</string>
<key>com.apple.security.app-sandbox</key>
<false/>
<key>com.apple.security.application-groups</key>
<array>
<string>TEAM_ID.group.GROUP_ID</string>
</array>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>


Going by this, com.apple.security.cs.allow-jit only shows up on the main app.

Running this app yields:
default 09:57:12.989932-0400 kernel mac_vnode_check_signature: /path/to/main/app: code signature validation failed fatally: When validating /path/to/main/app:
Hardened Runtime relaxation entitlements disallowed on System Extensions
default 09:57:12.990005-0400 kernel proc 4177: load code signature error 4 for file "MyApp"
default 09:57:12.991868-0400 kernel Security policy would not allow process: 4177, /path/to/main/app

Going by this, com.apple.security.cs.allow-jit only shows up on the main app.

Indeed.

I was talking with another developer about exactly this issue today. It turns out that this is the result of a specific security check in the system. com.apple.developer.networking.networkextension is on a list of entitlements that are used by system extensions and com.apple.security.cs.allow-jit is on a list of entitlements not allowed in system extensions, and your app happens to have both. IMO this check makes sense in the context of the sysex itself but it doesn’t make sense in the context of an app, and it sounds like you agree (-:

Given that you have a good reason to be using com.apple.security.cs.allow-jit in your main app, I think it’s bug report time. Please post your bug number, just for the record.

As to how you can work around this, I don’t see any good options )-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
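An added example, not code from the thread or from Apple, that does the two things Quinn's replies above describe: it dumps the entitlements of the app and of every nested .systemextension with the same `codesign -d --entitlements :-` invocation the thread uses, and it flags any single binary that carries both a system-extension entitlement and a Hardened Runtime relaxation entitlement, which is the combination that trips the "relaxation entitlements disallowed on System Extensions" check. The thread names exactly one entitlement from each list (com.apple.developer.networking.networkextension and com.apple.security.cs.allow-jit); the other entries in the two sets below are my assumption, taken from Apple's documented com.apple.security.cs.* relaxations and the other system-extension families, and are easy to trim. The embedded sample plists are constructed from the dumps posted earlier in the thread so the check can be exercised without a Mac; note that a `<false/>` value or an empty array does not count as the entitlement being granted, which a plain grep for the key name would get wrong.

```python
"""Audit an app bundle and its nested system extensions for the entitlement
combination this thread describes: a system-extension entitlement and a
Hardened Runtime relaxation entitlement on the same binary."""
import plistlib
import subprocess
import sys
from pathlib import Path

# Hardened Runtime relaxation entitlements. The thread names allow-jit; the
# rest are Apple's other documented com.apple.security.cs.* relaxations
# (assumption: the system check covers the family, not only allow-jit).
RELAXATION_ENTITLEMENTS = frozenset({
    "com.apple.security.cs.allow-jit",
    "com.apple.security.cs.allow-unsigned-executable-memory",
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.disable-executable-page-protection",
    "com.apple.security.cs.debugger",
})

# Entitlements that mark a binary as system-extension related. The thread
# names networkextension; the other two entries are my assumption.
SYSEX_ENTITLEMENTS = frozenset({
    "com.apple.developer.networking.networkextension",
    "com.apple.developer.endpoint-security.client",
    "com.apple.developer.driverkit",
})

# Constructed samples, abridged from the entitlement dumps in the thread.
SAMPLE_APP_ENTITLEMENTS = b"""Executable=/path/to/main/app
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.developer.networking.networkextension</key>
<array><string>packet-tunnel-provider-systemextension</string></array>
<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.developer.system-extension.install</key><true/>
<key>com.apple.security.app-sandbox</key><false/>
</dict></plist>"""

SAMPLE_SYSEX_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.developer.networking.networkextension</key>
<array><string>packet-tunnel-provider-systemextension</string></array>
<key>com.apple.security.app-sandbox</key><false/>
</dict></plist>"""


def _is_set(value):
    """<false/> and empty arrays do not count as the entitlement being granted."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (list, dict)):
        return len(value) > 0
    return value is not None


def parse_entitlements(blob):
    """Parse codesign's entitlement output into a dict. codesign also emits an
    'Executable=...' line and, without the ':' prefix, a binary blob header;
    skipping to the first '<?xml' makes the parser tolerant of both."""
    start = blob.find(b"<?xml")
    if start < 0:
        return {}
    return plistlib.loads(blob[start:])


def find_conflicts(entitlements):
    """Return every (sysex_entitlement, relaxation_entitlement) pair that is
    set on the same binary; an empty list means the binary is clean."""
    sysex = sorted(k for k, v in entitlements.items()
                   if k in SYSEX_ENTITLEMENTS and _is_set(v))
    relax = sorted(k for k, v in entitlements.items()
                   if k in RELAXATION_ENTITLEMENTS and _is_set(v))
    return [(s, r) for s in sysex for r in relax]


def dump_entitlements(path):
    """macOS only: run the codesign invocation from the thread."""
    proc = subprocess.run(["codesign", "-d", "--entitlements", ":-", str(path)],
                          capture_output=True, check=True)
    return parse_entitlements(proc.stdout)


def audit_bundle(app_path):
    """Check the app and each nested .systemextension; maps path -> conflicts."""
    app = Path(app_path)
    sysex_dir = app / "Contents" / "Library" / "SystemExtensions"
    targets = [app] + sorted(sysex_dir.glob("*.systemextension"))
    return {str(t): find_conflicts(dump_entitlements(t)) for t in targets}


def demo():
    """Offline run over the constructed samples (no codesign needed)."""
    return {
        "app": find_conflicts(parse_entitlements(SAMPLE_APP_ENTITLEMENTS)),
        "sysex": find_conflicts(parse_entitlements(SAMPLE_SYSEX_ENTITLEMENTS)),
    }


if __name__ == "__main__":
    results = audit_bundle(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, conflicts in results.items():
        print(path, "OK" if not conflicts else
              "CONFLICT " + ", ".join(f"{s} + {r}" for s, r in conflicts))
    sys.exit(1 if any(results.values()) else 0)
```

Run it as `python3 audit.py /path/to/Your.app` on a Mac to audit a built bundle, or with no argument to see the constructed samples flagged: the app sample reproduces the thread's situation (networkextension plus allow-jit on one binary) and the sysex sample comes back clean. On recent macOS, `codesign -d --entitlements - --xml` yields the same XML if the `:-` form stops producing it; the parser only relies on finding `<?xml` in whatever codesign writes.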

Thanks for the assistance, eskimo.

I've submitted a bug report via feedback assistant, FB8625465.

Hi @jeffrey256,
any news on your Feedback Assistant report?
I'm in the same situation.