com.apple.developer.endpoint-security.client in a Python executable

I have a .dylib that creates an endpoint security client using es_new_client() and subscribes to a few events.
I linked my console app with that .dylib and gave it com.apple.developer.endpoint-security.client.
The console app loads fine with SIP disabled, and the es_new_client() client is created and works successfully.

I have another console app that is an executable created with PyInstaller (compiled Python code).
If I try to load/link the endpoint security client .dylib into that Python-compiled app, it is killed by the system with "Invalid signature" in the crash log. I verified the endpoint-security, app, group etc. entitlements and they are correctly set. But the app cannot launch.
I wonder if there are special requirements that a Python executable cannot satisfy to be entitled as endpoint-security.client?

Replies

Does your Python executable have the hardened runtime enabled? That’s required for ES clients.

Does your Python executable use any hardened runtime exception entitlements? Those are not allowed in ES clients.

Beyond that, it’s hard to say. Normally when the system refuses to run a process it will leave a clue as to what the problem is in the system log, but that can be hard to find. If you can’t track it down, open a DTS tech support incident and I can take a look.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
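The two conditions in the reply above can be checked against an executable's entitlements plist. The script below is an added example, not code from the thread or from Apple; the two sample plists are constructed, and the exception list is the set of com.apple.security.cs.* hardened-runtime exception entitlements.

```shell
#!/bin/sh
# Added example (not from the thread or from Apple): audit an entitlements
# plist for the two conditions in the reply above: the ES client entitlement
# is present, and no hardened-runtime exception (com.apple.security.cs.*)
# entitlement is present.  On macOS the plist comes from:
#   codesign -d --entitlements :- /path/to/executable
# The hardened runtime itself is a signing flag, not an entitlement; check it
# with:  codesign -dvv /path/to/executable 2>&1 | grep runtime

ES_CLIENT_KEY="com.apple.developer.endpoint-security.client"
# Hardened-runtime exception entitlements that are not allowed in ES clients
EXCEPTION_KEYS="com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.cs.disable-library-validation
com.apple.security.cs.disable-executable-page-protection
com.apple.security.cs.debugger"

# has_true_key FLAT_PLIST KEY: succeeds if KEY is present and set to <true/>
has_true_key() {
    printf '%s' "$1" | grep -q "<key>$2</key>[[:space:]]*<true/>"
}

# check_es_entitlements: reads plist XML on stdin, prints findings,
# returns 0 if acceptable for an ES client, 1 otherwise
check_es_entitlements() {
    flat=$(tr -d '\n')        # flatten so key and value can be matched together
    rc=0
    if has_true_key "$flat" "$ES_CLIENT_KEY"; then
        echo "ok: $ES_CLIENT_KEY"
    else
        echo "missing: $ES_CLIENT_KEY"; rc=1
    fi
    for k in $EXCEPTION_KEYS; do
        if has_true_key "$flat" "$k"; then
            echo "not allowed in an ES client: $k"; rc=1
        fi
    done
    return $rc
}

# Constructed sample plists (not taken from any real binary)
GOOD_PLIST='<plist version="1.0"><dict>
<key>com.apple.developer.endpoint-security.client</key><true/></dict></plist>'
BAD_PLIST='<plist version="1.0"><dict>
<key>com.apple.developer.endpoint-security.client</key><true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/></dict></plist>'

printf '%s\n' "$GOOD_PLIST" | check_es_entitlements   # ok, exit status 0
printf '%s\n' "$BAD_PLIST" | check_es_entitlements || echo "exit status $?"   # 1
```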
Thanks, Quinn!

Yes, the executable is correctly entitled, has hardened runtime and no exceptions.

Here is what I see in the console when I try to execute it from the terminal:

Code Block
amfid /Library/Application Support/Path/to/executable signature not valid: -67050
kernel proc 24873: load code signature error 4 for file "executable"
kernel ASP: Security policy would not allow process: 24873, /Library/Application Support/Path/to/executable

And the rest is a crash report generation which contains only this:

Code Block
Process: executable [24873]
Path: /Library/Application Support/Path/*/executable
Identifier: executable
Version: ???
Code Type: X86-64 (Native)
Parent Process: ??? [24872]
Responsible: Terminal [20782]
User ID: 0
Date/Time: 2020-10-09 19:38:06.356 -0700
OS Version: Mac OS X 10.16 (20A5384c)
Report Version: 12
Anonymous UUID: BE0CE7B3-DC87-D815-8080-E239397792B1
Sleep/Wake UUID: 4FC733F9-E1AF-4E83-A763-D37E3DB3757C
Time Awake Since Boot: 97000 seconds
System Integrity Protection: enabled
Crashed Thread: Unknown
Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 0x1
kernel messages:
Backtrace not available
Unknown thread crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000
rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ffedfe50c30
r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000
r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
rip: 0x000000011699e000 rfl: 0x0000000000000200 cr2: 0x0000000000000000
Logical CPU: 0
Error Code: 0x00000000
Trap Number: 0
Unknown thread instruction stream not available.
Unknown thread last branch register state not available.
Binary images description not available
External Modification Summary:
Calls made by other processes targeting this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by all processes on this machine:
task_for_pid: 6832793
thread_create: 0
thread_set_state: 0


I believe the following has some relevance to the issue.
The executable is built and signed using the macOS 10.11 SDK with a minimum supported version of macOS 10.7, so the signature contains both SHA-1 and SHA-256 entries.
There are 2 processes launched from the binary. I'm not sure how Python implements that, but the parent process might be fork()-ing itself in order to run the interpreter or something like that (
Process: executable [24873]
Parent Process: ??? [24872]
Responsible: Terminal [20782]), and it's the child process that is being killed.
Could that be an issue? And if so, is there any way to make the OS accept it for launch?

Any input greatly appreciated!


I have tried this on macOS 11.0 Beta 9, but the same behaviour is observed on 10.15.6 Catalina as well.
Are you trying to run this executable directly from Terminal? That won’t work, even for native code, because the process inherits a whole bunch of context from the GUI login session that Terminal is running in. An ES client must be started either as a launchd daemon or be packaged as a system extension.

In the former case, make sure to read Packaging a Daemon with a Provisioning Profile.

Frankly, I think it’d behoove you to get this working from native code first, then try adding Python into the mix.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Yes, I am running it from Terminal with SIP disabled.
And if the container is written in C/C++/Obj-C, everything works.
However, if the container is a compiled Python tool, then it doesn't even get to run anything.
It is killed on start-up!
When I removed the "endpoint-security" entitlement, the Python tool runs but (apparently because of the lack of the entitlement) fails to create the es_client.

Any ideas?

Yes I am running it from Terminal with SIP disabled.

This isn’t a supported approach. Your ES client must be started by the system, either as an ES sysex or as a launchd daemon. In the latter case, you need to put it in app-like packaging, per my previous post.

If your code continues to crash when started in a supported fashion, please post the resulting crash report (use the paperclip icon to attach it as a text attachment) and I’ll take a deeper look.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Thanks Quinn,

Here is the crash log for the Python-compiled ES client packaged as a daemon according to your other post https://developer.apple.com/forums/thread/129596.



If I remove the endpoint-security entitlement, then it loads without crashing but apparently is not able to create the ES client.