com.apple.developer.endpoint-security.client in python executable

I have a .dylib that is creating an endpoint security client using esnewclient() and subscribes to few events.
I linked my console app with that .dylib and given com.apple.developer.endpoint-security.client.
The console app loads fine with SIP disabled and esnewclient() is created and works successfully.

I have another console app that is an executable created with pyinstaller (compiled python code).
If I try to load/link the endpoint security client .dylib into that python-compiled app, it is killed by the system with "Invalid signature" in the crash log. I verified endpoint-security, app, group etc entitlements and they are correctly set. But the app can not launch.
I wonder if there are special requirements that python executable can not satisfy to be entitled as endpoint-security.client?

Does your Python executable have the hardened runtime enabled? That’s required for ES clients.

Does your Python executable use any hardened runtime exception entitlements? Those are not allowed in ES clients.

Beyond that, it’s hard to say. Normally when the system refuse to run a process it will leave a clue as to what the problem is in the system log, but that can be hard to find. If you can’t track it down, open a DTS tech support incident and I can take a look.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Thanks, Quinn!

Yes, the executable is correctly entitled, has hardened runtime and no exceptions.

Here is what I see in the console when i try to execute it from the terminal:

Code Block
amfid /Library/Application Support/Path/to/executable signature not valid: -67050
kernel proc 24873: load code signature error 4 for file “executable"
kernel ASP: Security policy would not allow process: 24873, /Library/Application Support/Path/to/executable

And the rest is a crash report generation which contains only this:

Code Block
Process: executable [24873]
Path: /Library/Application Support/Path/*/executable
Identifier: executable
Version: ???
Code Type: X86-64 (Native)
Parent Process: ??? [24872]
Responsible: Terminal [20782]
User ID: 0
Date/Time: 2020-10-09 19:38:06.356 -0700
OS Version: Mac OS X 10.16 (20A5384c)
Report Version: 12
Anonymous UUID: BE0CE7B3-DC87-D815-8080-E239397792B1
Sleep/Wake UUID: 4FC733F9-E1AF-4E83-A763-D37E3DB3757C
Time Awake Since Boot: 97000 seconds
System Integrity Protection: enabled
Crashed Thread: Unknown
Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace CODESIGNING, Code 0x1
kernel messages:
Backtrace not available
Unknown thread crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000
rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ffedfe50c30
r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000
r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
rip: 0x000000011699e000 rfl: 0x0000000000000200 cr2: 0x0000000000000000
Logical CPU: 0
Error Code: 0x00000000
Trap Number: 0
Unknown thread instruction stream not available.
Unknown thread last branch register state not available.
Binary images description not available
External Modification Summary:
Calls made by other processes targeting this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by all processes on this machine:
task_for_pid: 6832793
thread_create: 0
thread_set_state: 0


I believe the following has some relevance to the issue.
The executable is built and signed using macOS 10.11 SDK with minimum supported version macOS 10.7, so the signature contains both SHA-1 and SHA-256 entries.
There are 2 processes launched from the binary, not sure how python implemented that, but the parent process might be fork()-ing itself in order to run interpreter or something like that (
Process: executable [24873]
Parent Process: ??? [24872]
Responsible: Terminal [20782]). and that's the child process is being killed.
Could that be an issue ? And if so, is there any way to make OS accept it for launch?

Any input greatly appreciated!


I have tried this on macOS 11.0 Beta 9 but the same behaviour is observed on 10.15.6 Catalina as well.
Are you trying to run this executable directly from Terminal? That won’t work, even for native code, because the process inherits a whole bunch of context from the GUI login session that Terminal is running in. An ES client must be started either as a launchd daemon or be packaged as a system extension.

In the former case, make sure to read Packaging a Daemon with a Provisioning Profile.

Frankly, I think it’d behoove you to get this working from native code first, then try adding Python into the mix.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Yes I am running it from Terminal with SIP disabled.
And if the container is written in C/C++/Obj-C, everything works.
However if the container is a compiled python tool then it doesn't even get to run anything.
It is killed on start-up!
When i removed "endpoint-security" entitlement, the python tool is running but (apparently because of the lack of the entitlement) is failing to create es_client.

Any ideas?

Yes I am running it from Terminal with SIP disabled.

This isn’t a supported approach. Your ES client must be started by the system, either as an ES sysex or as a launchd daemon. In the latter case, you need to put it in app-like packaging, per my previous post.

If your code continues to crash when started in a supported fashion, please post the resulting crash report (use the paperclip icon to attach it as a text attachment) and I’ll take a deeper look.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Thanks Quinn,

Here is the crash log for python compiled and packaged as a daemon according to your other post https://developer.apple.com/forums/thread/129596 ES client.



If I remove the endpoint-security entitlement then it loads without crash but apparently is not able to create ES client.


com.apple.developer.endpoint-security.client in python executable
 
 
Q