Proper way to notarize app with endpoint security entitlement for SIP enabled environment

Hello,

We finally got our endpoint security client entitlement from Apple so we would like to test the notarization process.
As I understand below are the required steps:
  1. Create provisioning profile for container app with es client entitlement

  2. Use the profile in xcode

  3. Build and sign the app with Xcode

  4. (here I am not sure) Zip the app and run it through xcrun for notarization

  5. Staple the app

With the steps above, I enable SIP and try to install the system extension by getting the app in /Applications and double-clicking it.
I get the usual "Extension blocked" message, go to the settings and authorize the app.
I can see that the extension has been activated with "systemextensionsctl list", but I get a crash report for the es client with code EXC_CRASH (Code Signature Invalid):
Termination reason: Namespace CODESIGNING, Code 0x1

So I am guessing the signing or notarization process is not right. My es client has a .entitlements file, but I am not seeing an embedded entitlement file in the .systemextension bundle.
Should I notarize the es client as well? Or maybe the build process does not link the entitlement for my es client? In my build setting I have the correct path for "Code Signing Entitlements".

Any help would be welcomed! Thank you!

Answered by DTS Engineer in 640963022
First things first, entitlements:
  • The container app must have the com.apple.developer.system-extension.install entitlement. You can set this using Xcode’s Signing & Capabilities editor and automatic code signing will sort out the profile.

  • Your ES sysex must have the com.apple.developer.endpoint-security.client entitlement. This requires manual code signing. I don’t have specific instructions for this but the general idea is outlined in the Old Process post on this thread.

As to how you notarise this, if you’re building from Xcode you can notarise from the Xcode Organizer. Whether you should do that depends on your final distribution strategy. If you distribute your app as a simple app in a zip archive, this approach is easiest. If not, it’s probably best to package and notarise your product from the command line. See my Signing a Mac Product For Distribution post for info on that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
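A small check for the two entitlements named in the answer above, added here as an example (not code from the thread or from Apple): it parses an entitlements plist and reports which required keys are absent or not set to true, and includes a helper that dumps what is actually embedded in a signed bundle. The helper assumes `codesign -d --entitlements :- <path>` prints an XML plist on macOS; the sample plist is constructed for the demonstration.

```python
"""Verify that a container app and its Endpoint Security system extension
declare the entitlements the DTS answer lists (added example, not Apple code)."""
import plistlib
import subprocess

# Container app: allowed to install system extensions.
APP_ENTITLEMENT = "com.apple.developer.system-extension.install"
# ES sysex: allowed to act as an Endpoint Security client (restricted entitlement).
ES_ENTITLEMENT = "com.apple.developer.endpoint-security.client"


def missing_entitlements(plist_bytes, required):
    """Return the required keys that are absent or not set to <true/>."""
    ents = plistlib.loads(plist_bytes)
    return [key for key in required if ents.get(key) is not True]


def embedded_entitlements(bundle_path):
    """Dump the entitlements actually embedded in a signed bundle (macOS only).

    Assumption: `codesign -d --entitlements :- <path>` prints the entitlements
    as an XML plist on stdout, so the result can be fed to missing_entitlements().
    Useful for comparing the .entitlements file in Xcode with what got signed in.
    """
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", bundle_path],
        check=True, capture_output=True)
    return result.stdout


# Constructed sample: a sysex entitlements plist that carries only the install
# key, so the Endpoint Security client entitlement is reported as missing.
SAMPLE_SYSEX_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    print("container app missing:", missing_entitlements(SAMPLE_SYSEX_PLIST, [APP_ENTITLEMENT]))
    print("ES sysex missing:", missing_entitlements(SAMPLE_SYSEX_PLIST, [ES_ENTITLEMENT]))
```

On a Mac, pass `embedded_entitlements("/Applications/YourApp.app/Contents/Library/SystemExtensions/your.sysex.systemextension")` (path is a placeholder) into `missing_entitlements` to confirm the signed bundle, not just the Xcode project, carries the ES client entitlement.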
Thanks Eskimo

Your answer made me realize the error was on my part. I think I started building my sysex using a driverkit template so I could not add a provisioning profile to the extension. Using the template for a network extension it worked perfectly.
