Endpoint security extension installing but getting binary is improperly signed error

Hi,
I have been trying to use the Endpoint Security extension. I am building this through Xcode and the build is successful. But when I install it, the endpoint extension throws an error saying that the binary is improperly signed.

I am doing this in a developer environment, SIP is off and developer mode is on.

I am able to see the system extension present when I run systemextension list.

The provisioning profile also contains the necessary entitlements.

Error seen in system.log:

removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Library/SystemExtensions/***

  Code has restricted entitlements, but the validation of its code signature failed.

Unsatisfied Entitlements: 

 Binary is improperly signed.

Service only ran for 0 seconds. Pushing respawn out by 10 seconds.


Have you been granted access to the com.apple.developer.endpoint-security.client special entitlement?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Yes, I have been granted access.

Hmmm. That suggests that you’ve not applied the entitlement correctly. Run these commands:

Code Block
% codesign -v -vvv --deep /path/to/your/container.app
% codesign -d --entitlements :- /path/to/your/container.app
% security cms -D -i /path/to/your/container.app/Contents/embedded.provisionprofile
% codesign -d --entitlements :- /path/to/your/container.app/Contents/Library/SystemExtensions/your.systemextension
% security cms -D -i /path/to/your/container.app/Contents/Library/SystemExtensions/your.systemextension/Contents/embedded.provisionprofile


The goal is to check that:
  • Your code is correctly signed.

  • Every entitlement claimed by your code signature is in the allowlist within the provisioning profile.

  • For both the app and the sysex.

  • Your app has the com.apple.developer.system-extension.install entitlement.

  • Your sysex has the com.apple.developer.endpoint-security.client entitlement.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
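As an added example (not from this thread and not an Apple tool), here is the comparison those commands let you do by eye, done programmatically: feed it the plist that `codesign -d --entitlements :-` prints for a bundle and the decoded profile from `security cms -D`, and it lists every entitlement the signature claims that the profile's allowlist lacks, and whether the required entitlement for the app or the sysex is claimed at all. The two plists below are constructed samples that reproduce the mismatch reported later in this thread; the team and bundle identifiers in them are placeholders.

```python
import plistlib

# Constructed sample of the plist that `codesign -d --entitlements :- <sysex>` prints
# (the leading ':' strips the blob header so plain XML comes out).
SYSEX_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.endpoint-security.client</key><true/>
  <key>com.apple.security.app-sandbox</key><false/>
</dict></plist>"""

# Constructed sample of the decoded profile (`security cms -D -i embedded.provisionprofile`),
# cut down to the keys that matter. The ES entitlement is deliberately absent from its
# allowlist, which is the situation this thread describes.
SYSEX_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>ES Sysex Dev (constructed)</string>
  <key>Entitlements</key><dict>
    <key>com.apple.application-identifier</key><string>TEAMID.com.example.sysex</string>
    <key>com.apple.security.app-sandbox</key><false/>
  </dict>
</dict></plist>"""

# The entitlement each half of the pair must claim, per the checklist above.
REQUIRED = {
    "app": "com.apple.developer.system-extension.install",
    "sysex": "com.apple.developer.endpoint-security.client",
}

def missing_from_profile(entitlements_plist: bytes, profile_plist: bytes) -> list:
    """Entitlement keys the code signature claims that the profile does not allowlist."""
    claimed = plistlib.loads(entitlements_plist)
    allowed = plistlib.loads(profile_plist).get("Entitlements", {})
    return sorted(key for key in claimed if key not in allowed)

def check_bundle(kind: str, entitlements_plist: bytes, profile_plist: bytes) -> list:
    """Findings for one bundle ('app' or 'sysex'); an empty list means it passes."""
    claimed = plistlib.loads(entitlements_plist)
    findings = []
    if claimed.get(REQUIRED[kind]) is not True:
        findings.append(f"{kind}: does not claim {REQUIRED[kind]}")
    for key in missing_from_profile(entitlements_plist, profile_plist):
        findings.append(f"{kind}: claims {key} but the profile allowlist lacks it")
    return findings

if __name__ == "__main__":
    for line in check_bundle("sysex", SYSEX_ENTITLEMENTS, SYSEX_PROFILE) or ["sysex: OK"]:
        print(line)
```

A claimed entitlement that the profile does not allowlist is exactly what produces the "Code has restricted entitlements, but the validation of its code signature failed" line in the log above.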
I'm seeing the same thing as the OP. I ran the commands from Quinn (thank you!) and it appears that the sysex is missing the com.apple.developer.endpoint-security.client entitlement in its embedded.provisionprofile. At least, it isn't present in the Entitlements section. How would I go about fixing that? Thanks!
You need to rebuild the profile to add that entitlement to its allowlist. How you do that depends on whether the ES folks are using the new or old process for special entitlements. See this thread for a discussion of those two processes and how you use them.

IMPORTANT That thread discusses the multicast special entitlement specifically, but the overall process is the same for most other special entitlements.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"