Code has restricted entitlements, but the validation of its code signature failed.

What entitlements do you have on your dext? What entitlements are included in the provisioning profile that you are signing it with? Do the two match?

Please refer to the detailed response.

system error log:

May 28 21:16:02 xianxianmeishizuode-MacBook-Pro com.apple.xpc.launchd[1] (com.apple.mdworker.shared.0B000000-0700-0000-0000-000000000000[1319]): Service exited due to SIGKILL | sent by mds[91]
May 28 21:16:06 xianxianmeishizuode-MacBook-Pro com.apple.xpc.launchd[1] (com.apple.null.driver-0x100001311[1359]): removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Library/SystemExtensions/7E4D2C05-E24F-430D-9048-DBFB508BBEE5/com.etandt.dk1.dext/com.etandt.dk1:
	  Code has restricted entitlements, but the validation of its code signature failed.
	Unsatisfied Entitlements: 
May 28 21:16:06 xianxianmeishizuode-MacBook-Pro com.apple.xpc.launchd[1] (com.apple.null.driver-0x100001311[1359]): Binary is improperly signed.

entitlements dext:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.driverkit.transport.usb</key>
	<true/>
	<key>com.apple.security.device.usb</key>
	<true/>
	<key>com.apple.developer.driverkit</key>
	<true/>
	<key>com.apple.developer.driverkit.transport.hid</key>
	<true/>
	<key>com.apple.developer.driverkit.family.hid.device</key>
	<true/>
	<key>com.apple.developer.driverkit.family.hid.eventservice</key>
	<true/>
	<key>idVendor</key>
	<integer>1636</integer>
</dict>
</plist>

Provisioning Profile Enabled Capabilities DriverKit USB Transport - VendorID, In-App Purchase

You need to match your entitlements to your provisioning profile. First, check the contents of your provisioning profile with something like security cms -D -i my.provisionprofile. That will show you the exact entitlements you have been granted under the Entitlements key. For the entitlements you've listed for your provisioning profile, it will likely look something like this:

<key>Entitlements</key>
<dict>
	<key>com.apple.developer.driverkit</key>
	<true/>
	<key>com.apple.developer.driverkit.transport.usb</key>
	<array>
		<dict>
			<key>idVendor</key>
			<integer>1234</integer>
		</dict>
	</array>
	<true/>
	<!-- More Team/Identifier Keys -->
</dict>

If you also have HID entitlements, you might also need to add those. But you can only use entitlements included in that list in the provisioning profile. Your dext's entitlements must match or be a subset of the entitlements in your provisioning profile. It cannot include any entitlements not in that provisioning profile.

Of the entitlements you've listed in your dext, there are a couple concerns:

1. com.apple.security.device.usb isn't used for dexts. That will cause your code signing to be rejected.
2. The way you've assigned your vendor ID is incorrect and needs to be formatted just as it is in your provisioning profile. Refer to the previous code block for an example of the layout.

Note that if you are matching on a HID-based device or interface, you do not need a USB vendor ID entitlement. More detail on matching to USB/HID devices can be found here: https://developer.apple.com/news/?id=zk5xdwbn

You might also find valuable information in this article on DriverKit signing: https://developer.apple.com/news/?id=c63qcok4