Codesign does not set correct entitlements

Hi all,

My project consists of a main application, an endpoint security extension and a FinderSync extension. When I try to build it in release mode, the FinderSync extension is getting built with the entitlements of the main app and not its own. I am not seeing this issue for endpoint security. I am signing using a "Developer ID Application" signing identity.

When I look into the build logs I am seeing that --entitlement is used in code sign and the file which is passed as the argument also has the correct entitlement.

When I tried manually running the codesign command with the --entitlement flag, I am still unable to get the correct entitlement.

Is there any difference in the way the codesign happens for the system extension and findersync?

What changes do I need to make in order to get the correct entitlement?

Thanks in advance

Answered by DTS Engineer in 680122022


I would navigate to Build Settings Tab -> Signing for each target (main app, security, findersync) and then for each Configuration (Debug, Release) compare what has been configured by Xcode, and possibly manually override what has been automatically configured.

I am signing using a "Developer ID Application" signing identity.

So, to be clear, you’ve configured each of your targets to use manual signing (Signing & Capabilities > Signing has “Automatically manage signing” off) and then manually set the Signing Certificate popup to Developer ID Application. Is that right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

Yes, it is manually set.

OK. This is not a setup I recommend. Developer ID signing identities are precious, and one consequence of that is that you should not be using them for day-to-day development. Rather, you should use a development signing identity (typically Apple Development) for your day-to-day development and only engage with Developer ID when you’re ready to distribute. Specifically, if your product is a self-contained app then you can distribute by creating an archive (Product > Archive) and then distributing from that archive.

If you follow this approach then you can typically enable automatic code signing, which makes everything much easier (-:

But when I went inside the SourceCode -> Build -> main.app -> Contents -> Plugins -> FinderSync, this one does not have the correct entitlement.

Honestly, I suspect that there’s some weirdness in your manual code signing setup that’s triggering this (a common cause is that folks add --deep to Other Code Signing Flags build setting [1]) and that switching over to automatic code signing (and clearing out any build setting overrides) will fix the problem. However, it’s hard to be sure without testing that. Which specific entitlement are you having problems with?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] FYI, I recommend against using --deep when signing products. See --deep Considered Harmful as to why.
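The check a practitioner would want before changing any signing settings is to see which entitlements each nested code item actually received, and in particular whether the FinderSync .appex ended up with a copy of the main app's entitlements, which is what `--deep` with `--entitlements` produces. The script below is an added example written for this thread; it is not Apple's code or the poster's project. It assumes the standard bundle layout (extensions under Contents/PlugIns, system extensions under Contents/Library/SystemExtensions), that `codesign -d --entitlements :- <item>` prints the entitlements as an XML plist (with `codesign -d --entitlements - --xml` tried as a fallback for newer macOS), and the sample entitlement sets in `demo()` are constructed, not taken from the poster's project.

```python
#!/usr/bin/env python3
"""Audit which entitlements each nested code item inside a .app actually got.

Added example, not code from the thread or from Apple. Assumes a standard
macOS bundle layout and that codesign can print entitlements as an XML plist.

    python3 audit_entitlements.py build/Release/main.app   # real bundle (macOS only)
    python3 audit_entitlements.py                          # constructed demo data
"""
import plistlib
import subprocess
import sys
from pathlib import Path

# Directories in which Xcode embeds nested code that `codesign --deep` would re-sign.
NESTED_DIRS = (
    "Contents/PlugIns",                   # app extensions (.appex), e.g. a Finder Sync extension
    "Contents/Library/SystemExtensions",  # .systemextension, e.g. an Endpoint Security extension
    "Contents/XPCServices",               # .xpc services
    "Contents/Library/LoginItems",        # embedded helper apps
)
BUNDLE_SUFFIXES = {".appex", ".systemextension", ".xpc", ".app"}


def parse_entitlements(blob: bytes) -> dict:
    """Parse the XML plist codesign prints; empty output means no entitlements."""
    blob = blob.strip()
    if not blob:
        return {}
    return plistlib.loads(blob)


def read_entitlements(item: Path) -> dict:
    """Dump one code item's entitlements with codesign (macOS only)."""
    attempts = (
        ["-d", "--entitlements", ":-"],          # classic form: ':' strips the blob header, XML out
        ["-d", "--entitlements", "-", "--xml"],  # newer form (assumed available on recent macOS)
    )
    last_err = b""
    for args in attempts:
        proc = subprocess.run(["codesign", *args, str(item)], capture_output=True)
        try:
            return parse_entitlements(proc.stdout)
        except Exception:          # non-plist output (e.g. the textual [Dict] dump): try next form
            last_err = proc.stderr
    raise RuntimeError(f"cannot read entitlements of {item}: {last_err.decode(errors='replace')}")


def find_nested_code(app: Path) -> list:
    """Return the nested bundles one level down inside the app."""
    found = []
    for rel in NESTED_DIRS:
        d = app / rel
        if d.is_dir():
            found.extend(p for p in sorted(d.iterdir()) if p.suffix in BUNDLE_SUFFIXES)
    return found


def audit(app_ents: dict, nested: dict) -> dict:
    """Compare every nested item's entitlements with the main app's.

    "identical to main app" is the symptom from the thread: after
    `codesign --deep --entitlements main.entitlements main.app`, each nested
    item carries the outer app's entitlements instead of its own.
    """
    verdicts = {}
    for name, ents in nested.items():
        if not ents:
            verdicts[name] = "unsigned or no entitlements"
        elif app_ents and ents == app_ents:
            verdicts[name] = "identical to main app (was --deep used?)"
        else:
            own = sorted(set(ents) - set(app_ents))
            verdicts[name] = ("own entitlements: " + ", ".join(own)) if own else "subset of main app"
    return verdicts


def demo() -> dict:
    """Run the audit over constructed entitlement sets (no codesign needed)."""
    main_app = plistlib.dumps({"com.apple.security.app-sandbox": True,
                               "com.apple.security.application-groups": ["group.example"]})
    finder_sync = main_app  # constructed: the --deep outcome, a verbatim copy of the app's set
    es_ext = plistlib.dumps({"com.apple.developer.endpoint-security.client": True})
    return audit(parse_entitlements(main_app), {
        "FinderSync.appex": parse_entitlements(finder_sync),
        "ESExtension.systemextension": parse_entitlements(es_ext),
        "Helper.xpc": parse_entitlements(b""),
    })


def main(argv: list) -> int:
    if len(argv) < 2:
        verdicts = demo()
    else:
        app = Path(argv[1])
        app_ents = read_entitlements(app)
        print(f"{app.name}: {sorted(app_ents)}")
        verdicts = audit(app_ents, {p.name: read_entitlements(p) for p in find_nested_code(app)})
    for name, verdict in verdicts.items():
        print(f"  {name}: {verdict}")
    return 1 if any(v.startswith("identical") for v in verdicts.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the FinderSync item comes back "identical to main app", that matches the answer's suspicion: remove `--deep` from Other Code Signing Flags (or switch back to automatic signing) so each target is signed with its own entitlements file; with manual signing the nested bundles must be signed before the outer app, each with its own `--entitlements` argument, rather than letting one outer `codesign` pass recurse into them.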
