ClientApp disconnect from SystemExtension when signed

hi

I developed an app that has an HID system extension. In debug mode everything works fine: the extension is installed, and the app connects to it and works. But when I signed the app, everything was ruined: the app can install the system extension but can't connect to it.

system extension entitlements

<key>com.apple.developer.driverkit</key>
<true/>
<key>com.apple.developer.driverkit.family.hid.device</key>
<true/>
<key>com.apple.developer.driverkit.family.hid.eventservice</key>
<true/>
<key>com.apple.developer.driverkit.family.hid.virtual.device</key>
<true/>
<key>com.apple.developer.driverkit.transport.hid</key>
<true/>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>

app entitlements

<key>com.apple.developer.driverkit.userclient-access</key>
<array>
    <string>com.[TeamName].[ExtensionName]</string>
</array>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>

It seems that com.apple.developer.driverkit.userclient-access is necessary to connect to the SystemExtension, but if I don't remove it from the app entitlements, the code signature will be invalid.

part of the code that connects to the SystemExtension

#include <IOKit/IOKitLib.h>
#include <mach/mach.h>
#include <stdlib.h>
#include <syslog.h>

// Minimal context type and flags type, assumed here so the snippet compiles on its own.
typedef struct {
    io_connect_t con;
} softu2f_ctx;

typedef unsigned int softu2f_init_flags;

static const char* dextIdentifier = "[driver bundle identifier]";
// This maybe should change to com.[TeamName].[DriverName] when the app is published (I don't know).

softu2f_ctx *softu2f_init(softu2f_init_flags flags) {
    softu2f_ctx *ctx = NULL;
    io_service_t service = IO_OBJECT_NULL;
    io_iterator_t iterator = IO_OBJECT_NULL;
    kern_return_t ret;
    (void)flags;

    // The original wrote into ctx->con while ctx was still NULL; allocate it first.
    ctx = calloc(1, sizeof(*ctx));
    if (ctx == NULL) {
        syslog(LOG_WARNING, "u2f: out of memory");
        return NULL;
    }

    // Find driver.
    ret = IOServiceGetMatchingServices(kIOMasterPortDefault, IOServiceNameMatching(dextIdentifier), &iterator);
    if (ret != kIOReturnSuccess) {
        syslog(LOG_WARNING, "u2f: cant find services");
        goto fail;
    }

    // Open the first matching service and stop after one successful connection,
    // so an already-opened connection handle is not overwritten and leaked.
    while ((service = IOIteratorNext(iterator)) != IO_OBJECT_NULL) {
        ret = IOServiceOpen(service, mach_task_self(), 0, &ctx->con);
        IOObjectRelease(service);
        if (ret != kIOReturnSuccess) {
            syslog(LOG_WARNING, "u2f: cant open service");
            break;
        }
        syslog(LOG_WARNING, "u2f: opened service");
        break;
    }
    IOObjectRelease(iterator);
    iterator = IO_OBJECT_NULL;

    if (ctx->con == IO_OBJECT_NULL) {
        goto fail;
    }
    return ctx;

fail:
    if (iterator != IO_OBJECT_NULL) {
        IOObjectRelease(iterator);
    }
    free(ctx);
    return NULL;
}

Note: when the app was signed, the iterator was 0 (and it should not be).

Note: the DriverKit entitlement was granted (maybe the problem is that userclient-access is not granted).

  • my SIP is disabled and, of course, we have a DriverKit license
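A quick way to check what the signed app actually carries, as an added example that is not from the original post: dump the app's entitlements with codesign on macOS, then parse out the identifiers granted under com.apple.developer.driverkit.userclient-access so they can be compared with the dext's real bundle identifier (a mismatch here, or an entitlement missing from the provisioning profile, is the usual reason IOServiceOpen fails only in the signed build). The plist paths and the identifier com.example.MyDext are assumed names.

```shell
#!/bin/sh
# Added example (not from the original post). On macOS, produce the input with:
#   codesign -d --entitlements :- /path/to/MyApp.app > /tmp/app-entitlements.plist
# The parser itself only needs POSIX awk/grep, so it can be checked offline.

# Print, one per line, the identifiers listed under the app's
# com.apple.developer.driverkit.userclient-access entitlement.
userclient_access_ids() {   # $1 = entitlements plist (XML)
    awk '
        /<key>com\.apple\.developer\.driverkit\.userclient-access<\/key>/ { want = 1; next }
        want && /<array>/   { inarr = 1; next }
        want && /<\/array>/ { exit }
        inarr && /<string>/ {
            sub(/^[ \t]*<string>/, ""); sub(/<\/string>[ \t]*$/, ""); print
        }
    ' "$1"
}

# Succeed (exit 0) only when the dext bundle identifier ($2) is granted
# by the app entitlements in $1; exact-match so a prefix is not enough.
app_grants_dext() {
    userclient_access_ids "$1" | grep -qxF "$2"
}

# Usage on macOS (assumed paths; the dext's own Info.plist is the source of truth):
#   dext_id=$(defaults read /path/to/MyApp.app/Contents/Library/SystemExtensions/com.example.MyDext.dext/Contents/Info CFBundleIdentifier)
#   app_grants_dext /tmp/app-entitlements.plist "$dext_id" && echo "granted" || echo "NOT granted"
```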
