Application killed after entitled signature

There is a lot to unpack here but it may be good for you to open a TSI so either myself or Quinn can look at your app bundle or executable.

codesign --deep *

Do not use the --deep flag here, see this post for more information on why.

Regarding:

1/ How to know why my player is killed (an error code, message, ...)

This is usually a matter of rummaging around on the Console for clues or crash logs on what is happening.

Regarding:

2/ Do I use correctly entitlements which seem being the problem - Is entitlement file ok ? - Do I install entitlements file somewhere specific (In my mind it is useless after the signature) ?

Typically your entitlements file would live in Xcode, but since it looks like you are building and signing outside of Xcode you can include the --entitlements argument with a reference to the file as you are on the Terminal. Now, whether you are using the entitlements correctly is a whole different story and is most likely the source of your problem. Entitlement usage depends on what your app does and what it needs to function. For example, one thing that sticks out to me is you mentioned that your app plays a stream, so it may need the Network entitlements if the stream is consumed from the network:

<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>

Typically, an app would only use the client unless there is a good reason the server is entitlement is needed too.

Regarding:

3/ Perhaps entitlements I want to use have some environment constraints or prerequesites ? If so where I can find them ?

This is a vast question and goes back to what kind of functionality your app contains. This may be best handled in a TSI. Otherwise a good place to cross reference the available capabilities/entitlements for a macOS app is in Xcode by clicking on the + Capability button and just looking at the capabilities available and cross referencing them with your apps functionality.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

I agree with Matt here: It’s probably best if you open a DTS tech support incident so that we can help you one-on-one. Still, there’s a few points I’d like to make before you do that:

• Most entitlement problems like this are caused by restricted entitlements, that is, those that need to be authorised by a provisioning profile. That’s not the case here, where both the entitlements you’re using can be used by anyone at any time.

• Given that, the next most common cause of problems like this is a malformed .entitlements file. I recommend that you canonicalise it using plutil, as described in the Ensure Properly Formatted Entitlements section of Resolving Common Notarization Issues.

If this doesn’t help, open a TSI and we’ll pick thing up there.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi,

I would like to thank a lot Matt. Sorry to not reply before, but I would be sure of the solution. I did two points to sign my application:

First point, as you mentioned Matt, I removed "--deep" parameter, but that wasn't sufficient for my issue. Second point I used your format for my entitlement file. To be more accurate, my new entitlement file is :

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
</dict>
</plist>

With this two points my application runs !!

Thanks a lot Matt for your quick and good answer.

With this two points my application runs !! Thanks a lot Matt for your quick and good answer.

No problem at all, glad to help.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com