Unsatisfied Entitlements

Code Signing Entitlements
mtnview OP
Created Mar ’22
Replies 3
Boosts 0
Views 1.2k
Participants 2

Hi. I have a problem with launching a notarized app on Catalina. Here is the dump of each command.

security cms -D -i ./foo.app/Contents/embedded.provisionprofile

        <key>Entitlements</key>
        <dict>

                                <key>com.apple.developer.system-extension.install</key>
                <true/>

                                <key>com.apple.developer.networking.networkextension</key>
                <array>
                                <string>app-proxy-provider</string>
                                <string>content-filter-provider</string>
                                <string>packet-tunnel-provider</string>
                                <string>dns-proxy</string>
                                <string>dns-settings</string>
                </array>

                                <key>com.apple.application-identifier</key>
                <string>69Q4FM6AL9.com.foo.foo-ven.filter</string>

                                <key>keychain-access-groups</key>
                <array>
                                <string>69Q4FM6AL9.*</string>
                </array>

                                <key>com.apple.developer.team-identifier</key>
                <string>69Q4FM6AL9</string>

        </dict>
        <key>ExpirationDate</key>
        <date>2023-03-17T17:17:19Z</date>
        <key>Name</key>
        <string>Mac Team Provisioning Profile: com.foo.foo-ven.filter</string>
        <key>ProvisionedDevices</key>
        <array>
                <string>2B599D97-8FEF-5882-A14B-F1DF26B8D5D7</string>
                <string>564D6794-6B4B-1320-D0BB-3E45014AF41C</string>
                <string>564D82E8-7BE0-078D-5B15-BCA5E143D1C9</string>
                <string>09782725-2944-5F56-BC1B-EE723365C425</string>
                <string>564DCBDB-1406-AE9A-4ADE-F33897B06F77</string>
                <string>87E06DD6-94FC-5268-91E6-35488508A0F7</string>
                <string>271B625C-75A3-5435-8C15-2163E942A995</string>
        </array>
        <key>TeamIdentifier</key>
        <array>
                <string>69Q4FM6AL9</string>
        </array>
        <key>TeamName</key>
        <string>foo, Inc.</string>
        <key>TimeToLive</key>
        <integer>365</integer>
        <key>UUID</key>
        <string>bd08aec0-c92e-420e-8414-a2191d228fdc</string>
        <key>Version</key>
        <integer>1</integer>
</dict>

codesign -d --entitlements :- ./foo.app

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.application-identifier</key>
        <string>69Q4FM6AL9.com.foo.foo-ven.filter</string>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
                <string>content-filter-provider</string>
        </array>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.developer.team-identifier</key>
        <string>69Q4FM6AL9</string>
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <key>com.apple.security.application-groups</key>
        <array>
                <string>69Q4FM6AL9.group.com.foo.foo_ven.filter_data</string>
        </array>
        <key>com.apple.security.files.user-selected.read-only</key>
        <true/>
</dict>

Can you help me out to figure out why my app is failing to run due to

removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Applications/fooVenFilter.app/Contents/MacOS/fooVenFilter:
      Code has restricted entitlements, but the validation of its code signature failed.
    Unsatisfied Entitlements:
Replies  3
Boosts  0
Views  1.2k
Participants  2
DTS Engineer OP
Apple
Mar ’22

Based on this and your other thread, did you start with a working content filter provider appex and are trying to get it running as a sysex? Or is this a new content filter provider?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
mtnview OP
Mar ’22

This is the entitlement that is being added by Xcode when I check network extension + Content Filter. I reverse engineered other products and it turns out what I need is content-filter-providersystemextension entitlement which I have to make change manually. LOL

0
DTS Engineer OP
Apple
Mar ’22

This is the entitlement that is being added by Xcode when I check network extension + Content Filter.

Right. The NE slice in Signing & Capabilities only knows about the appex variant of these entitlements. I encourage you to file a bug requesting that we update it to support the sysex variants as well.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
Unsatisfied Entitlements
First post date Last post date
 
 
Q