Code validation fails on stand-alone executable due to restricted entitlements

I have a stand-alone executable that has the endpoint-security entitlement. It has taken a bit to get this signed because it's built using a makefile and clang++, not using Xcode.

I have copied this executable to another Mac and tried to run it, but it is getting disallowed because "no eligible provisioning profiles found".

sh-3.2# codesign --verify -vvvv -R='anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and (certificate leaf[field.1.2.840.113635.100.6.1.2] exists or certificate leaf[field.1.2.840.113635.100.6.1.4] exists)' ./protect_am
./protect_am: valid on disk
./protect_am: satisfies its Designated Requirement
test-requirement: code failed to satisfy specified code requirement(s)

So this seems to indicate it is missing the provisioning profile.

The signing seems correct:

sh-3.2# codesign -d --entitlements :- ./protect_am
Executable=/Library/Application Support/Fidelis/Endpoint/Platform/services/protect/protect_am
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.application-identifier</key>
        <string>AM********.******.protect-am</string>
        <key>com.apple.developer.endpoint-security.client</key>
        <true/>
        <key>com.apple.developer.team-identifier</key>
        <string>AM********</string>
        <key>com.apple.security.cs.allow-jit</key>
        <true/>
</dict>
</plist>

I have no idea how to get this to run. What am I missing?

This is exactly the case covered by Signing a Daemon with a Restricted Entitlement.

it's built using a makefile and clang++

Yep. To quote the end of that doc:

Or, if youʼre using an alternative build system, like a makefile, update it to create a structure that matches the one created by Xcode.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Are you saying that I need to change the way the files are stored on the target system?

Yes. For your daemon to use a restricted entitlement the entitlement must be authorised by a profile, and the only way for the system to find that profile is for you to embed your daemon in an app-like wrapper.

How do I create this provisionprofile if I'm not using xcode?

Using the developer web site.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
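The "app-like wrapper" Quinn describes, as an added example that is not part of the thread or Apple's documentation: a POSIX shell script that lays the daemon out the way Xcode would, with the profile at Contents/embedded.provisionprofile, then signs and verifies it. The bundle identifier, output directory and the four command-line inputs (daemon binary, profile downloaded from the developer web site, entitlements plist as shown above, Developer ID signing identity) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): lay the daemon out as the app-like
# wrapper Xcode creates, so the system can find the profile that authorises
# the restricted endpoint-security entitlement. Assumed inputs: the built
# daemon, an embedded.provisionprofile from the developer web site, the
# entitlements plist from the thread, and a Developer ID identity.
set -eu

# make_wrapper NAME BUNDLE_ID BINARY PROFILE OUTDIR -> prints the wrapper path
make_wrapper() {
    name=$1 bundle_id=$2 binary=$3 profile=$4 outdir=$5
    app="$outdir/$name.app"
    mkdir -p "$app/Contents/MacOS"
    cp "$binary" "$app/Contents/MacOS/$name"
    # The profile must live here; it is what binds the entitlement to the team.
    cp "$profile" "$app/Contents/embedded.provisionprofile"
    cat > "$app/Contents/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
    <key>CFBundleExecutable</key><string>$name</string>
    <key>CFBundleIdentifier</key><string>$bundle_id</string>
    <key>CFBundlePackageType</key><string>APPL</string>
    <key>CFBundleVersion</key><string>1</string>
</dict></plist>
EOF
    printf '%s\n' "$app"
}

# check_profile PROFILE KEY: decode the CMS-wrapped profile (macOS only) and
# fail unless its Entitlements dictionary carries KEY.
check_profile() {
    security cms -D -i "$1" | grep -q "<key>$2</key>"
}

# sign_wrapper APP IDENTITY ENTITLEMENTS: sign the whole wrapper (hardened
# runtime, as notarization needs), then verify and print the entitlements.
sign_wrapper() {
    app=$1 identity=$2 entitlements=$3
    codesign --force --options runtime --timestamp \
        --entitlements "$entitlements" --sign "$identity" "$app"
    codesign --verify --strict -vvvv "$app"
    codesign -d --entitlements :- "$app"
}

# Usage: sh wrap.sh <daemon> <profile> <entitlements.plist> <identity>
if [ "$#" -eq 4 ] && command -v codesign >/dev/null 2>&1; then
    app=$(make_wrapper protect_am com.example.protect-am "$1" "$2" ./build)
    check_profile "$2" com.apple.developer.endpoint-security.client
    sign_wrapper "$app" "$4" "$3"
fi
```

The launchd plist should then point at the inner executable, Contents/MacOS/protect_am, not at a loose binary.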

I have created and downloaded several profiles, but Xcode always complains that the profile does not include the signing certificate! Not sure what I'm doing wrong. I have the signing cert and private key in my keychain. What am I missing?

Hmmm, I thought you were working outside of Xcode, so I’m not sure how Xcode comes into this. Having said that, it’s quite possible that Xcode is saving you from further confusion down the line.

I recommend that you read my What exactly is a provisioning profile? post. It has a bunch of background about profiles that you’ll find useful, and it also shows how to determine which signing identities are covered by a given profile.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Part of the requirement for endpoint security is that I need to notarize the application. To do this, I am trying to create an archive and submit for validation.

OK.

Normally this is something I’d wholeheartedly recommend: Prototype in Xcode and then use those results to guide your work outside of Xcode. In this case, however, I think you’re hitting a gnarly bug related to the recently-introduced Cloud Signing feature (r. 90026719).

If you go to Developer > Account > Certificates, Identifiers & Profiles > Certificates, do you see one entry labelled Developer ID Application and a second entry labelled Developer ID Application Managed?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Having multiple Developer ID Application certificates is a concern — see my posts on this thread for the details — but it’s not the cause of this issue. Rather, the issue you’re seeing is caused by the presence of both Developer ID Application and Developer ID Application Managed. This triggers a bug (r. 90026719) in… well… it’s still debatable as to exactly what’s causing this bug… but the end result is that Xcode uses your Developer ID Application signing identity to sign your code but then ends up with a provisioning profile that only lists your Developer ID Application Managed certificate O-:

On the plus side, Xcode detects this problem, and hence the error you’re seeing. Without that the code would fail to launch, which is much harder to debug.

On the minus side, the workaround means switching to manual code signing, something that I try to avoid wherever possible.

Anyway, to work around this:

  1. Start an upload or export from the Xcode organiser as you did before.

  2. When you get to the re-sign step, choose “Manually manage signing” and click Next.

  3. Make sure your team is correct.

  4. Select the right Developer ID Application signing identity in the (poorly named) “Distribution certificate” popup.

  5. Select a provisioning profile for each code item that needs one.

  6. Click Next.

  7. Continue with the upload or export.

If in step 5, an appropriate profile isn’t available:

  1. Create one in Developer > Account > Certificates, Identifiers & Profiles > Profiles. During that process, make sure to select the Developer ID Application certificate that matches the signing identity you chose in step 4 above.

  2. Download it.

  3. Drop it on to Xcode to ingest it.

  4. Select it in the popup.

Note that, in your case, creating these profiles isn’t wasted work because you’ll need them to embed in your real product as part of the distribution process that you build on top of your existing makefile build infrastructure.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn!

I've just experienced this with Xcode Version 13.4.1 (13F100) ...

... just to say it is a pain to deal with, is an understatement! Though I really thank you for your information above.

I really don't understand exactly what I might have done to confuse the system, or indeed why the Xcode developers haven't been able to fix things?

Pete

Earlier I wrote:

This triggers a bug (r. 90026719) in… well… it’s still debatable as to exactly what’s causing this bug

The blame eventually landed on Xcode and I’ve just verified the fix in Xcode 14.3b1. Yay!

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
