Termination Reason: CODESIGNING (provisioning profile without Xcode)

Hi,

I've recently successfully signed and notarized my application. My application is written in Python, so I am unable to use the Xcode workflow and instead use PyInstaller to package, followed by the codesign command:

codesign --deep --force --options=runtime --entitlements entitlements.plist --sign developer-id-hash --timestamp network_visualizer.app

Everything works using this entitlements file when signing according to PyInstaller's specifications:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.security.cs.allow-jit</key>
	<true/>
	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
	<true/>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
</dict>
</plist>

Now, an issue occurs: even though I can sign, notarize, and distribute my application, I am losing a critical function, which is opening up a network interface for sniffing traffic (pcapy open_live function). It works on my M1 MacBook when downloaded from the Internet, but not on a friend's Intel MacBook -- same macOS Monterey. I figure it has something to do with requiring elevated permissions, so I assume that I should add additional entitlements when code signing. After some investigation I decide to try to add these additional entitlements:

	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>packet-tunnel-provider</string>
		<string>app-proxy-provider</string>
		<string>content-filter-provider</string>
	</array>

Before I can even test this, my app fails execution with Termination Reason: CODESIGNING. I then proceed to create a provisional profile through the developer.apple.com website. I successfully download and install this provisioning profile and include a copy in the app directory:

network_visualizer.app/Content/embedded.provisionprofile

The provisioning profile has the networkextension enabled and is correctly recognized using a dummy app built in Xcode. How do I get codesign to recognize the provisioning profile when signing?

I'll be helping TinkeringEngr via a different channel.

But if you're reading along at home, a good place to start with this is Resolving Trusted Execution Problems.
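
As an added example (not code from the thread or from Apple), this sketch compares the entitlements passed to codesign against the Entitlements dictionary of a decoded provisioning profile and lists the claims the profile does not cover. Both plists are constructed samples, the function names are hypothetical, and treating every com.apple.security.* key as needing no profile authorization is an assumption of the sketch.

```python
import plistlib

# Assumption for this sketch: keys under this prefix (hardened-runtime and
# sandbox entitlements) are treated as not needing profile authorization.
UNRESTRICTED_PREFIX = "com.apple.security."

# Constructed sample: the entitlements handed to `codesign --entitlements`.
CLAIMED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>packet-tunnel-provider</string>
         <string>content-filter-provider</string></array>
</dict></plist>"""

# Constructed sample: profile payload after CMS decoding, e.g. the output of
# `security cms -D -i network_visualizer.app/Contents/embedded.provisionprofile`.
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Entitlements</key>
  <dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array><string>packet-tunnel-provider</string></array>
  </dict>
</dict></plist>"""

def allowed(claim, grant):
    """True if a claimed value is covered by the profile's value."""
    if isinstance(claim, list):  # every claimed item must be covered
        grants = grant if isinstance(grant, list) else [grant]
        return all(any(allowed(c, g) for g in grants) for c in claim)
    if isinstance(grant, list):
        return any(allowed(claim, g) for g in grant)
    if isinstance(grant, str) and grant.endswith("*"):  # wildcard in profile
        return isinstance(claim, str) and claim.startswith(grant[:-1])
    return claim == grant

def unauthorized(claimed_xml, profile_xml):
    """Return {key: claimed value} for claims the profile does not cover."""
    claimed = plistlib.loads(claimed_xml)
    granted = plistlib.loads(profile_xml).get("Entitlements", {})
    return {
        key: value
        for key, value in claimed.items()
        if not key.startswith(UNRESTRICTED_PREFIX)
        and (key not in granted or not allowed(value, granted[key]))
    }

print(unauthorized(CLAIMED, PROFILE))
```

On a Mac, the two inputs would come from `codesign -d --entitlements - --xml <app>` and the `security cms` command named in the comment.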
