CoreMedia I/O Camera Extension Installation Error (Invalid Signature)

Hi!

I'm trying to move from a CoreMedia I/O DAL Plug-In to CoreMedia I/O camera extensions, announced in macOS 12.3. I created a test extension, placed it inside my app bundle in Contents/Library/SystemExtensions and signed it with a codesigning certificate. But when I try to install my extension from inside my app, using this code (Swift):

    func requestActivation() {
        guard case .idle = status
        else { fatalError("Invalid state") }

        print("Requesting activation of extension \"\(extensionIdentifier)\"")
        let req = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: extensionIdentifier, queue: DispatchQueue.main)
        req.delegate = self

        OSSystemExtensionManager.shared.submitRequest(req)

        status = .requested
    }

I'm getting an error:

OSSystemExtensionErrorDomain error 8: Code Signature Invalid

which is rather generic. Can anybody tell me what I am doing wrong? Or at least propose some steps to find it out?

I'm posting here entitlements and codesign output for my extension and containing application for further information.

kdg@admins-Mac-mini SystemExtensions % codesign -d --entitlements - ./com.visicom.VirtualCamera.avextension.systemextension 
Executable=/Applications/VirtualCamera.app/Contents/Library/SystemExtensions/com.visicom.VirtualCamera.avextension.systemextension/Contents/MacOS/com.visicom.VirtualCamera.avextension
[Dict]
	[Key] com.apple.security.app-sandbox
	[Value]
		[Bool] true
	[Key] com.apple.security.application-groups
	[Value]
		[Array]
			[String] 6SUWV7QQBJ.com.visicom.VirtualCamera
kdg@admins-Mac-mini /Applications % codesign -d --entitlements - ./VirtualCamera.app                                    
Executable=/Applications/VirtualCamera.app/Contents/MacOS/VirtualCamera
[Dict]
	[Key] com.apple.developer.system-extension.install
	[Value]
		[Bool] true
	[Key] com.apple.security.app-sandbox
	[Value]
		[Bool] true
	[Key] com.apple.security.application-groups
	[Value]
		[Array]
			[String] 6SUWV7QQBJ.com.visicom.VirtualCamera
	[Key] com.apple.security.files.user-selected.read-only
	[Value]
		[Bool] true
kdg@admins-Mac-mini SystemExtensions % codesign -dvvv ./com.visicom.VirtualCamera.avextension.systemextension 
Executable=/Applications/VirtualCamera.app/Contents/Library/SystemExtensions/com.visicom.VirtualCamera.avextension.systemextension/Contents/MacOS/com.visicom.VirtualCamera.avextension
Identifier=com.visicom.VirtualCamera.avextension
Format=bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1553 flags=0x10700(hard,kill,expires,runtime) hashes=37+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=25bd80657bfd6e0ab95467146c7b532817e9e520
CandidateCDHashFull sha256=25bd80657bfd6e0ab95467146c7b532817e9e5209fd50b0cb7ceef40dcfb40e8
Hash choices=sha256
CMSDigest=25bd80657bfd6e0ab95467146c7b532817e9e5209fd50b0cb7ceef40dcfb40e8
CMSDigestType=2
CDHash=25bd80657bfd6e0ab95467146c7b532817e9e520
Signature size=9006
Authority=Developer ID Application: Visicom Media Inc. (6SUWV7QQBJ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=7 Jul 2022, 21:49:32
Info.plist entries=23
TeamIdentifier=6SUWV7QQBJ
Runtime Version=12.3.0
Sealed Resources version=2 rules=13 files=0
Internal requirements count=1 size=200
kdg@admins-Mac-mini /Applications % codesign -dvvv ./VirtualCamera.app 
Executable=/Applications/VirtualCamera.app/Contents/MacOS/VirtualCamera
Identifier=com.visicom.VirtualCamera
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1989 flags=0x10700(hard,kill,expires,runtime) hashes=51+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=31e15fbbd436a67a20c5b58c597d8a4796a67720
CandidateCDHashFull sha256=31e15fbbd436a67a20c5b58c597d8a4796a6772020308fb69f4ee80b4e32788b
Hash choices=sha256
CMSDigest=31e15fbbd436a67a20c5b58c597d8a4796a6772020308fb69f4ee80b4e32788b
CMSDigestType=2
CDHash=31e15fbbd436a67a20c5b58c597d8a4796a67720
Signature size=9006
Authority=Developer ID Application: Visicom Media Inc. (6SUWV7QQBJ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=7 Jul 2022, 21:58:09
Info.plist entries=20
TeamIdentifier=6SUWV7QQBJ
Runtime Version=12.3.0
Sealed Resources version=2 rules=13 files=4
Internal requirements count=1 size=188

Thanks in advance!

Any ideas? Please help!

Did you notarise your app?

You are signing your app with Developer ID. System extensions signed with Developer ID must be notarised before they’ll load [1]. That’s one of many reasons [2] why it’s better to use Apple Development for day-to-day development, and reserve Developer ID for products you intend to distribute.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Assuming you have SIP enabled.

[2] For more about this, see my posts on this thread.

Thank you for the reply, Quinn!

Yes, the app was not notarized, but after I notarized it, Camera Extension was successfully installed. So the problem is solved.

It's useful to know this difference between Developer ID and Apple Development certificates. I didn't find this information in the Apple docs; perhaps I didn't look carefully enough.

While we are here, may I ask another related question? If I don't include a provisioning profile in the app bundle (which contains the Camera Extension inside), I get an error "Application can't be opened" when I try to launch the application under macOS 12.4. A crash report is generated, which contains the following basic information (I can post a complete report if needed):

Exception Type:  EXC_CRASH (SIGKILL (Code Signature Invalid))
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note:  EXC_CORPSE_NOTIFY
Termination Reason: CODESIGNING 1 

Highlighted by Thread:  0

Backtrace not available

No thread state (register information) available

Binary Images:
Binary images description not available

Error Formulating Crash Report:
_dyld_process_info_create failed with 6
dyld_process_snapshot_get_shared_cache failed
Failed to create CSSymbolicatorRef - corpse still valid ¯\_(ツ)_/¯
thread_get_state(PAGEIN) returned 0x10000003: (ipc/send) invalid destination port
thread_get_state(EXCEPTION) returned 0x10000003: (ipc/send) invalid destination port
thread_get_state(FLAVOR) returned 0x10000003: (ipc/send) invalid destination port

EOF

However, if I put embedded.provisionprofile into the bundle or install it locally, the app is launched and Camera Extension is successfully installed.

So the question is why the provisioning profile is necessary here? Note that this is only for the application that contains and installs Camera Extension, otherwise it's not needed. Also is there any way to achieve the same without embedding the provisioning profile?

> So the question is why the provisioning profile is necessary here?

On platforms other than the Mac, a provisioning profile is needed to authorise the execution of any third-party code. On the Mac it’s only needed if the code uses restricted entitlements. See TN3125 Inside Code Signing: Provisioning Profiles for a definition of that term.

In the case of the CMIO extension’s container app, it needs to claim the com.apple.developer.system-extension.install entitlement, which is restricted, which requires an embedded profile to authorise it.

> The crash report is generated, which contains the following basic information

If you’re curious about this and other trusted execution failures, see my Resolving Trusted Execution Problems cluster of posts.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
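The two prerequisites explained in the replies above (a Developer ID signature requires notarisation before the extension will load, and a restricted entitlement requires an embedded provisioning profile) can be checked from `codesign` output before attempting activation. This is an added example, not code from the thread: the sample text is constructed in the format of the output posted above with placeholder names and team ID, and `RESTRICTED` lists only the entitlement the thread names as restricted.

```python
import re

# Constructed sample: trimmed `codesign -dvvv` and `codesign -d --entitlements -`
# output in the format shown in the thread (placeholder identifier and team ID).
SAMPLE_SIGNATURE = """\
Identifier=com.example.VirtualCamera
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
SAMPLE_ENTITLEMENTS = """\
[Dict]
\t[Key] com.apple.developer.system-extension.install
\t[Value]
\t\t[Bool] true
\t[Key] com.apple.security.app-sandbox
\t[Value]
\t\t[Bool] true
"""

# Assumption: only the entitlement the thread calls restricted; see TN3125 for others.
RESTRICTED = {"com.apple.developer.system-extension.install"}

def leaf_authority(signature_text):
    """Return the first Authority= line (the signing certificate), or None."""
    m = re.search(r"^Authority=(.+)$", signature_text, re.MULTILINE)
    return m.group(1).strip() if m else None

def entitlement_keys(entitlements_text):
    """Collect every [Key] name from the [Dict]/[Key]/[Value] dump."""
    return set(re.findall(r"^\s*\[Key\]\s+(\S+)\s*$", entitlements_text, re.MULTILINE))

def preflight(signature_text, entitlements_text, has_embedded_profile):
    """List which of the thread's two prerequisites apply to this signature."""
    findings = []
    leaf = leaf_authority(signature_text)
    if leaf is None:
        findings.append("no Authority line found in signature output")
    elif leaf.startswith("Developer ID Application:"):
        findings.append("Developer ID signature: notarise before activating the extension")
    restricted = sorted(entitlement_keys(entitlements_text) & RESTRICTED)
    if restricted and not has_embedded_profile:
        findings.append("restricted entitlement without embedded profile: " + ", ".join(restricted))
    return findings

if __name__ == "__main__":
    for line in preflight(SAMPLE_SIGNATURE, SAMPLE_ENTITLEMENTS, has_embedded_profile=False):
        print(line)
```

On a Mac, pass the real output of the two `codesign` commands shown in the question instead of the samples, and set `has_embedded_profile` according to whether the bundle contains `embedded.provisionprofile`.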

@eskimo, OK, thank you for the good explanation.

Hi @kdg82 ,

Have you had any success with your issue?

I am also getting the same issue as you mentioned.

Please help.

If you are having trouble getting your Camera Extension app to notarize with a Developer ID certificate, then follow the instructions in this excellent post from Quinn "The Eskimo".

Doing what the Eskimo said got me my app up and running.

You can skip "Entitlement Matters" and "Xcode Issues" since these deal with building a Network extension. Instead, focus on the sections starting at "Re-sign the App".

The key is to make Developer ID profiles not only for your app, but for the camera extension as well, and to copy these into your app and camera extension as discussed below "replace the embedded provisioning profiles with their Developer ID profiles variants."

I hope that helps someone save the three days of head scratching and research I lost on this topic.

Good Luck!
