DriverKit, Local Signing, and gap between macOS & iPadOS

So I am completely unable to follow the instructions in the DriverKit/UserClient sample app and run on macOS successfully. Xcode 14.1. The instructions to sign locally don't match this version of Xcode. The client crashes when it has an entitlement for user client access.

However, I can get the same code to sign and run on an iPad without requesting additional security entitlements.

If this is related to entitlements for macOS, why the inconsistency with iPadOS? The same security considerations should be in play. If it is possible to run on iPadOS without additional granted security, why not on macOS?

Replies

DriverKit has different access control mechanisms on macOS and iOS [1]. You can see a list of relevant entitlements in the Entitlements section of the main DriverKit page.

These are all restricted entitlements, which means that their use must be authorised by a provisioning profile [2]. For the iOS entitlements, any developer can gain this authorisation for development only by using Xcode or the Developer website to set capabilities on their App ID. That’s not the case for the macOS ones. On macOS, some entitlements work like they do on iOS but some entitlements must be authorised by Apple even for development work.

This can be very confusing, so let me walk you through an example. Let’s say you’re creating a DriverKit driver that publishes a user client and you want any program to be able to access that user client. On iOS you need the com.apple.developer.driverkit.allow-third-party-userclients entitlement. If you go to the Developer website and edit your App ID, you’ll see the following under the Capabilities tab:

I’ve clicked on the info button next to the capability to show its scope. Note that:

  • It’s restricted to iOS.

  • It’s available for development and deployment.

That last point seems to contradict my earlier statement, that this stuff is for development only, but that’s only true at this micro level. All DriverKit development requires another entitlement, the main com.apple.developer.driverkit one, and if you click on the info button next to that one you’ll see that it’s only available for development:

The upshot is this: on iOS you can develop a DriverKit driver with a ‘universal’ user client without applying for any additional capabilities.

And that brings us to macOS. You’ll note from the above that com.apple.developer.driverkit is available for development on macOS. However, macOS uses a different entitlement for user client access, namely the com.apple.developer.driverkit.allow-any-userclient-access entitlement. If you work through the list under the Capabilities tab, you’ll see that none of them enable this entitlement. To authorise a claim to that entitlement, you need to apply for and be granted an additional capability:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, iPadOS, I guess.

[2] For more background on that, see TN3125 Inside Code Signing: Provisioning Profiles.
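A check for the situation the reply above describes, a signature that claims a restricted entitlement its provisioning profile does not authorise (added example, not part of the thread or of Apple's sample code). The sample plists are constructed, and treating every `com.apple.developer.*` key as restricted is a simplifying assumption of this sketch.

```python
import plistlib

# Assumption of this sketch: keys under this prefix are the restricted
# entitlements that a provisioning profile must authorise.
RESTRICTED_PREFIX = "com.apple.developer."

def _covers(allowed, claimed):
    """True if the profile's value for a key covers the value the signature claims."""
    if isinstance(claimed, list):
        return all(_covers(allowed, c) for c in claimed)
    if isinstance(allowed, list):
        return any(_covers(a, claimed) for a in allowed)
    if isinstance(allowed, str) and isinstance(claimed, str):
        # Profile strings may end in a wildcard, e.g. "TEAMID.*".
        return claimed == allowed or (
            allowed.endswith("*") and claimed.startswith(allowed[:-1]))
    return type(allowed) is type(claimed) and allowed == claimed

def unauthorised_claims(signed_entitlements: bytes, decoded_profile: bytes) -> list:
    """Restricted entitlements claimed by the code signature but not
    authorised by the profile's Entitlements dictionary."""
    claimed = plistlib.loads(signed_entitlements)
    authorised = plistlib.loads(decoded_profile).get("Entitlements", {})
    return sorted(
        key for key, value in claimed.items()
        if key.startswith(RESTRICTED_PREFIX)
        and (key not in authorised or not _covers(authorised[key], value)))

# Constructed inputs. On a real Mac the first plist comes from
#   codesign -d --entitlements - --xml <app or dext>
# and the second from
#   security cms -D -i <bundle>/Contents/embedded.provisionprofile
SAMPLE_SIGNED = plistlib.dumps({
    "com.apple.developer.driverkit": True,
    "com.apple.developer.driverkit.allow-any-userclient-access": True,
    "com.apple.security.app-sandbox": True,   # not restricted, so not checked
})
SAMPLE_PROFILE = plistlib.dumps({
    "Name": "Constructed Mac Development Profile",
    "Entitlements": {
        "com.apple.developer.driverkit": True,
        "com.apple.developer.driverkit.allow-third-party-userclients": True,
    },
})

if __name__ == "__main__":
    for key in unauthorised_claims(SAMPLE_SIGNED, SAMPLE_PROFILE):
        print("claimed but not authorised by profile:", key)
```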

Hi, I'm wondering whether this is still valid. When I'm trying to configure my entitlements on the webpage I can see that "DriverKit Allow Third Party UserClients" is now also available for macOS while I never could reveal this "Additional Capabilities" tab. That also seems to break the SimpleAudioDriver sample but I got at least the dext loaded after changing the entitlements and after I added com.apple.developer.driverkit.allow-third-party-userclients in my Xcode project (see also https://developer.apple.com/forums/thread/726576).

> I'm wondering whether this is still valid.

Things have changed, but I’m not sure how that plays into the big picture.

As you noted, DriverKit Allow Third Party UserClients is now listed as being available on macOS. This means that you can create a Mac provisioning profile that authorises the com.apple.developer.driverkit.allow-third-party-userclients entitlement.

What I don’t know is if that’s sufficient for your needs. Historically macOS drivers needed com.apple.developer.driverkit.allow-any-userclient-access. It’s possible that this has been relaxed at some point but, honestly, DriverKit isn’t something I support on a day-to-day basis.

If you get completely stuck, open a DTS tech support incident and talk to DTS’s DriverKit specialist.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for your reply. I just decided to spend one of my TSIs and filed a TSI at https://developer.apple.com/support/technical/ ...

OK, I'm still stuck with this and my TSI also doesn't make any progress. I'm only told I should read the manual, I shouldn't care about com.apple.developer.driverkit.allow-third-party-userclients and that this guy cannot help with entitlements. Also I think a really frustrating thing is that you can apply for an entitlement and get an email notification that this request will be evaluated but that's it. No further status update for weeks, neither whether it's still under evaluation nor if and why it would have been rejected.