Code has restricted entitlements, but the validation of its code signature failed.

Question

ieo OP

Created Dec ’22

Replies 2

Boosts 0

Views 1.3k

Participants 2

Hello,

I'm adding a camera extension to the existing application.

The problem that it crashes with the following message in the console:

Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements:

However, it crashes under macOS 11.6 only. Interestingly, it works fine on other devices running macOS 12, 13 and even 11.6.1. I haven't tried it with older macOS versions, however I doubt it's going to work with them either.

Is there a way to fix this? If you need any additional information, please let me know.

codesign -d --entitlements :- /Applications/AppName.app

<key>com.apple.security.device.camera</key>

<true/>

<key>com.apple.security.device.audio-input</key>

<true/>

<key>com.apple.security.cs.disable-library-validation</key>

<true/>

<key>com.apple.developer.system-extension.install</key>

<true/>

<key>com.apple.security.application-groups</key>

   <array>

           <string>7XXXXXXX.com.example.AppName</string>

   </array>

security cms -D -i /Applications/AppName.app/Contents/embedded.provisionprofile

<key>Entitlements</key>

<dict>

<key>com.apple.developer.system-extension.install</key>

<true/>

<key>com.apple.application-identifier</key>

<string>7XXXXXXX.com.example.AppName</string>

<key>keychain-access-groups</key>

<array>

<string>7XXXXXXX.*</string>

</array>

<key>com.apple.developer.team-identifier</key>

<string>7XXXXXXX</string>


</dict>

Boost

Answer 1

DTS Engineer OP

Apple

Dec ’22

The App ID entitlement, com.apple.application-identifier, shows up in the allowlist within your provisioning profile but it doesn’t show up in the entitlements claimed by your app. Without that, the system can’t match your profile to your app, and thus nothing in the profile applies.

You should also claim the Team ID entitlement, com.apple.developer.team-identifier.

It looks like you’re not using Xcode to sign your app. That’s fine, but it means you take on responsibility for doing this right. One trick I use is to create a dummy Xcode project with the same bundle ID as the real app, and then set up my entitlements there and sees how Xcode does the signing.

Oh, and you’re not using --deep, right?

Also, why are you disabling library validation (com.apple.security.cs.disable-library-validation)? It’s probably not relevant at this stage, but it can cause grief when you start trying to pass Gatekeeper.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

ieo OP

Dec ’22

@eskimo

I've added com.apple.application-identifier and com.apple.developer.team-identifier and it works now, thanks.

Oh, and you’re not using --deep, right?

Right, I've seen your post.

Also, why are you disabling library validation (com.apple.security.cs.disable-library-validation)?

I need it to load 3rd party DAL plugins.

For other users, the final entitlements:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.security.application-groups</key>
       <array>
               <string>7XXXXXXXX.com.example.AppName</string>
       </array>
    <key>com.apple.application-identifier</key>
    <string>7XXXXXXXX.com.example.AppName</string>
    <key>com.apple.developer.team-identifier</key>
    <string>7XXXXXXXX</string>
</dict>
</plist>

0