Code has restricted entitlements, but the validation of its code signature failed.

Hello,

I'm adding a camera extension to the existing application.

The problem is that it crashes with the following message in the console:

Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements:

However, it crashes under macOS 11.6 only. Interestingly, it works fine on other devices running macOS 12, 13 and even 11.6.1. I haven't tried it with older macOS versions, however I doubt it's going to work with them either.

Is there a way to fix this? If you need any additional information, please let me know.

codesign -d --entitlements :- /Applications/AppName.app

    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>7XXXXXXX.com.example.AppName</string>
    </array>

security cms -D -i /Applications/AppName.app/Contents/embedded.provisionprofile

    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.application-identifier</key>
        <string>7XXXXXXX.com.example.AppName</string>
        <key>keychain-access-groups</key>
        <array>
            <string>7XXXXXXX.*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>7XXXXXXX</string>
    </dict>

Replies

The App ID entitlement, com.apple.application-identifier, shows up in the allowlist within your provisioning profile but it doesn’t show up in the entitlements claimed by your app. Without that, the system can’t match your profile to your app, and thus nothing in the profile applies.

You should also claim the Team ID entitlement, com.apple.developer.team-identifier.

It looks like you’re not using Xcode to sign your app. That’s fine, but it means you take on responsibility for doing this right. One trick I use is to create a dummy Xcode project with the same bundle ID as the real app, then set up my entitlements there and see how Xcode does the signing.

Oh, and you’re not using --deep, right?

Also, why are you disabling library validation (com.apple.security.cs.disable-library-validation)? It’s probably not relevant at this stage, but it can cause grief when you start trying to pass Gatekeeper.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
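The matching rule described in the reply above (the app must claim com.apple.application-identifier and com.apple.developer.team-identifier, and every profile-gated entitlement it claims must appear in the profile's Entitlements allowlist) can be checked before launching the binary. The script below is an added example, not code from this thread or from Apple. It assumes the `codesign -d --entitlements :-` and `security cms -D -i` invocations shown in the question, treats `com.apple.developer.*` keys as the profile-gated set (an approximation; Apple's real list of restricted entitlements is not on this page), and the sample entitlement dictionaries and the team ID `ABCDE12345` are constructed to mirror the broken and fixed states posted here.

```python
"""Compare an app's claimed entitlements with its embedded provisioning profile.

Added example for the thread above; not Apple's code and not the poster's.
Reading from disk needs macOS `codesign` and `security`; the comparison
itself is pure Python so it can be run against constructed input anywhere.
"""
import fnmatch
import plistlib
import subprocess
import sys

# Without these two entitlements the system cannot match the profile to the app.
IDENTITY_KEYS = (
    "com.apple.application-identifier",
    "com.apple.developer.team-identifier",
)

# Assumption: keys with this prefix need a matching allowlist entry in the profile.
PROFILE_GATED_PREFIX = "com.apple.developer."


def read_app_entitlements(app_path):
    """Entitlements baked into the code signature (same command as in the question)."""
    out = subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                         capture_output=True, check=True).stdout
    return plistlib.loads(out)


def read_profile_allowlist(profile_path):
    """The Entitlements dict of the decoded provisioning profile."""
    out = subprocess.run(["security", "cms", "-D", "-i", profile_path],
                         capture_output=True, check=True).stdout
    return plistlib.loads(out).get("Entitlements", {})


def _permitted(value, allowed):
    """Scalar values must match exactly; array values may be covered by wildcards such as 'TEAMID.*'."""
    if isinstance(value, list):
        patterns = allowed if isinstance(allowed, list) else [allowed]
        return all(any(fnmatch.fnmatchcase(v, p) for p in patterns) for v in value)
    return value == allowed


def check_entitlements(app, allowlist):
    """Return a list of human-readable problems; an empty list means the profile applies."""
    problems = []
    for key in IDENTITY_KEYS:
        if key not in app:
            problems.append(f"app does not claim {key}; the profile cannot be matched to it")
        elif app[key] != allowlist.get(key):
            problems.append(f"{key} differs: app={app[key]!r} profile={allowlist.get(key)!r}")
    for key, value in app.items():
        if key in IDENTITY_KEYS or not key.startswith(PROFILE_GATED_PREFIX):
            continue  # hardened-runtime and sandbox keys are not allowlisted by the profile
        if key not in allowlist:
            problems.append(f"{key} is claimed but absent from the profile allowlist")
        elif not _permitted(value, allowlist[key]):
            problems.append(f"{key} value {value!r} is not permitted by profile value {allowlist[key]!r}")
    return problems


# Constructed samples mirroring the question: team ID ABCDE12345 is made up.
PROFILE_ALLOWLIST = {
    "com.apple.developer.system-extension.install": True,
    "com.apple.application-identifier": "ABCDE12345.com.example.AppName",
    "keychain-access-groups": ["ABCDE12345.*"],
    "com.apple.developer.team-identifier": "ABCDE12345",
}
BROKEN_APP_ENTITLEMENTS = {  # what the app originally claimed: no App ID, no Team ID
    "com.apple.security.device.camera": True,
    "com.apple.security.device.audio-input": True,
    "com.apple.security.cs.disable-library-validation": True,
    "com.apple.developer.system-extension.install": True,
    "com.apple.security.application-groups": ["ABCDE12345.com.example.AppName"],
}
FIXED_APP_ENTITLEMENTS = {  # after adding the two identity entitlements
    "com.apple.developer.system-extension.install": True,
    "com.apple.security.application-groups": ["ABCDE12345.com.example.AppName"],
    "com.apple.application-identifier": "ABCDE12345.com.example.AppName",
    "com.apple.developer.team-identifier": "ABCDE12345",
}

if __name__ == "__main__":
    # Usage on macOS: python3 check_profile.py /Applications/AppName.app
    app_path = sys.argv[1]
    problems = check_entitlements(
        read_app_entitlements(app_path),
        read_profile_allowlist(f"{app_path}/Contents/embedded.provisionprofile"),
    )
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Run it against the broken signature and it reports both missing identity entitlements; against the fixed one it reports nothing. It is a pre-flight check only: the kernel's decision also depends on the signing identity and the profile's validity, which this script does not verify.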

@eskimo

I've added com.apple.application-identifier and com.apple.developer.team-identifier and it works now, thanks.

Oh, and you’re not using --deep, right?

Right, I've seen your post.

Also, why are you disabling library validation (com.apple.security.cs.disable-library-validation)?

I need it to load 3rd party DAL plugins.

For other users, the final entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>7XXXXXXXX.com.example.AppName</string>
    </array>
    <key>com.apple.application-identifier</key>
    <string>7XXXXXXXX.com.example.AppName</string>
    <key>com.apple.developer.team-identifier</key>
    <string>7XXXXXXXX</string>
</dict>
</plist>