I am developing a macOS application hosting a Network Extension (app proxy provider). I am signing with a Developer ID certificate to distribute outside the App Store and notarizing the host app with the following entitlements:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-proxy-provider-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>com.my-organization.my-group</string>
    </array>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
```
After notarizing the app, I am able to install and use the Network Extension.
Now I have a requirement to add the following entitlements (because I need to use some third-party native libraries which are signed ad-hoc):
```xml
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
```
As soon as I add those entitlements, the application starts crashing at startup:
```
Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid))
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: CODESIGNING 1 Taskgated Invalid Signature
Triggered by Thread: 0
Thread 0 Crashed:
0 ??? 0x11cf78ef0 _dyld_start + 0
1 ??? 0x10f62c000 ???
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000
rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ff7b08d3b98
r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000
r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
rip: 0x000000011cf78ef0 rfl: 0x0000000000000200 cr2: 0x0000000000000000
Logical CPU: 0
Error Code: 0x00000000
Trap Number: 0
Binary Images:
0x11cf74000 - 0x11d00bfff ??? (*) <bba77709-6cad-3592-ab03-09d0f7b8610e> ???
0x10f62c000 - 0x10f62dfff ??? (*) <4c4c44aa-5555-3144-a128-fba98974e1e0> ???
Error Formulating Crash Report:
dyld_process_snapshot_get_shared_cache failed
```
If I remove the `com.apple.developer.networking.networkextension` and `com.apple.developer.system-extension.install` entitlements, then the app starts but of course I cannot activate and use the Network Extension.
So my question is whether the network extension entitlements and the disable-library-validation entitlements can be used together?