Hi,
I'm trying to sign/notarize a command line application packaged as .pkg which accesses USB devices through libusb.
When nothing is sign/notarized everything works like a charm and the command line tool can be started without elevated mode (sudo).
Once the binary, its libraries, and the .pkg are signed (hardened runtime set) and finally notarized/stappled with success I noticed that, once the .pkg is installed, the bin/libs are owned by root:wheel. Nobody else can execute it. Means sudo is required to execute the tool, which is obviously not what I need to distribute the software to end-users...
As far as I understand I must have to configure some entitlements when invoking the codesign command. Am I wrong?
If not, before struggling with them I need some advises about which one should I select ?
- com.apple.security.app-sandbox ?
- com.apple.security.device.usb ?
- com.apple.vm.device-access (?)
- others ?
Thanks by advance for your help.
any advises are still welcomed about the entitlements
Going through your list…
com.apple.security.app-sandbox
is meant for apps, not command-line tools. If you’re distributing a standalone command-line tool — keeping in mind that you can’t do this via the Mac App Store and thus you must use independent distribution with Developer ID signing — you can’t use this.
com.apple.security.device.usb
is only relevant if you’re sandboxed, which you can’t be per the previous point.
com.apple.vm.device-access
is a managed entitlement, meaning that you need approval from Apple to use it. The entitlement is intended to be used by hypervisor apps that ship in the Mac App Store, and so is irrelevant to your product.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"