LaunchDaemon stopped working on macOS Sonoma public beta

Question

Created Sep ’23

Replies 3

Boosts 0

Views 1.1k

Participants 2

Hello @eskimo (or whoever can help): our company builds a product which is delivered outside the app store as pkg. It contains a launch daemon which is a .NET build on an external build server and signed. Then the whole pkg is notarized.

The build server is macOS 10.15.7 (Catalina)

On macOS 13.x I can launch the daemon in Terminal without problem, but on Sonoma public beta I get "killed by Signal:9" and in Console I get: "standard 07:44:53.694349-0700 kernel ASP: Security policy would not allow process: 1377, /Library/PrivilegedHelperTools/com.ThinPrint.TPACCloud/TPACCloud.Service"

This happens on both Intel and Apple CPU VMs.

Besides, when I disable SIP the error does not show up anymore and the binary runs like a charm.

What has changed between macOS 13 and macOS 14 ?

The binary entitlements: <plist version="1.0"> <dict> <key>com.apple.security.cs.allow-jit</key> <true/> <key>com.apple.security.cs.allow-unsigned-executable-memory</key> <true/> <key>com.apple.security.cs.disable-executable-page-protection</key> <false/> <key>com.apple.security.cs.allow-dyld-environment-variables</key> <true/> <key>com.apple.security.cs.disable-library-validation</key> <true/> </dict> </plist>

The command to code sign: /usr/bin/codesign --force --options=runtime --timestamp --entitlements "#{absolutePathToEntitlement}" --sign "#{applicationCertname}" "#{tPACCLOUD_ARTEFACTS_X64}/#{item}" where #{item} are the binaries and .dylibs

Boost

Answer 1

DTS Engineer OP

Apple

Sep ’23

That’s a weird one. Looking at what you posted, the only obviously broken thing is this:

<key>com.apple.security.cs.disable-executable-page-protection</key> <false/>

The default value for this entitlement is false, so you should not try to set it to false. This is a good general rule, but it’s something we specifically call out in the Hardened Runtime docs:

The default value of these Boolean entitlements is false. When Xcode signs your code, it includes an entitlement only if the value is true. If you’re manually signing code, follow this convention to ensure maximum compatibility. Don’t include an entitlement if the value is false.

Beyond that, I recommend that you work through the steps in Resolving Trusted Execution Problems. Notably, macOS 14 beta has the new syspolicy_check tool, which might quickly reveal the source of the problem [1].

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] And if it doesn’t we should file a bug against syspolicy_check because its entire raisons d’être is to help in situations like this (-:

0

Answer 2

RobertWelz OP

Sep ’23

"syspolicy_check distribution" shows: rowel@Virtuelle-Maschine-von-Robert com.ThinPrint.TPACCloud % syspolicy_check distribution TPACCloud.Service App has failed one or more pre-distribution checks.

Notary Ticket Missing File: /Library/PrivilegedHelperTools/com.ThinPrint.TPACCloud/TPACCloud.Service Severity: Fatal Full Error: A Notarization ticket is not stapled to this application. Type: Distribution Error

I am sure I have read that Notarization tickets cannot be stapled onto simple binaries (LaunchDaemon). Am I wrong? What is the next step to take? regards, Robert

0

Answer 3

DTS Engineer OP

Apple

Sep ’23

once a posting has been sent it cannot be edited anymore

It can, but there’s a time limit (an hour maybe).

I have read that Notarization tickets cannot be stapled onto simple binaries

Correct.

Daemons usually start out embedded in an app or an installer package, and so you notarise and staple that. The system then ingests that ticket when you first run the app or installer the installer package.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0