We would like to codesign up for the app that uses LuaJIT to be downloadable as the app with the identified developer on Apple silicon macOS. It means no targeting to the App Store which can be problematic due to LuaJIT usage.
Looks like there is no problem making the application run with the signature, but the performance is really bad.
All times are for running on an M2 chip, MacOS Sonoma 14.6.
Our x86_64 build works fine. Reference LuaJIT benchmark takes around 0.15 seconds (seed 2, 100 runs).
Same build for arm64 with ad-hoc signature, no entitlements, and needs around 1.8 seconds (seed 2, 100 runs) to run the same benchmark code.
I created luajit_app in Xcode to investigate.
It simply opens a window, you select Lua script, and it runs it and prints output to the text area.
Signed by my developer ID, run from Xcode immediately after build:
I see the same behaviors for the x86_64 build. It needs around 0.43 seconds (seed 2, 1000 runs) to finish the benchmark code.
The arm64 build without added entitlements needs around 16 seconds (seed 2, 1000 runs).
Added entitlements com.apple.security.cs.disable-executable-page-protection:
The arm64 build typically needs around 0.14 seconds (seed 2, 1000 runs).
Added entitlements com.apple.security.cs.allow-jit which fixed LuaJIT to use MAP_JIT flag:
The arm64 build typically needs around 0.14 seconds (seed 2, 1000 runs).
2nd and other app runs need around 19 seconds for benchmark.
Ad-hoc signed without developer ID and team, com.apple.security.cs.allow-jit:
Run from Xcode
The first app runs after the build/rebuild
The arm64 build typically needs around 0.14 seconds (seed 2, 1000 runs), but the first run sometimes takes around 5 seconds (seed 2, 1000 runs).
2nd and next runs of the app
The arm64 build typically needs around 19 seconds (seed 2, 1000 runs).
Bad signed, signature fix from the command line:
Signed with codesign --force --deep --sign MYID -o runtime --entitlements entitlements.plist luajit_app_bad_sign.app or AD-HOC
Behaviors are similar to Xcode runs. The first time the app runs usually takes around 5 seconds and 0.14 seconds later for benchmark script. Sometimes first benchmark runs takes 5 seconds, the second run 19 seconds and later runs take 0.14 seconds.
Later app runs typically fall to 19 seconds needed to do benchmark script.
End
I have also tried ad-hoc and the developer signature with both entitlements for the origin app, but no difference in time needs for the benchmark was observed.
Any ideas what is going on?
Entitlements
RSS for tagEntitlements allow specific capabilities or security permissions for your apps.
Post
Replies
Boosts
Views
Activity
This post is in response to the information on app groups posted here: https://developer.apple.com/forums/thread/721701
I have a multi-platform (macOS and iOS) app that uses an app group to store the Core Data database, so that extensions and widgets can also access the database.
It seems to be impossible to add an app group in Xcode that doesn't start with group.. When I use the team identifier as detailed here , Xcode prepends group. to the app group identifier.
So far, I've simply been using an app group identifier that looks like this: group.com.example.MyAppName. This has worked on macOS and iOS. However, I noticed that when the app launches on macOS 15, the user is shown a dialog that says " would like to access data from other apps." If the user selects "Don't Allow", the app will crash, since it can't access the Core Data database located in the app group directory.
How can I work around this, considering that this is a multi-platform app, and both the iOS and macOS versions need to store the Core Data database in the app group directory? What is the proper way to configure app groups for multi-platform apps?
We have a cross platform App available on Mac, iOS & soon tvOS. We are adding a new App Group to be used by this app.
We also have a as yet unpublished future Mac Catalyst app that will need access to the App Group.
The Apple docs suggest prefixing app groups on Mac with the team ID but not on other platforms.
We would like to avoid prefixing with the team ID because:
my understanding is that Mac Catalyst apps don't use the team ID and we would like to support that use case to communicate between our current cross platform app and the future catalyst app.
Having a single code base but different group container IDs per platform means a bunch of extra conditional logic in the project we would rather avoid.
So with that context our aim is to have an app group that is named consistently across platforms and meets sandboxing requirements for App Store distribution.
However when developing using the non-team prefixed app group name on macOS Sequioa I see the following alert every time I launch the app.
I have the App Group listed correctly in the entitlements file and if I change the app group name on macOS from group.com.example to (TEAMID).com.example then it works as expected so I think the rest of the setup is correct.
Looking at the Sequoia Beta release notes it states:
Specifically, the app must use FileManager to get the app group container path and meet one of the following requirements: the app is deployed through Mac App Store; the app group identifier is prefixed with the app’s Team ID; or the app group identifier is authorised by a provisioning profile embedded within the app.
I am using Xcode managed signing and looking at the provisioning profiles I can see that the iOS one includes the app group but the macOS one does not. I assume that if I could somehow get the app group correctly add to the macOS provisioning profile then all would be good.
But I am now stuck on how to get the app group added to the macOS provisioning profile. It seems whatever I try Xcode does not want to add it. Presumably this is because it expects you to instead use a team ID prefixed app group which would not need to be added.
Is there any magic I can do to make this work with automatic signing?
If not then how would I go about setting it up manually and is that the best solution?
Hello,
I requested the Family Controls (Distribution) entitlement and was granted access:
However, the "Additional Capabilities" Tab is not showing up in the associated App ID in "Certificates, Identifiers & Profiles":
Thank you in advance,
FCG
Hello, My app used camera extension to implement virtual camera. After cosigned with Developer ID Application, My app can run on other mac. But can't run on MacOS 10.15. Print system log as follows:
Aug 22 16:08:11 YL1150-C01177PG com.apple.xpc.launchd[1] (com.apple.xpc.launchd.oneshot.0x10000060.Presentation Assistant[95558]): Binary is improperly signed.
Aug 22 16:08:20 YL1150-C01177PG com.apple.xpc.launchd[1] (com.yealink.PresentationAssistant.app.4612[95559]): removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Applications/Presentation Assistant.app/Contents/MacOS/Presentation Assistant:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
Aug 22 16:08:20 YL1150-C01177PG com.apple.xpc.launchd[1] (com.yealink.PresentationAssistant.app.4612[95559]): Binary is improperly signed.
Aug 22 16:08:51 YL1150-C01177PG com.apple.xpc.launchd[1] (com.apple.mdworker.shared.04000000-0700-0000-0000-000000000000[95551]): Service exited due to SIGKILL | sent by mds[114]
My app entitlements is:
??qq?<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<false/>
<key>com.apple.security.application-groups</key>
<array>
<string>xxxxx.com.yealink.PresentationAssistant.app</string>
</array>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<key>com.apple.security.device.microphone</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.device.usb</key>
<true/>
<key>com.apple.security.device.bluetooth</key>
<true/>
<key>com.apple.security.device.print</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.assets.pictures.read-write</key>
<true/>
<key>com.apple.security.files.downloads.read-write</key>
<true/>
<key>com.apple.security.assets.music.read-write</key>
<true/>
<key>com.apple.security.assets.movies.read-write</key>
<true/>
<key>com.apple.security.files.all</key>
<true/>
<key>com.apple.security.files.bookmarks.app-scope</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.developer.system-extension.install</key>
<true/>
</dict>
</plist>
I found that it works on macos 10.15 as long as I remove system-extension.install. What should I do?
Hi,
I'm trying to get a smart card reader to run with Xcode.
I set up the com.apple.security.smartcard entitlement in the .entitlements file and added it in Bild Settings -> Code Signing Entitlements.
But when I run: codesign -d --entitlements - Path/to/App, nothing smart card related shows up.
Also the TKSmartCardSlotManager.default isn't nil, but .slotNames are.
Do I have to install some drivers manually?
Please help.
When using the following API, is it expected that the app would require both incoming and outgoing permissions with App Sandbox?
public func sendto(_: Int32, _: UnsafeRawPointer!, _: Int, _: Int32, _: UnsafePointer<sockaddr>!, _: socklen_t) -> Int
Since I'm only sending UDP broadcasts, I would have expected outgoing to be sufficient.
Thanks!
I'm trying to install from Xcode (15.4) to my physical device but I get the following error: Failed to install embedded profile for : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)
The project was successfully building previously, but after encountering an issue while implementing Infobip (a 3rd party library for push notifications) where we weren't getting notifications sent from the Infobip dashboard, we had to change Provisioning Profile to one with a production setup for the aps-environment (given that the suggestion from the Infobip support team was to ensure that the provisioning profile and environment match). Note that it was development before.
After downloading the new Provisioning Profile onto Xcode, the project fails to build now with the error mentioned above. I don't know what to do now, and I'm stuck.
Hi!
I'm trying to move from CoreMedio I/O DAL Plug-In to CoreMedia I/O camera extensions, announced in macOS 12.3. I created a test extension, placed it inside my app bundle into Contents/Library/SystemExtensions and signed with codesigning certificate. But when I try to install my extension from inside my app, using this code (Swift):
func installDriver()
{
guard let extensionIdentifer = DriverInstaller.extensionBundle().bundleIdentifier else {
return
}
let activationReq = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: extensionIdentifer, queue: .main)
activationReq.delegate = self
OSSystemExtensionManager.shared.submitRequest(activationReq)
}
I'm getting an error:
OSSystemExtensionErrorDomain error 8: Code Signature Invalid
which is rather generic. Can anybody tell me what I am doing wrong? Or at least propose some steps to find it out?
I'm posting here entitlements and codesign output for my extension and containing application for further information.
Executable=../Contents/Library/SystemExtensions/com..RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension
[Dict]
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] 893K7MTL2H. com..
[Key] com.apple.security.device.camera
[Value]
[Bool] true
Executable=**********/Contents/MacOS/*****
[Dict]
[Key] com.apple.application-identifier
[Value]
[String] 893K7MTL2H.com..RoomDevice
[Key] com.apple.developer.system-extension.install
[Value]
[Bool] true
[Key] com.apple.developer.team-identifier
[Value]
[String] 893K7MTL2H
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] 893K7MTL2H. com..********
Executable=***/Contents/MacOS/****
Identifier=com..RoomDevice
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1345 flags=0x10000(runtime) hashes=31+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=3584714367d59119b462d0f830247d27ff1fbace
CandidateCDHashFull sha256=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12
Hash choices=sha256
CMSDigest=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12
CMSDigestType=2
Launch Constraints:
None
CDHash=3584714367d59119b462d0f830247d27ff1fbace
Signature size=4688
Authority=Developer ID Application: ****************(893K7MTL2H)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=01-Sep-2023 at 12:00:09 PM
Info.plist entries=22
TeamIdentifier=893K7MTL2H
Runtime Version=13.3.0
Sealed Resources version=2 rules=13 files=6
Internal requirements count=1 size=216
Executable=/Contents/Library/SystemExtensions/com.*****.RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension
Identifier=com.******.RoomDevice.Extension
Format=bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=3627 flags=0x10000(runtime) hashes=102+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=70580825016b7e262fb15c280ba380ad4e871bc1
CandidateCDHashFull sha256=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f
Hash choices=sha256
CMSDigest=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f
CMSDigestType=2
Launch Constraints:
None
CDHash=70580825016b7e262fb15c280ba380ad4e871bc1
Signature size=4688
Authority=Developer ID Application: ************ Ltd. (893K7MTL2H)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=01-Sep-2023 at 12:00:05 PM
Info.plist entries=22
TeamIdentifier=893K7MTL2H
Runtime Version=13.3.0
Sealed Resources version=2 rules=13 files=0
Internal requirements count=1 size=224
Please anyone help. Thanks in advance!
I am working on mac app development which will be distributed outside the App Store.
I added the network extension capability to my project and created a bundle id and provisioning profile with the same feature. When I configured the provisioning profile using Xcode (manual signing), it was configured fine.
But when I added the packet tunnel capability to my network extension, it started giving me an error.
I have created a Developer ID Application Certificate and use it when creating a provisioning profile.
I have followed steps mentioned here for doing same: Distribute outside the Mac App Store (macOS), Network Extensions Entitlement
Is this any Xcode bug or am I missing something?
Please check screenshot below for error.
I have an app that gets successfully notarised with microphone entitlements and everything was working fine (i.e. the app could receive audio input) up to macOS 14.4.1.
Since upgrading to 14.5 it seems that none of the versions that were previously working up to 14.4.1 are working anymore with 14.5 with respect to receiving audio input.
Ive tried using the microphone entitlement as well as the audio-input entitlement.
I should note that im using cmake to build my app through an external git actions CI/CD pipeline and this is the version that no longer seems to be getting the entitlements correctly.
When I build using the latest version of Xcode I can see that the app does seem to be getting the correct entitlements but I cant work out what the difference is.
Is there anything thats changed with respect to entitlements in macOS 14.5?
Should I be using microphone or audio-input entitlements?
( believe one is more for Sandboxed app and the other is for hardened runtime. Is that correct? Note: Im not distributing through the Mac App Store)
Any guidance would be greatly appreciated! 🙏
Hi,
We have recently been approved for Endpoint Security entitlement on our account. We have an application (golang) that we need to assign this entitlement and sign manually. We have packaged the entitlement correctly with the application. We have tried using a Developer ID Application certificate that we created before this entitlement was given to our account and also with a newly created certificate. However the application crashes when it is launched and I see the following error in the console logs (the full crash report is too big to post). Is there anything specific we need to do to attach the Endpoint Security entitlement to our certificate? Any help would be much appreciated, we have been stuck on this for a bit.
Thanks
Sriram
Translated Report (Full Report Below)
Incident Identifier: EAA48D72-705A-420B-8179-6D9049A81657
CrashReporter Key: 4F18A957-F0B8-BE5D-A1D7-74191ABCF38A
Hardware Model: MacBookPro14,1
Process: endpoint-security-example-test [6728]
Path: /Users/USER/*/endpoint-security-example-test
Identifier: endpoint-security-example-test
Version: ???
Code Type: X86-64 (Native)
Role: Unspecified
Parent Process: zsh [2463]
Coalition: com.apple.Terminal [1663]
Responsible Process: Terminal [2417]
Date/Time: 2024-07-31 13:34:45.7397 -0700
Launch Time: 2024-07-31 13:34:45.7294 -0700
OS Version: macOS 13.6.8 (22G820)
Release Type: User
Report Version: 104
Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid))
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: CODESIGNING 1 Taskgated Invalid Signature
Triggered by Thread: 0
Thread 0 Crashed:
0 0x116b40070 _dyld_start + 0
1 ??? 0x1 ???
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000
rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ff7b0da09d0
r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000
r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
rip: 0x0000000116b40070 rfl: 0x0000000000000200 cr2: 0x0000000000000000
Logical CPU: 0
Error Code: 0x00000000
Trap Number: 0
Binary Images:
0x116b3b000 - 0x116bd6fff () <2b649d59-89d8-3db6-9ba4-a6aecba42f6e> ???
0x10f15f000 - 0x10f21afff () <9440f210-132b-3da1-b7f5-4d2d62bc8e0d> ???
0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???
Error Formulating Crash Report:
dyld_process_snapshot_get_shared_cache failed
EOF
Hello
I work for a company which is not itself a carrier, however we develop applications on behalf of carriers (the relationship between us and several large household name US carriers has existed for many years).
The applications that we develop typically need carrier and/or special entitlements, for example:
com.apple.CommCenter.fine-grained/public-subscriber-info
com.apple.developer.coretelephony.sim-inserted
com.apple.developer.pushkit.unrestricted-voip
com.apple.developer.usernotifications.filtering
com.apple.developer.associated-domains
Obtaining those entitlements for the carrier applications that are released to the App Store is itself not a problem as the customers apply for them and they are duly granted and applied to the applications.
However, what is a problem is working around the strict Apple development and distribution requirements and limitations, and the consequences that has given that the apps don't belong to our Apple account but the customers.
Typically, a customer would provide us a developer certificate and set of provisioning profiles, but they would keep the distribution certificate and do the TestFlight/App Store release themselves.
There's two limitations that come into play here, the first is that we can't distribute the app to TestFlight and secondly, we can only install the customer's apps on hardware registered with their Apple account. Given how the limitation for that is 100 in total, and these are large companies, they just don't have slots available and hence we might have a single device on which their app can run. These are very severe limitations given the complex nature of the applications and the need to have several developers/testers involved, which isn't possible.
To mitigate those limitations we have "mirror" versions of customers' apps, these are apps which are identical to the customer apps except they have bundle ids registered to our Apple account.
This enables the apps to be developed by any number of developers and distributed via Testfight and hence to any number of testers.
But the problem is, the functionality of the mirror apps is severely reduced due to the fact they don't have the entitlements of the customers' apps.
To get to the point of the post - I would like to know if there any potential solutions to this?
For example:
could it be possible for our mirror applications to be granted required entitlements (given the relationships we have with the customers. I'm sure the customers could vouch for us as a company and the need for this)
could the entitlements be granted if we switched the mirror apps over to an Enterprise account (as enterprise apps can't be released to the App Store)?
any other technical options or suggestions?
Thank you
Hi…
I’m struggling with Sign in With Apple and the problem is exacerbated by it being in a Qt6 / C++ MacOS app which uses ObjC to do interact with Apple Frameworks. Outsude XCode, of course, because we use QT Creator.
I’m pretty sure that I set it up correctly by implementing an
@interface CWAppleAuthenticationServiceImpl : NSObject <ASAuthorizationControllerPresentationContextProviding,ASAuthorizationControllerDelegate>
- (id)initWithOwner:(MyAppleAuthenticationService *) owner;
and all the rest.
Code compiles an runs, and when when I call
[controller performRequests] the
presentationAnchorForAuthorizationController gets called.
But nothing visible happens in the app. Instead it jumps right into didCompleteWithError , so I guess I did connect everything correctly – except that it doesn’t work correctly.
So I sign the app, providing the entitlements
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.applesignin</key>
<array>
<string>Default</string>
</array>
</dict>
</plist>
Signing and Notarisation works, but when I start the app, it crashes. The entitlesments are part of the app, i checked that with codesign which claims that everything is fine.
The crash appears to be the same as described in https://forums.developer.apple.com/forums/thread/698870, i.e. "Error of invalid code signature" . This is backed by me signing it without entitlements, which yields a working and running application, albeit without signIn capabilities.
I’m a bit stumped.
Hi,
We applied for Tap to Pay on iPhone entitlement and were approved, but on distribution support it's only showing Development.
We can build and debug Tap to Pay on development, but unable to build release.
We opened ticket with Apple support but they were saying it was configured correctly. I attached screenshot of our developer account entitlement for Tap to Pay. It clearly said Development only.
I'm getting the following crash in my app
Incident Identifier: 5321CD04-430E-4B10-9467-F416E792F3D6
CrashReporter Key: 1414d117f3d2793f073dc033c9395dccac5f6020
Hardware Model: iPad12,1
Process: XxXxXx [591]
Path: /private/var/containers/Bundle/Application/8A296C9B-52EF-4288-B102-58868A7FD139/XxXxXx.app/XxXxXx
Identifier: co.XxXxXx.XxXxXx.J873G84M8Q
Version: 1.10 (1.10.6)
Code Type: ARM-64 (Native)
Role: Foreground
Parent Process: launchd [1]
Coalition: uk.co.XxXxXx.XxXxXx.J873G84M8Q [522]
Date/Time: 2024-07-22 14:37:00.3901 +0100
Launch Time: 2024-07-22 14:37:00.1082 +0100
OS Version: iPhone OS 17.2 (21C62)
Release Type: User
Report Version: 104
Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Subtype: KERN_PROTECTION_FAILURE at 0x000000010c61c000
Exception Codes: 0x0000000000000002, 0x000000010c61c000
VM Region Info: 0x10c61c000 is in 0x10c61c000-0x10c620000; bytes after start: 0 bytes before end: 16383
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
MALLOC_LARGE 10c5e4000-10c61c000 [ 224K] rw-/rwx SM=PRV
---> JS JIT generated code 10c61c000-10c620000 [ 16K] r--/rw- SM=PRV
GAP OF 0x613cc000 BYTES
Stack Guard 16d9ec000-16d9f0000 [ 16K] ---/rwx SM=NUL
Termination Reason: SIGNAL 10 Bus error: 10
Terminating Process: exc handler [591]
Triggered by Thread: 0
I'm assuming that I need to add the following entitlement to Entitlements.plist
<key>com.apple.security.cs.allow-jit</key>
<true/>
From within XCode I can see how to do this, what I can't figure out is how to do the same thing on our CI server without manually managing the signing process of the application using codesign.
How can I add the above entitlement to my application using xcodebuild or is this even possible?
In my account, there is already a driver kit usb transport vendor id(4070) in the Identifiers capability . I posted a new request for new usb vendor id(14203) , and there are now 2 driver kit usb transport vendor id entitlement in the account's identifiers, one is for old id (4070), another is not for new id(14203).
so how can I add a new usb vendor id ? or change the old one?
Due to changes in macOS 15 Sequoia with respect to container privacy/privileges, I have observed warnings with one of my apps (non-sandboxed) when its subsidiary crash reporter process tries to access the host app's data folder.
I THINK I've worked around this issue by granting the crash reporter and the host app access to the same application group. I'm not 100% sure how all this works except that the problem went away :)
The problem is, once the problem goes away on a given system, it goes away for good! Even with subsequent attempts to open a version of the app before the fix was in place, the system warning is not presented. I've tried to reset SystemPolicyAppBundles on the app via tccutil, but it makes no difference.
Using the wisdom from one of Quinn's posts (https://developer.apple.com/forums/thread/706442) I set up a log stream invocation to try to gather clues, and I notice that when I launch my app now, I see messages like:
Found provenance data on process: TA(82542d1beaf132a6, 2), 51084
Process was already in provenance sandbox, skipping: 51084, TA(82542d1beaf132a6, 2)
I suspect this "provenance" may reflect the change in how the system treats my application.
First: I wonder if it's a bug that any change in "provenance" should retroactively apply to versions of the app before the change was made. Second, I wonder if there's some way to RESET this provenance so that I can reproduce the bug again? I might be able to reproduce it by changing the bundle ID for the app but for purposes of testing against existing, shipped versions of the app, I'd love to be able to reset things for sanity-checking.
Hi,
I have a PCI DriverKit System Extension project that our team has tested, and the entitlements are not a problem.
Once we decided to place the project to the Apple Store the review team requested to add "App Sandbox" entitlement to the project. Then I added the entitlement manually to the ".entitlements" file ( I couldn't do that using the Xcode add entitlement section because since it is a driverkit project, the "App sandbox" is not visible in the entitlements page ) and re-packaged the project for distribution. Later on, I saw that the entitlement was removed during the packaging process.
I also tried to add that using the "build settings" page in Xcode (the signing section ), but I had no luck.
I feel like I'm being misled by the review team. Do you know if the "App sandbox" entitlement is applicable to a DriverKit project ?
In enterprise environments it can be tricky to develop innovative applications leveraging the full value of the hardware. The code signing capabilities on iOS are much more restrictive compared to macOS, and has been for years. Is it really too much to ask for more control over the applications we can use in development environments.
For bespoke applications being able to have control over hardware is something that has been missing for a long time. The ability to sign with com.apple.security.iokit-user-client-class and com.apple.security.temporary-exception.sbpl in development and enterprise solutions would allow for far greater integration with the devices.
What reasons are there to avoid allowing this on iOS when macOS has much less restrictive control, the lack of continuity between the systems does not help the "level playing field".