CODE_SIGN_INJECT_BASE_ENTITLEMENTS not adding com.apple.security.get-task-allow entitlement

Hello,


Because our app has a Plugin system, I am trying to release a version that has both com.apple.security.get-task-allow and com.apple.security.cs.disable-library-validation entitlements enabled (along with further entitlements).


The disable library validation entitlement has been added to my entitlements file, and I have set CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES in my xcconfig file for both Release and Debug configurations.


My codesigning settings are as follows:

CODE_SIGN_IDENTITY = Developer ID Application
DEVELOPMENT_TEAM = WUxxxxx46
CODE_SIGN_STYLE = Manual


I'm creating the archive as follows:


xcodebuild -workspace S.xcworkspace -scheme S -sdk macosx -configuration Release archive -archivePath S.xcarchive -derivedDataPath ddd -xcconfig S/Configs/Final.xcconfig


However, when I run codesign on the resulting app, the get-task-allow entitlement is not present.


codesign -d --entitlements :- S.xcarchive/Products/Applications/S.app/

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.application-groups</key>
<array>
<string>WUxxxx46.</string>
</array>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.personal-information.photos-library</key>
<true/>
</dict>
</plist>



If I add -showBuildSettings to the end of my xcarchive line, the output there does confirm that CODE_SIGN_INJECT_BASE_ENTITLEMENTS is set to YES.

I've also had a look at the xcent file in the Intermediate build phase directory and get-task-allow isn't there either.

Can anyone provide any insight as to what I'm doing wrong please?

Thanks

Heather.

Replies

My understanding is Code Signing Inject Base Entitlements is one of those ‘do the right thing’ build settings, and part of the ‘right thing’ in this case is to set the Get Task Allow entitlement on Debug builds but not Release builds. If you want to set Get Task Allow on all builds, you should turn off Code Signing Inject Base Entitlements and then add Get Task Allow to your .entitlements file.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Resurrecting an old thread, as this doesn't seem to be how it works, at least not nowadays.

% unzip MyApp.ipa
% codesign -d --entitlements :- Payload/MyApp.app
...
	<key>get-task-allow</key>
	<false/>
...

If I save the entitlements to a file:

% unzip MyApp.ipa
% codesign -d --entitlements entitlements.plist Payload/MyApp.app

and just flip the value of the get-task-allow flag and then resign:

% codesign --entitlements entitlements.plist -s "iPhone Distribution"  -f Payload/MyApp.app
Payload/MyApp.app: replacing existing signature

and then install the app I get:

WARNING: could not locate iTunesMetadata.plist in archive!
WARNING: could not locate Payload/Tester.app/SC_Info/Tester.sinf in archive!
Copying 'MyApp.ipa' to device... DONE.
Installing 'com.....'
Install: CreatingStagingDirectory (5%)
Install: ExtractingPackage (15%)
Install: InspectingPackage (20%)
Install: TakingInstallLock (20%)
Install: PreflightingApplication (30%)
Install: InstallingEmbeddedProfile (30%)
Install: VerifyingApplication (40%)ERROR: Install failed. Got error "ApplicationVerificationFailed" with code 0xe8008016: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.AmySH8/extracted/Payload/MyApp.app : 0xe8008016 (The executable was signed with invalid entitlements.)

If I don't change anything in entitlements.plist but just resign with the same entitlements then the app installs ok, but cannot be started via USB. So, it's not possible to flip the flag and resign. My understanding is that somehow the get-task-allow entitlement must be present in the provisioning profile, but I have not found out any way to actually make this happen.

Any ideas for what I can do?

as this doesn't seem to be how it works, at least not nowadays.

Well… actually… it’s “at least not on my platform” (-:

Hexcode’s original post was about macOS. You can tell because they’re using the com.apple.security.get-task-allow entitlement rather than get-task-allow, which is the entitlement used by iOS and its descendants. This is important because these platforms behave differently:

  • On iOS, all entitlements must be authorised by a provisioning profile.

  • On macOS, a small set of entitlements can be used without such authorisation.

See my What exactly is a provisioning profile? post for more background on this.

I suspect that the provisioning profile embedded in your app has the get-task-allow entitlement in its allowlist but it’s set to true, and that means it only allows a value of true.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
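The two checks this thread keeps doing by hand (reading the codesign entitlement dump for either spelling of get-task-allow, and comparing an iOS app's entitlements against the profile's allowlist as Quinn describes) can be scripted. This is an added example, not code from the thread or from Apple; the plist samples and the profile dictionary are constructed, and the profile comparison is a simplified model (presence check, plus exact match for boolean values) rather than Apple's full matching rules.

```python
import plistlib
import sys

# The debugger-attach entitlement: macOS spelling first, then the iOS spelling.
GET_TASK_ALLOW_KEYS = ("com.apple.security.get-task-allow", "get-task-allow")

# Constructed sample modelled on the Release entitlements shown in the original post.
RELEASE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.automation.apple-events</key><true/>
</dict></plist>"""

# Constructed sample: an iOS app re-signed with get-task-allow flipped to false.
IOS_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>application-identifier</key><string>TEAMID.com.example.app</string>
<key>get-task-allow</key><false/>
</dict></plist>"""

# Constructed sample: the Entitlements dict of a development profile, which pins
# get-task-allow to true (the situation Quinn suspects in the last reply).
PROFILE_ENTITLEMENTS = {"application-identifier": "TEAMID.com.example.app",
                        "get-task-allow": True}


def get_task_allow_state(entitlements_xml):
    """Return (key, value) for whichever get-task-allow spelling is present, else (None, None)."""
    ent = plistlib.loads(entitlements_xml)
    for key in GET_TASK_ALLOW_KEYS:
        if key in ent:
            return key, bool(ent[key])
    return None, None


def unauthorised_entitlements(entitlements_xml, profile_entitlements):
    """Keys the profile would not authorise under the iOS rule that every entitlement
    needs the profile: missing from the profile, or a boolean whose value differs."""
    ent = plistlib.loads(entitlements_xml)
    bad = []
    for key, value in ent.items():
        if key not in profile_entitlements:
            bad.append(key)
        elif isinstance(profile_entitlements[key], bool) and profile_entitlements[key] != value:
            bad.append(key)
    return bad


if __name__ == "__main__":
    # Usage: codesign -d --entitlements :- S.app | python3 check_entitlements.py
    key, value = get_task_allow_state(sys.stdin.buffer.read())
    print(f"{key} = {value}" if key else "no get-task-allow entitlement present")
```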