EndpointSecurity Code Signature invalid

I'm developing an EndpointSecurity application for 10.15 and trying to use the EndpointSecurity system extension framework.


I've discovered that when I add the boolean entitlement 'com.apple.developer.endpoint-security.client', the application crashes with a "Code Signature Invalid" error on launch (whether or not the boolean is YES or NO). My dev machine has SIP disabled, on OSX 10.15, Xcode 11.3.


I used automatic signing from Xcode, with the system extension capability added.


I've seen other people having this issue with no solution posted https://forums.developer.apple.com/thread/124034


example error below:



Time Awake Since Boot: 62 seconds

System Integrity Protection: disabled

Crashed Thread: Unknown

Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY

Termination Reason: Namespace CODESIGNING, Code 0x1

kernel messages:

Backtrace not available

Unknown thread crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000
rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ffeee42abb0
r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000
r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
rip: 0x0000000103714000 rfl: 0x0000000000000200 cr2: 0x0000000000000000

Logical CPU: 0
Error Code: 0x00000000
Trap Number: 0

Binary images description not available

External Modification Summary:
Calls made by other processes targeting this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by all processes on this machine:
task_for_pid: 272
thread_create: 0
thread_set_state

Accepted Reply

If you’re trying to build an EndpointSecurity system extension (as opposed to calling the EndpointSecurity API from some other context), you should follow the advice in this thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

Also note that the binary appears signed:

NOTE that I've tried in a fresh project too, but this is from attempting to add the EndpointSecurity extension into the FilterNetworkTraffic example that Apple provided.


'codesign -dvvv --entitlement :- [PATH_TO_APP]'

(output slightly obfuscated with _____)


Identifier=com.example.apple-samplecode.SimpleFirewall_______
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=2709 flags=0x0(none) hashes=76+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=58331fd900707ae49b2943de6dfc27b178cfbe34
CandidateCDHashFull sha256=58331fd900707ae49b2943de6dfc27b178cfbe347135ac15fb58bd7ce4e170c0
Hash choices=sha256
CMSDigest=58331fd900707ae49b2943de6dfc27b178cfbe347135ac15fb58bd7ce4e170c0
CMSDigestType=2
CDHash=58331fd900707ae49b2943de6dfc27b178cfbe34
Signature size=4746
Authority=Apple Development: ___________
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Jan 23, 2020 at 10:34:54 AM
Info.plist entries=23
TeamIdentifier=_________
Sealed Resources version=2 rules=13 files=11
Internal requirements count=1 size=224
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>______.com.example.apple-samplecode.SimpleFirewallB75W84SR5U</string>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>_______</string>
    <key>com.apple.security.app-sandbox</key>
    <false/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>_______.com.example.apple-samplecode.SimpleFirewall</string>
    </array>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>

Thank you Eskimo, that post was very useful.