User Profile

Hi all,We're trying to package a new version of Multipass, a small cross-platform Linux VM manager. It's been working fine until recently, when the notarization service started erroring out on binaries unsigned, or those that don't have the hardened runtime enabled.We're using CPack to create a custom installer, so we have to do all the signing and notarization manually.Unfortunately the hypervisor we use (hyperkit) fails when ran with hardening:CODE SIGNING: 31277[hyperkit] vm_map_protect can't have both write and exec at the same timeWhile we investigate that problem, we wanted to add the appropriate entitlements to the signature, please tell me if there's something wrong with this:<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>application-identifier</key> <string>com.canonical.multipass.hyperkit</string> <key>com.apple.security.cs.disable-executable-page-protection</key> <true/> </dict> </plist>Unfortunately even though notarization completes on the package, the binary fails with:mac_vnode_check_signature: /Library/Application Support/com.canonical.multipass/bin/hyperkit: code signature validation failed fatally: When validating /Library/Application Support/com.canonical.multipass/bin/hyperkit: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements: proc 35751: load code signature error 4 for file "hyperkit"Following TN2318 I can see that the signature verification fails if I use the "Developer ID" identity, which notarization seems to require (?):$ codesign --verify -vvvv -R='anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and (certificate leaf[field.1.2.840.113635.100.6.1.2] exists or certificate leaf[field.1.2.840.113635.100.6.1.4] exists)' "/Library/Application Support/com.canonical.multipass/bin/hyperkit" /Library/Application Support/com.canonical.multipass/bin/hyperkit: valid on disk /Library/Application Support/com.canonical.multipass/bin/hyperkit: satisfies its Designated Requirement test-requirement: code failed to satisfy specified code requirement(s)If I use an "Apple Development" identity, the check completes:$ codesign --verify -vvvv -R='anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and (certificate leaf[field.1.2.840.113635.100.6.1.2] exists or certificate leaf[field.1.2.840.113635.100.6.1.4] exists)' "/Library/Application Support/com.canonical.multipass/bin/hyperkit" /Library/Application Support/com.canonical.multipass/bin/hyperkit: valid on disk /Library/Application Support/com.canonical.multipass/bin/hyperkit: satisfies its Designated Requirement /Library/Application Support/com.canonical.multipass/bin/hyperkit: explicit requirement satisfiedBut even then, the above "signature failed" failure occurs. Not to mention that files signed with that identity get rejected during notarization…Any pointers on what are we doing wrong?Thanks a bunch!