      Latest reply on Aug 14, 2019 12:54 AM by eskimo
      Hexcode Level 1 (0 points)

        Hello,

         

        Because our app has a Plugin system, I am trying to release a version that has both com.apple.security.get-task-allow and com.apple.security.cs.disable-library-validation entitlements enabled (along with further entitlements).

         

        The disable library validation entitlement has been added to my entitlements file, and I have set CODE_SIGN_INJECT_BASE_ENTITLEMENTS = YES in my xcconfig file for both Release and Debug configurations.

         

        My codesigning settings are as follows:

         

        CODE_SIGN_IDENTITY = Developer ID Application

        DEVELOPMENT_TEAM = WUxxxxx46

        CODE_SIGN_STYLE = Manual

         

        I'm creating the archive as follows:

         

        xcodebuild -workspace S.xcworkspace -scheme S -sdk macosx -configuration Release archive -archivePath S.xcarchive -derivedDataPath ddd -xcconfig S/Configs/Final.xcconfig

         

        However when I run codesign on the resulting app, the get-task-allow entitlement is not present.

         

        codesign -d --entitlements :- S.xcarchive/Products/Applications/S.app/

         

        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
        <dict>
          <key>com.apple.security.application-groups</key>
          <array>
          <string>WUxxxx46.</string>
          </array>
          <key>com.apple.security.automation.apple-events</key>
          <true/>
          <key>com.apple.security.cs.allow-jit</key>
          <true/>
          <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
          <true/>
          <key>com.apple.security.cs.disable-library-validation</key>
          <true/>
          <key>com.apple.security.personal-information.photos-library</key>
          <true/>
        </dict>
        </plist>

         

         

        If I add -showBuildSettings to the end of my xcarchive line, the output there does confirm that CODE_SIGN_INJECT_BASE_ENTITLEMENTS is set to YES.

         

        I've also had a look at the xcent file in the Intermediate build phase directory and get-task-allow isn't there either.

         

        Can anyone provide any insight as to what I'm doing wrong please?

         

        Thanks

         

        Heather.

        • Re: CODE_SIGN_INJECT_BASE_ENTITLEMENTS not adding com.apple.security.get-task-allow entitlement
          eskimo Apple Staff (12,455 points)

          My understanding is Code Signing Inject Base Entitlements is one of those ‘do the right thing’ build settings, and part of the ‘right thing’ in this case is to set the Get Task Allow entitlement on Debug builds but not Release builds.  If you want to set Get Task Allow on all builds, you should turn off Code Signing Inject Base Entitlements and then add Get Task Allow to your .entitlements file.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"
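
As an added example (not part of the original thread and not Apple's code), the check below parses the plist printed by the codesign command in the question and reports which expected entitlements are missing from the signature and which hardened-runtime exceptions are enabled. The function names and the EXPECTED set are assumptions for illustration; the sample input is the output quoted in the question.

```python
import plistlib
import subprocess

# Entitlements the question expected to find in the signed app.
EXPECTED = {
    "com.apple.security.get-task-allow",
    "com.apple.security.cs.disable-library-validation",
}

# Entitlements plist as printed by codesign in the question (whitespace compacted).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.application-groups</key>
  <array><string>WUxxxx46.</string></array>
  <key>com.apple.security.automation.apple-events</key><true/>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.personal-information.photos-library</key><true/>
</dict>
</plist>
"""


def read_signed_entitlements(app_path):
    """Run the codesign command from the question (macOS only); return plist bytes."""
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", app_path],
        check=True, capture_output=True,
    )
    return result.stdout


def audit(plist_bytes, expected=EXPECTED):
    """Compare the entitlements actually in the signature with the expected set."""
    entitlements = plistlib.loads(plist_bytes)
    # Only a boolean true grants the entitlement; a key set to false does not.
    enabled = {key for key, value in entitlements.items() if value is True}
    return {
        "missing": sorted(set(expected) - enabled),
        # get-task-allow lets other processes attach to the app (debugger access).
        "debuggable": "com.apple.security.get-task-allow" in enabled,
        "runtime_exceptions": sorted(
            k for k in enabled if k.startswith("com.apple.security.cs.")),
    }


if __name__ == "__main__":
    for name, value in audit(SAMPLE).items():
        print(f"{name}: {value}")
```

On a Mac, pass `read_signed_entitlements("S.xcarchive/Products/Applications/S.app")` to `audit` to run the same check against the archive from the question.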