Change in signing requirement for endpoint testing?

I wrote some endpoint code in November-December, and it was running fine since Dec 29.


This week I decided to make one little tweak, and launchd stopped launching the service (with a status of -9) when my GUI app tried to connect to it.


After a lot of trial & error, I discovered I have to manually code sign the endpoint binary now. I am almost certain I wasn't manually code signing in December.


Is this a recent feature with a Catalina update sometime in this past month?


Thanks,

Replies

Also noticed: when changing the mach service name (and bundle ID), I had to package the binary in a .pkg file and send it off to Apple to be notarized.


It looks like notarization is now enforced.

It looks like notarization is now enforced.

Notarisation is required for deployment. There are two parts to this:

  • The app must be notarised for it to pass Gatekeeper.

  • The system extension must be notarised for it to be loaded (as the sysex is embedded inside the app, notarising the app also notarises the sysex).

For development you can relax the second requirement by disabling SIP.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I have SIP disabled.


I'll have to conduct some tests later to see if I can isolate why I was needing notarization or if I didn't and I just had some other error.


In my case, I am using the endpoint framework in a command-line tool launched by launchd based on a Mach Service request from the GUI app's extension. Yeah, it is a little complicated, a 3-tier architecture communicating over XPC services. Testing is getting complicated.


GUI app <--> embedded network system extension <--> endpoint system extension


The endpoint system extension program and corresponding launchd .plist file are bundled in a .pkg that I get notarized.


Right now everything is chugging along fine though.