Endpoint security system extension signature error

Hello,


we are developing Endpoint Security system extension (SE). What is said in https://forums.developer.apple.com/thread/125048 with SIP disabled. With SIP enabled the SE crashes with signature error. The SE is signed and notarized, and our certificate has the com.apple.developer.endpoint-security.client entitlement, so this should be in order.


When I examine the logs, I see this:

default11:40:54.534883+0200sysextdstarting extension com.***.endpoint via owning category
error11:40:54.536446+0200endpointsecuritydThe extension from <decode: missing data> (<decode: missing data>) is using the deprecated default mach service name. Please update the extension to set the <decode: missing data> key in the Info.plist file.
default11:40:54.541284+0200sysextdExtension point confirmed that extension com.***.endpoint is runnable.
default11:40:54.541347+0200sysextdchanging state of extension com.***.endpoint to activated_enabled.
default11:40:54.541601+0200kernelproc 11438: load code signature error 4 for file "com.***.endpoint"


It seems that some value is missing in Info.plist, which sets the mach service name. I see that for Network System Extension there exists the key NEMachServiceName in Info.plist, is there anything equivalent for Endpoint Security? Or is there something else missing in the Info.plist:


<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>CFBundleDevelopmentRegion</key>

<string>$(DEVELOPMENT_LANGUAGE)</string>

<key>CFBundleDisplayName</key>

<string>endpoint</string>

<key>CFBundleExecutable</key>

<string>$(EXECUTABLE_NAME)</string>

<key>CFBundleIdentifier</key>

<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>

<key>CFBundleInfoDictionaryVersion</key>

<string>6.0</string>

<key>CFBundleName</key>

<string>$(PRODUCT_NAME)</string>

<key>CFBundlePackageType</key>

<string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>

<key>CFBundleShortVersionString</key>

<string>1.0</string>

<key>CFBundleVersion</key>

<string>1</string>

<key>LSMinimumSystemVersion</key>

<string>$(MACOSX_DEPLOYMENT_TARGET)</string>

<key>NSHumanReadableCopyright</key>

<string>$(ES_COPYRIGHT)</string>

<key>NSSystemExtensionUsageDescription</key>

<string>$(ES_USAGE_DESCRIPTION)</string>

</dict>

</plist>


Thank you,

Dan

Up vote post of dan1922 Down vote post of dan1922
1.6k views
Posted by
dan1922
Reply
Add a Comment

Replies

I have these 3 settings (edited to protect the innocent)


<key>NSEndpointSecurityMachServiceName</key>

<string>My Bundle ID here</string>

<key>NSEndpointSecurityRebootRequired</key>

<false/>

<key>NSEndpointSecurityEarlyBoot</key>

<true/>


Not sure if you need or want them all.

Posted by
mdolan
Up vote reply of mdolan Down vote reply of mdolan
Add a Comment

Hello mdolan,


adding NSEndpointSecurityMachServiceName seems to have helped something, because I longer get the error log from endpointsecurityd about the missing value in Info.plist. However, the system extension still crashes and the only error log I see is:


Default 0x0 0 0 kernel: proc 1763: load code signature error 4 for file "com.***.endpoint"


I have no clue what's wrong here. I guess I'll reexamine the entitlements and provisioning profile again. Have you been able to load the system extension with SIP enabled?

Posted by
dan1922
Up vote reply of dan1922 Down vote reply of dan1922
Add a Comment

I'm glad I could help with the MachServiceName, good luck with the rest. Took me many days and attempts (wiping out all certs/app ids/profiles and creating them again and again) to get something that would build and run successfully. I got it running with SIP disabled first and was able to get everything stable, it took 2 months to get approval from Apple to give my personal account the endpoint security entitlement to run with SIP enabled. The only problem I had there was that my test VM wasn't in my device list, therefore not in the provisioning profile. When I tried to run it there, it wouldn't work. Not sure of the exact error. That was a couple of weeks ago. Just look at any and all logs, all the different forums here (especially posts by eskimo), and try to read between the lines.


Again, good luck!

Posted by
mdolan
Up vote reply of mdolan Down vote reply of mdolan
Add a Comment

OK, so the issue was on our side. Our signing server with distribution certificate automatically appended some additional entitlements to bundle / binary when signing with hardened runtime was requested. This caused the entitlements mismatch between the binary itself and the provisioning profile.


So when anyone else gets the load signature error then make sure that the entitlements inside the system extension and entitlements inside the provisioning profile match.

Posted by
dan1922
Up vote reply of dan1922 Down vote reply of dan1922
Add a Comment