Failed to run Endpoint Security client (signature invalid).

Hello,

We are developing application as an Endpoint Security client, and have a problem with running the signed and notarized code on macOS 10.15.4 with enabled SIP. Base code (ES client and callback handler) wrote on native C as static library, and linked with Golang console application. Then the binary signing by ‘Developer ID Application’ certificate with specified entitlements and Info.plist, packed into dmg and zip, successful notarized with stapling, and distributed (through inet) to a clean macOS where it trying to run.

Sign command (identifiers, private string and other personal data was replaced here and below):

export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
codesign --sign -vvv --timestamp --options=runtime --force --entitlements path.to.entitlements --identifier "com.example.appname" -s XXXXXXXXX path_to_application

Notarized by ‘xcrun altool …’ without any errors.

Entitlements:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>com.apple.application-identifier</key>

<string>TEAMIDXXXX.com.example.appname</string>

<key>com.apple.developer.endpoint-security.client</key>

<true/>

</dict>

</plist>

Info.plist:

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>CFBundleDevelopmentRegion</key>

<string>English</string>

<key>CFBundleInfoDictionaryVersion</key>

<string>6.0</string>

<key>CFBundleExecutable</key>

<string>binaryname</string>

<key>CFBundleIdentifier</key>

<string>com.example.appname</string>

<key>CFBundleName</key>

<string>JustAppName</string>

<key>CFBundlePackageType</key>

<string>APPL</string>

</dict>

</plist>

codesign –verify … says:

valid on disk 
satisfies its Designated Requirement

spctl –assess -vvv … on target machine says:

path_to_app: accepted
source=Notarized Developer ID
origin=Developer ID Application: COMANYNAME (HASH)

But system killing the application immediately after start.

In ‘Crash Reports’ I see:

Exception Type:        EXC_CRASH (Code Signature Invalid)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Reason:    Namespace CODESIGNING, Code 0x1

And in system.log I see:

May 18 13:05:40 HOST com.apple.xpc.launchd[1] (my.app.id.4776[96232]): removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating PATH_TO_EXECUTABLE:
              Code has restricted entitlements, but the validation of its code signature failed.
            Unsatisfied Entitlements:
May 18 13:05:40 HOST com.apple.xpc.launchd[1] (my.app.id.4776[96232]): Binary is improperly signed.

I tried signed, zipped and notarized just binary (without Info.plist); wrapped to .app directory structure, signed, zipped and notarized; wrapped to .app signed, wrapped to dmg (also signed) and notarized. In all cases I see same errors and failed to run the application.

So, what could be wrong in the workflow? Should we change signing parameters? Should we somehow change entitlements, or add some exotic fields to the Info.plist? Anything else?

By the way, could we even sign ES client just as single binary console utility without Info.plist?