DriverKit: embedded.mobileprofile has the wildcard USB Vendor ID instead of my assigned Vendor ID

I've added my Vendor ID to the appropriate entitlement files but my binary fails validation when trying to upload it to the store for distribution. The embedded.mobileprovision file in the generated archive shows an asterisk instead of my approved Vendor ID. How can I make sure the embedded provisioning file has my Vendor ID?

Answered by DTS Engineer in 787624022

Hi,

First off, a bit of background:

  1. The "*" value is used as a wildcard value, meaning "match anything" (in this case, any vendor ID). Note this does NOT mean that your driver will actually load/match against "any" device. DriverKit code signing restricts what your DEXT is eligible to match with, but the IOKit matching system is what controls what you'll ACTUALLY match with.

  2. The "wildcard" entitlements are how the "DriverKit < > (Development)" variants are able to match against "any" device, however, they're also what's causing this problem:

my binary fails validation when trying to upload it to the store for distribution

Unfortunately, Xcode 15 has some issues with DriverKit signing (r.124720643). It doesn't understand the difference between the development entitlements and the production entitlements, so it ends up using the Development variant "everywhere". That then breaks when you try to export builds.

Here is what I recommend:

- For development purposes, use automatic code signing. That works fine right now and it isn't worth the trouble of trying to "fix" it.

- As part of these issues, Xcode may replace the specific entitlement value you define with the "*" value. This should only happen if you change your signing configuration, but be aware of the issue and that you may need to reset the value.

- When you export an archived build from the Organizer, select "Custom..." as the initial export type, then "Manually Manage Signing" (later in the configuration sequence).

- You'll then specify the specific provisioning profile for each executable, which you'll generate using the developer portal. This article "Create a development provisioning profile" has an overview of that process.

Hopefully that's enough to sort this out for you but if you still need help or run into anything unexpected, I'd recommend opening a DTS tech support incident.


Kevin Elliott
DTS Engineer, CoreOS/Hardware


Kevin, thank you so much for responding. My entire dev team just got together on a video call and spent 3 hours trying everything we could to figure this out. No personal reflection on you but Apple MUST do better. The information you provided above jives with most of what we discovered. The solution for us was to switch to automatic and also change the idVendor value from a String to a Number when moving from a wildcard value to a literal value. This appears to be necessary when putting a real Vendor ID in the entitlements file. This was a lot harder than it should have been.
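An added example, not part of the thread or of Apple's tooling: a Python pre-upload check that reads the profile embedded in an exported archive and reports the two conditions discussed above, a wildcard idVendor left over from the Development variant and a literal idVendor stored as a String rather than a Number. It assumes the USB transport entitlement key is `com.apple.developer.driverkit.transport.usb`; the vendor ID 0x1234 and the profile bytes are constructed samples.

```python
import plistlib

USB_KEY = "com.apple.developer.driverkit.transport.usb"

def profile_entitlements(blob: bytes) -> dict:
    """Return the Entitlements dict from a provisioning profile blob.

    The profile is a CMS envelope around an XML plist; this slices the plist
    out without verifying the signature, which is enough for inspection.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(blob[start:end + 8]).get("Entitlements", {})

def vendor_findings(entitlements: dict, expected_vid: int) -> list:
    """List the problems with the USB transport entitlement; empty means OK."""
    entries = entitlements.get(USB_KEY)
    if not entries:
        return ["missing " + USB_KEY]
    findings = []
    for entry in entries:
        vid = entry.get("idVendor")
        if vid == "*":
            findings.append("wildcard idVendor (development variant)")
        elif isinstance(vid, bool) or not isinstance(vid, int):
            findings.append(f"idVendor {vid!r} is not a Number")
        elif vid != expected_vid:
            findings.append(f"idVendor {vid} != expected {expected_vid}")
    return findings

def _profile(value_xml: str) -> bytes:
    # Constructed sample: fake CMS bytes around a minimal profile plist.
    body = ('<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
            "<key>Entitlements</key><dict><key>" + USB_KEY + "</key><array><dict>"
            "<key>idVendor</key>" + value_xml + "</dict></array></dict></dict></plist>")
    return b"\x30\x82\x0f\x00" + body.encode() + b"\x00\xa0\x82"

EXPECTED_VID = 0x1234  # constructed placeholder, not a real assignment
DEV = _profile("<string>*</string>")
STRING_VID = _profile("<string>4660</string>")
DIST = _profile("<integer>4660</integer>")

if __name__ == "__main__":
    for name, blob in (("dev", DEV), ("string", STRING_VID), ("dist", DIST)):
        print(name, vendor_findings(profile_entitlements(blob), EXPECTED_VID) or "ok")
```

For a real archive, pass the bytes of the embedded profile file (`open(path, "rb").read()`) and your own assigned vendor ID in place of the constructed samples.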
