Post not yet marked as solved
It seems the extension is signed... Can you help me figure out what is wrong here?
Executable=/Library/SystemExtensions/34B35D7A-4544-4CE1-BEB1-E32288BBEFA4/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension
Identifier=com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension
Format=bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=814 flags=0x10000(runtime) hashes=13+7 location=embedded
VersionPlatform=1
VersionMin=720896
VersionSDK=786688
Hash type=sha256 size=32
CandidateCDHash sha256=6db8ab895938ee314fbfc13c499039a686e16ed8
CandidateCDHashFull sha256=6db8ab895938ee314fbfc13c499039a686e16ed8028605163e830d7fd01d3806
Hash choices=sha256
CMSDigest=6db8ab895938ee314fbfc13c499039a686e16ed8028605163e830d7fd01d3806
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=16384
Executable Segment flags=0x1
Page size=4096
CDHash=6db8ab895938ee314fbfc13c499039a686e16ed8
Signature size=4796
Authority=Apple Development: Darrell Burns (Z28Q26L68P)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Jun 24, 2022 at 9:20:55 AM
Info.plist entries=22
TeamIdentifier=AMLU8UA7F6
Runtime Version=12.1.0
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=232
sh-3.2# codesign -vvv com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension
com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension: valid on disk
com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension: satisfies its Designated Requirement
Post not yet marked as solved
Thank you. I was able to fix the signing, and build the sample. I deployed it following the instructions at Monitoring System Events with Endpoint Security.
It is still not working!
2022-06-24 10:03:41.336276-0700 0x2afd13a Error 0x0 10092 0 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] Disallowing: com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension
2022-06-24 10:03:41.336858-0700 0x2afd136 Default 0x0 58495 0 amfid: /Library/SystemExtensions/29740531-05AF-45A5-86BA-B90086AD3947/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension signature not valid: -67671
2022-06-24 10:03:41.336976-0700 0x2afd31d Default 0x0 0 0 kernel: mac_vnode_check_signature: /Library/SystemExtensions/29740531-05AF-45A5-86BA-B90086AD3947/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension: code signature validation failed fatally: When validating /Library/SystemExtensions/29740531-05AF-45A5-86BA-B90086AD3947/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension:
2022-06-24 10:03:41.337005-0700 0x2afd31d Default 0x0 0 0 kernel: proc 10165: load code signature error 4 for file "com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension"
2022-06-24 10:03:41.337947-0700 0x2afd31e Default 0x0 0 0 kernel: com.example.apple-samplecode.Sam[10165] Corpse allowed 1 of 5
2022-06-24 10:03:43.610407-0700 0x2afd13d Default 0x0 74723 0 ReportCrash: Formulating fatal 309 report for corpse[10165] com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extensi
2022-06-24 10:03:43.612784-0700 0x2afd13d Default 0x0 74723 0 ReportCrash: Unable to find store record for 'file:///Library/SystemExtensions/29740531-05AF-45A5-86BA-B90086AD3947/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/': Error Domain=NSOSStatusErrorDomain Code=-10811 "kLSNotAnApplicationErr: Item needs to be an application, but is not" UserInfo={_LSLine=175, _LSFunction=_LSFindBundleWithInfo_NoIOFiltered}
2022-06-24 10:03:43.628775-0700 0x2afd13d Default 0x0 74723 0 ReportCrash: com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension is not a MetricKit client
2022-06-24 10:03:43.629125-0700 0x2afd13d Default 0x0 74723 0 ReportCrash: (CoreAnalytics) [com.apple.CoreAnalytics.stability-event:event-send] Sending event: com.apple.stability.crash {"bundleID":"com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension","bundleVersion":"1","exceptionCodes":"0x0000000000000000, 0x0000000000000000(\n 0,\n 0\n)EXC_CRASHSIGKILL (Code Signature Invalid)","incidentID":"81CBD9E8-3A8D-4A7A-88CF-628648696D26","logwritten":0,"process":"com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extensi","terminationReasonExceptionCode":"0x1","terminationReasonNamespace":"CODESIGNING"}
2022-06-24 10:03:43.630773-0700 0x2afd1fc Default 0x0 221 0 analyticsd: [com.apple.CoreAnalytics.stability-event:event-recv] Received event: com.apple.stability.crash {"bundleID":"com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension","bundleVersion":"1","exceptionCodes":"0x0000000000000000, 0x0000000000000000(\n 0,\n 0\n)EXC_CRASHSIGKILL (Code Signature Invalid)","incidentID":"81CBD9E8-3A8D-4A7A-88CF-628648696D26","logwritten":0,"process":"com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extensi","terminationReasonExceptionCode":"0x1","terminationReasonNamespace":"CODESIGNING"}
2022-06-24 10:03:43.631178-0700 0x2afd1fc Default 0x0 221 0 analyticsd: [com.apple.CoreAnalytics.stability-event:event-aggregated] Aggregated. Transform: StabilityC
Post not yet marked as solved
I have not been able to get past the build step even with the Apple developer ID:
Xcode produces this output:
Showing All Messages
CodeSign /Users/dburns/Library/Developer/Xcode/DerivedData/SampleEndpointApp-gluqgtgmgmygtkhgptdeksvjhymc/Build/Products/Debug/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension (in target 'Extension' from project 'SampleEndpointApp')
cd /Users/dburns/Downloads/MonitoringSystemEventsWithEndpointSecurity
export CODESIGN_ALLOCATE\=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
Signing Identity: "Apple Development: Darrell Burns (Z28Q26L68P)"
Provisioning Profile: "Mac Team Provisioning Profile: *"
(122c0ef2-e0dd-46ba-aaf0-e328878c59ba)
/usr/bin/codesign --force --sign B841650ADB2CD18298DB8682592DEE4D546B3A81 -o runtime --entitlements /Users/dburns/Library/Developer/Xcode/DerivedData/SampleEndpointApp-gluqgtgmgmygtkhgptdeksvjhymc/Build/Intermediates.noindex/SampleEndpointApp.build/Debug/Extension.build/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension.xcent --timestamp\=none --generate-entitlement-der /Users/dburns/Library/Developer/Xcode/DerivedData/SampleEndpointApp-gluqgtgmgmygtkhgptdeksvjhymc/Build/Products/Debug/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension
B841650ADB2CD18298DB8682592DEE4D546B3A81: no identity found
Command CodeSign failed with a nonzero exit code
Having verified that the signing identity is actually there and valid, I'm not sure what else to do:
Policy: X.509 Basic
Matching identities
1) EED3A8A1BF2EA9067467F2114813C5A0F50D5F01 "Developer ID Application: Fidelis Cybersecurity, INC (AMLU8U****)"
2) 2059C6EC07FD91BB9AC933E5059BE41374E2103C "Apple Development: Darrell Burns (Z28Q26L68P)"
2 identities found
Valid identities only
1) EED3A8A1BF2EA9067467F2114813C5A0F50D5F01 "Developer ID Application: Fidelis Cybersecurity, INC (AMLU8U****)"
2) 2059C6EC07FD91BB9AC933E5059BE41374E2103C "Apple Development: Darrell Burns (Z28Q26L68P)"
2 valid identities found
Post not yet marked as solved
Yes, it is correct. Here is the email I received:
Hello,
Your request to use Endpoint Security was approved.
You will need to enable two capabilities for your Bundle ID. Click Identifiers
in the sidebar, then select the Mac App ID that you will use for Endpoint
Security. Under Capabilities, enable System Extension. Under Additional
Capabilities, enable Endpoint Security. Click Save in the top-right of the
page, review the alert that appears, and confirm if you accept the changes.
Then generate a new provisioning profile for your App ID by clicking Profiles
in the sidebar and the Add button (+) in the upper-left corner.
Once your profile has been created, you'll need to configure your Xcode project
for manual code signing. If your Xcode project doesn't already have an
entitlements file, create a new property list file and change its extension
from .plist to .entitlements. Add the keys and values of the entitlements used
in your project to the .entitlements file, then follow the rest of the Xcode manual
signing process.
For troubleshooting, see Technote 2415 Entitlements Troubleshooting and
Debugging Entitlement Issues. If you need additional support, visit the Apple
Developer Forums or submit a Technical Support Incident.
Best regards,
Apple Developer Relations
I am using the correct developer ID signing certificate for both the app and the extension:
I have gone through this process three times now, with the same results, and I'm sure something is missing in the documentation. Obviously, someone has been able to run this prior to my attempts.
Post not yet marked as solved
Yes, and I have enabled it in the identifier for this sample:
Post not yet marked as solved
It doesn't look like it:
ps ajxww|grep -i sysex|grep -v grep
root 6290 1 6290 0 0 Ss ?? 0:00.16 /System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd
ps ajxww|grep -i endpoint|grep -v grep
root 75 1 75 0 0 Ss ?? 0:00.02 endpointsecurityd
I don't believe I have seen an ES man page, and that link you added doesn't take you there either.
Post not yet marked as solved
I have this working now. First, I changed my code structure:
ProtectOnAccess.app
ProtectOnAccess.app/Contents
ProtectOnAccess.app/Contents/_CodeSignature
ProtectOnAccess.app/Contents/_CodeSignature/CodeResources
ProtectOnAccess.app/Contents/MacOS
ProtectOnAccess.app/Contents/MacOS/ProtectOnAccess
ProtectOnAccess.app/Contents/Resources
ProtectOnAccess.app/Contents/Resources/Info.plist
ProtectOnAccess.app/Contents/embedded.provisionprofile
ProtectOnAccess.app/Contents/Info.plist
ProtectOnAccess.app/Contents/PkgInfo
I removed these folders:
ProtectOnAccess.app//Contents/_CodeSignature/CodeDirectory
ProtectOnAccess.app//Contents/_CodeSignature/CodeRequirements-1
ProtectOnAccess.app//Contents/_CodeSignature/CodeSignature
ProtectOnAccess.app//Contents/_CodeSignature/CodeRequirements
Next thing I had to do was change my executable name from protect_am to ProtectOnAccess in order to match what was in the CFBundleExecutable property in Info.plist.
Finally, when copying my code to the Application Support folder, I needed to remove what was there previously and then copy in the new application. This assigns a new inode to the files, which avoids a bug where the cached kernel copy of the executable is not refreshed.
Thanks, Quinn!
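An added example, not part of the original post: Python code for the two checks described above, confirming that the file named by CFBundleExecutable exists in Contents/MacOS and replacing an installed bundle so that every file gets a new inode. It stages the new copy beside the old one before removing it, a variation on the remove-then-copy order in the post; the function names and the `.staged` suffix are assumptions.

```python
import os
import plistlib
import shutil
from pathlib import Path


def bundle_executable(app: Path) -> Path:
    """Return the file named by CFBundleExecutable, or raise if it is missing."""
    with open(app / "Contents" / "Info.plist", "rb") as fh:
        name = plistlib.load(fh).get("CFBundleExecutable")
    if not name:
        raise ValueError("Info.plist has no CFBundleExecutable")
    macos = app / "Contents" / "MacOS"
    exe = macos / name
    if not exe.is_file():
        present = sorted(p.name for p in macos.iterdir()) if macos.is_dir() else []
        raise ValueError(f"CFBundleExecutable is {name!r}, Contents/MacOS holds {present}")
    return exe


def inodes(app: Path) -> dict:
    """Map each regular file's bundle-relative path to its inode number."""
    return {str(p.relative_to(app)): p.stat().st_ino
            for p in sorted(app.rglob("*")) if p.is_file() and not p.is_symlink()}


def replace_bundle(src: Path, dest: Path) -> dict:
    """Install src at dest so that no file keeps an inode of the old copy.

    The new copy is staged beside dest while the old one still exists, so the
    two sets of inode numbers cannot overlap; the old tree is then removed and
    the staged tree renamed into place (a rename keeps the new inodes).
    """
    bundle_executable(src)                          # refuse a mismatched bundle
    old = inodes(dest) if dest.exists() else {}
    staged = dest.with_name(dest.name + ".staged")  # hypothetical staging name
    if staged.exists():
        shutil.rmtree(staged)
    shutil.copytree(src, staged, symlinks=True)
    if dest.exists():
        shutil.rmtree(dest)
    os.rename(staged, dest)
    new = inodes(dest)
    reused = sorted(set(old.values()) & set(new.values()))
    if reused:
        raise RuntimeError(f"inode numbers reused: {reused}")
    return new
```

The bundle must be re-signed before deployment if the executable was renamed, since the rename changes what the signature seals.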
Post not yet marked as solved
I have created and downloaded several profiles, but Xcode always complains that the profile does not include the signing certificate! Not sure what I'm doing wrong. I have the signing cert and private key in my keychain. What am I missing?
Post not yet marked as solved
I am using sudo -su
I did not add "com.apple.developer.team-identifier" to my entitlements.
I am using Xcode to build and archive, but I am manually signing and notarizing. I created a disk image using a script I found in another of your posts: (Manual Code Signing Example)
Here is some more information on the executable:
#codesign -dv --verbose=4 ./DaemonInAppsClothing
Executable=/Library/Application Support/DaemonInAppsClothing/DaemonInAppsClothing.app/Contents/MacOS/DaemonInAppsClothing
Identifier=Fidelis.DaemonInAppsClothing
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1032 flags=0x10000(runtime) hashes=21+7 location=embedded
VersionPlatform=1
VersionMin=786688
VersionSDK=786688
Hash type=sha256 size=32
CandidateCDHash sha256=8a7f854608607af4862cc81643c9a694e645b990
CandidateCDHashFull sha256=8a7f854608607af4862cc81643c9a694e645b990a283366dce26b3000f6bff05
Hash choices=sha256
CMSDigest=8a7f854608607af4862cc81643c9a694e645b990a283366dce26b3000f6bff05
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=32768
Executable Segment flags=0x1
Page size=4096
CDHash=8a7f854608607af4862cc81643c9a694e645b990
Signature size=9003
Authority=Developer ID Application: Fidelis Cybersecurity, INC (AMLU8UA7F6)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 28, 2022 at 10:12:08 AM
Info.plist entries=20
TeamIdentifier=AMLU8UA7F6
Runtime Version=12.1.0
Sealed Resources version=2 rules=13 files=944
Internal requirements count=1 size=64
So I think somehow it does know my identity, but something I changed recently won't let it run on 11.X. It now tells me I need version 12.1 or newer for this app.
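An added example, not from the thread: a Python parser for `codesign -dv --verbose=4` output in the format posted above. It decodes VersionMin and VersionSDK, which are packed X.Y.Z values (786688 is 12.1.0, 720896 is 11.0.0), and summarises the signing authority; the function names are assumptions, and reading `Timestamp=` as a secure timestamp (versus `Signed Time=`) follows codesign's usual output.

```python
import re

SAMPLE = """\
Identifier=Fidelis.DaemonInAppsClothing
CodeDirectory v=20500 size=1032 flags=0x10000(runtime) hashes=21+7 location=embedded
VersionMin=786688
VersionSDK=786688
CandidateCDHashFull sha256=8a7f854608607af4862cc81643c9a694e645b990a283366dce26b3000f6bff05
CDHash=8a7f854608607af4862cc81643c9a694e645b990
Authority=Developer ID Application: Fidelis Cybersecurity, INC (AMLU8UA7F6)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 28, 2022 at 10:12:08 AM
"""  # abridged from the codesign output quoted in the post above


def decode_version(packed: int) -> tuple:
    """Unpack X.Y.Z stored as 16-bit major, 8-bit minor, 8-bit patch."""
    return (packed >> 16, (packed >> 8) & 0xFF, packed & 0xFF)


def parse_codesign(text: str) -> dict:
    """Summarise codesign display output (one key=value pair per line)."""
    fields, chain = {}, []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if key == "Authority":
            chain.append(value)          # leaf certificate first, root last
        elif sep:
            fields.setdefault(key, value)
    flags = re.search(r"flags=\S*\(([^)]*)\)", fields.get("CodeDirectory v", ""))
    leaf = chain[0] if chain else ""
    return {
        "identifier": fields.get("Identifier"),
        "min_os": decode_version(int(fields["VersionMin"])),
        "sdk": decode_version(int(fields["VersionSDK"])),
        "hardened_runtime": bool(flags) and "runtime" in flags.group(1).split(","),
        "signing": leaf.split(":")[0] if leaf else "ad hoc or unsigned",
        "secure_timestamp": "Timestamp" in fields,
        "cdhash_matches": fields.get("CandidateCDHashFull sha256", "").startswith(
            fields.get("CDHash", "?")),
    }


def can_launch_on(summary: dict, os_version: str) -> bool:
    """True if os_version (for example "11.6.5") meets the binary's minimum OS."""
    have = tuple(int(p) for p in os_version.split("."))
    return (have + (0, 0, 0))[:3] >= summary["min_os"]
```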