Post marked as solved
Hello,

The application I'm working on has started requiring endpoint-security permissions. Before the changes it had followed signing (without additional entitlements) and ".pkg" packaging processes for several years without issues.

The Security Endpoint entitlement was requested and approved. After that, "Security Extension" was enabled for the App ID we use. The build process (without Xcode) was updated to use the entitlement file during signing. After the update the signing and packaging steps were successful. The package can be installed without issues as well. Running the application results in an immediate "Killed: 9".

During troubleshooting it turned out that even a dummy hello-world C binary behaves the same way after signing.

The C code (just for reference):

```c
$ cat test.c
#include <stdio.h>

int main(void)
{
    printf("Hello world\n");
    return 0;
}
```

The entitlement file:

```xml
$ cat entitlements.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
</dict>
</plist>
```

For signing we use keys imported to a temporary keychain from a developer profile (just for reference):

```sh
security delete-keychain temp-keychain
security create-keychain -p ******** temp-keychain
security unlock-keychain -p ******** temp-keychain
security list-keychains -d user -s login.keychain temp-keychain
security import /path/to/developer/identities/<Developer ID Application>.p12 -k temp-keychain -P ******** -T /usr/bin/codesign -T /usr/bin/productsign temp-keychain
security import /path/to/developer/identities/<Developer ID Installer>.p12 -k temp-keychain -P ******** -T /usr/bin/codesign -T /usr/bin/productsign temp-keychain
security show-keychain-info temp-keychain
security set-key-partition-list -S apple-tool:,apple: -s -k ******** temp-keychain
security default-keychain
```

Result:

Without entitlements:

```
$ codesign -vvvvv -s "Developer ID Application: ..." --verbose --deep --force --timestamp --options=runtime test
test: signed Mach-O thin (x86_64) [test]
$ codesign -dv test
Executable=/private/tmp/1/test
Identifier=test
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=304 flags=0x10000(runtime) hashes=4+2 location=embedded
Signature size=9099
Timestamp=18 Aug BE 2564 23:37:54
Info.plist=not bound
TeamIdentifier=XXXXXXXXXX
Runtime Version=10.15.4
Sealed Resources=none
Internal requirements count=1 size=164
$ codesign -d --entitlements :- test
Executable=/private/tmp/1/test
$ ./test
Hello world
```

With entitlements:

```
$ codesign -vvvvv -s "Developer ID Application: ..." --verbose --deep --force --timestamp --options=runtime --entitlements entitlements.plist test
test: signed Mach-O thin (x86_64) [test]
$ codesign -dv test
Executable=/private/tmp/1/test
Identifier=test
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=400 flags=0x10000(runtime) hashes=4+5 location=embedded
Signature size=9099
Timestamp=18 Aug BE 2564 23:40:00
Info.plist=not bound
TeamIdentifier=XXXXXXXXXX
Runtime Version=10.15.4
Sealed Resources=none
Internal requirements count=1 size=164
$ codesign -d --entitlements :- test
Executable=/private/tmp/1/test
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
</dict>
</plist>
$ ./test
Killed: 9
```

I'm under the impression that I'm missing something trivial, but I'm out of ideas already. Any piece of advice on what should be verified is welcome.
Posted by NXLog.
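An added check, written for this page rather than taken from the post or from NXLog: it parses the entitlements plist that `codesign -d --entitlements :- test` prints and flags a restricted entitlement that is set on a bare executable, or on an app bundle that carries no embedded provisioning profile. It relies on a fact the post does not state, namely that the Endpoint Security client entitlement must be granted by a provisioning profile embedded in the .app bundle, and on constructed sample data; `dump_entitlements` only works on macOS.

```python
"""Check a signed macOS executable for restricted entitlements that cannot take effect."""
from __future__ import annotations
import plistlib
import subprocess
import tempfile
from pathlib import Path

# Fact this check relies on (not stated in the post): the Endpoint Security client
# entitlement is restricted and only takes effect when a provisioning profile that grants
# it is embedded at Contents/embedded.provisionprofile, which a bare Mach-O cannot carry.
RESTRICTED = {"com.apple.developer.endpoint-security.client"}

# Constructed sample: the entitlements XML the post's `codesign -d --entitlements :- test` prints.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>com.apple.developer.endpoint-security.client</key><true/>
</dict></plist>"""

def parse_entitlements(plist_xml: bytes) -> dict:
    """Parse the plist codesign prints; empty output means the binary has no entitlements blob."""
    return plistlib.loads(plist_xml) if plist_xml.strip() else {}

def dump_entitlements(binary: Path) -> bytes:
    """macOS only: codesign writes the plist to stdout and the Executable= line to stderr."""
    return subprocess.run(["codesign", "-d", "--entitlements", ":-", str(binary)], capture_output=True, check=True).stdout

def audit(entitlements: dict, bundle: Path | None) -> list[str]:
    """Findings for restricted entitlements that are set but cannot be honoured (bundle=None: bare executable)."""
    wanted = sorted(k for k, v in entitlements.items() if v and k in RESTRICTED)
    if not wanted:
        return []
    if bundle is None:
        return [f"{k}: bare executable cannot embed a provisioning profile" for k in wanted]
    profile = bundle / "Contents" / "embedded.provisionprofile"
    if not profile.is_file():
        return [f"{k}: {profile} is missing" for k in wanted]
    return []  # profile present; still confirm it grants the key (security cms -D -i <profile>)

def demo() -> dict:
    """Constructed scenarios: bare binary, bundle without a profile, bundle with one."""
    ents = parse_entitlements(SAMPLE_ENTITLEMENTS)
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Test.app"
        (app / "Contents").mkdir(parents=True)
        no_profile = audit(ents, app)
        (app / "Contents" / "embedded.provisionprofile").write_bytes(b"placeholder (constructed)")
        with_profile = audit(ents, app)
    return {"bare": len(audit(ents, None)), "no_profile": len(no_profile), "profile": len(with_profile)}
```

On a real machine, `audit(parse_entitlements(dump_entitlements(Path("Test.app/Contents/MacOS/Test"))), Path("Test.app"))` runs the same check against a built bundle.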