“codesign”

The system applies the same code signing and library validation checks regardless of whether you import the library or load the library dynamically. I agree with Etresoft that importing the library is the better option, but if you can’t change that then it’s not a showstopper. As to why LLDB is hanging, I don’t have an easy answer to that. I suspect it’s some sort of code signing or library validation issue. I’m disinclined to chase that because: LLDB isn’t a great tool for debugging code signing and library validation issues. It has enough on its plate being a debugger. Once you work out what’s going wrong with the library loading, it’s likely that LLDB will just start working again. Anyway, just to get us on a firm footing, I decide to run a test: On macOS 14.7.1 using Xcode 16.1, I created a new macOS app project. I downloaded the disk image from your first post and extracted the OpenSSL libraries. I modified them to be rpath-relative, per the docs I referenced above. I’ve put the exact commands at the end

I thought an example of the command line output might be useful, so here is the output of my specific test app: Command: codesign -dvvv --ent :- HIDKeyboardApp.app Entitlement block at end of output: .... com.apple.application-identifierVKPFXJZWAV.com.appledts.kevine.KeyboardAppcom.apple.developer.system-extension.installcom.apple.developer.team-identifierVKPFXJZWAVcom.apple.security.app-sandboxcom.apple.security.files.user-selected.read-only Command: security cms -D -i HIDKeyboardApp.app/Contents/embedded.provisionprofile Entitlement block at end of output: .... Entitlements com.apple.developer.system-extension.install com.apple.application-identifier VKPFXJZWAV.com.appledts.kevine.KeyboardApp keychain-access-groups VKPFXJZWAV.* com.apple.developer.team-identifier VKPFXJZWAV ExpirationDate 2042-10-07T18:15:36Z Name Mac Team Direct Provisioning Profile: com.appledts.kevine.KeyboardApp ProvisionsAllDevices TeamIdentifier VKPFXJZWAV TeamName Kevin Elliott TimeToLive 6570 UUID 339032ce-3f1c-4b56

Stepping back for a moment, I think it's important to understand what's actually going on here. The starting point here is that there are two sets of data at work here: (1) Your Xcode project has a set of data about your app, particularly the entitlement list, which are embedded in the codes signature of your app. That data can actually be viewed with the command: codesign -dvvv --ent :- (2) The developer portal has a set of data about apps bundle ID, particularly the entitlement list, which is used to generate a provisioning profile which will be embedded inside your apps bundle. That data can actually be viewed with one of the following commands*: *iOS and macOS use slightly different names and locations, a fact which is annoying when you jump back and forth between platforms. I wrote a script years ago which simply tried all 4 possibilities and am now working hard to not remember which is which. security cms -D -i /embedded.mobileprovision security cms -D -i /embedded.provisionprofile security cm

Thanks for confirming that. I would expect this to work. When you use an iOS-style app group ID in a Mac Catalyst app, Xcode generates a provisioning profile to authorise that use. So this use falls under case D in App Groups: macOS vs iOS: Fight!. Consider this tiny test app I just created: % codesign -d --entitlements - Debug-maccatalyst/Test766580.app Executable=/Users/quinn/Library/Developer/Xcode/DerivedData/Test766580-beavevigoaauqrfhkfssttblupau/Build/Products/Debug-maccatalyst/Test766580.app/Contents/MacOS/Test766580 [Dict] … [Key] com.apple.security.application-groups [Value] [Array] [String] group.eskimo1.test [Key] com.apple.security.get-task-allow [Value] [Bool] true … % security cms -D -i Debug-maccatalyst/Test766580.app/Contents/embedded.provisionprofile | plutil -p - { … Entitlements => { … com.apple.security.application-groups => [ 0 => group.eskimo1.test ] … } … } Note the presence of com.apple.security.get-task-allow, showing that this is a development build. And that group

Thank you both for the responses. We have accomplished the Team Agent request for entitlements for PCI DriverKit - it looks like I am able to perform all other tasks necessary at my admin level on the developer portal. Following ssmith_c's advice, I was able to build, sign, notarize, and deploy a dext within a hosting application, the added export and manual selection seemed to be the difference I needed. However, I'm still encountering some issues with Xcode 15.2 when trying to make a distributable application that works with the dext (#3 of the software types listed above). One worked, and one seemed to not work. The not working one is crashing based on: Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid)) Exception Codes: 0x0000000000000000, 0x0000000000000000 Termination Reason: CODESIGNING 1 Taskgated Invalid Signature Using codesign to inspect the signature, it seems ok, but I likely am just not seeing the issue: daniek3@MacBook-Pro Project % codesign -dv --verbose=3 A

I dig into the issue, hence I have 2 executable files in the app under xxx.app/Contents/MacOS: M and N, M is in the Info.plist and is the CFBundleExecutable file, after signed the M with codesign, returns with this: signed app bundle with Mach-O thin (arm64) [CFBundleIdentifier]; otherwise, the N signed with codesign in the same way, returned with this: signed Mach-O thin (arm64) [N]. And I installed the APP on my machine, when I clicked the M executable file, seems it passed the gatekeeper, but I clicked the N, seems the gatekeeper check fails. I am not sure it's the reason.

Hello, I still get some errors: Process tccd Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={TCCDProcess: identifier=com.sampleApp.app, pid=72680, auid=502, euid=502, binary_path=[PATH_TO_APP]]}, requesting={TCCDProcess: identifier=com.apple.appleeventsd, pid=831, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd}, Process python3.11 flock failed to lock list file (): errno = 35 Basically the changes I made are: Used the code from 'Running a Child Process with Standard Input and Output', it works great, thanks! Made a Run script to sign the executable: codesign -s - -i com.sampleApp.app.Python -o runtime --entitlements $ENTITLEMENTS_PATH -f $BINARY_PATH And then created a copy build phase to place the executable in Executables destination. Code sign on copy is selected. (Verified that it is placed in MacOS folder, and correctly signed.) These are the Entitlemen