Code Signing


Certify that an app was created by you using Code signing, a macOS security technology.

Posts under Code Signing tag

200 Posts
Each post below is followed by its reply count, boost count, view count and last-activity date.

codesign not signing helper executable in AppleScript bundle
My AppleScript .app bundle contains a helper executable. Table 3 of TN2206 says that executables may be in either Contents/MacOS or Contents/Helpers, but Quinn's first reply in this post says that Contents/MacOS is better. So I put the helper in Contents/MacOS, alongside applet. I sign the AppleScript .app bundle for Developer ID and Hardened Runtime by running the codesign command with arguments recommended by Quinn in this post. Result: Notary Service rejects the .app bundle due to 3 issues with the helper: it is not signed with a valid Developer ID certificate; it does not include a secure timestamp; it does not have the hardened runtime enabled. (Possibly it still has a years-old signature without Developer ID and Hardened Runtime.) So it seems that the helper is not being (re-)signed. If, instead of signing the .app bundle, I run Quinn's codesign command twice, once on the applet and once on the second executable, then Notary Service is happy with the bundle. I was hoping that, after all these years, codesign is now smart enough to find and sign all of the executables inside a bundle. Both executables are x86_64 non-fat (I guess I should fatten those) and I have installed Xcode 15.1 Beta. Should I file a bug, or am I doing something wrong?
Replies: 1 · Boosts: 0 · Views: 477 · Oct ’23
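The post above hits the general rule that codesign signs only the item it is pointed at, so nested helpers keep whatever signature they already had. The script below is an added example (not code from the post) that audits every code item inside a bundle for the three things the notary service rejected: a Developer ID signature, a secure timestamp, and the hardened runtime flag. It parses the text that `codesign -d --verbose=4` prints; the two sample dumps are constructed and abridged to the lines the checker reads, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit each nested code item in an app bundle for the
# Developer ID / timestamp / hardened-runtime requirements of notarization.

# Read one `codesign -d --verbose=4` dump from stdin. Print "ok" and return 0
# when all three requirements are met; otherwise print the missing ones
# (space separated) and return 1.
cs_audit_info() {
    dump=$(cat)
    missing=""
    printf '%s\n' "$dump" | grep -q '^Authority=Developer ID Application:' \
        || missing="$missing no-developer-id"
    printf '%s\n' "$dump" | grep -q '^Timestamp=' \
        || missing="$missing no-timestamp"
    # The hardened runtime shows up in the CodeDirectory line, e.g. flags=0x10000(runtime).
    printf '%s\n' "$dump" | grep -q '^CodeDirectory .*(.*runtime' \
        || missing="$missing no-hardened-runtime"
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "${missing# }"
    return 1
}

# Walk an app bundle, deepest items first, and audit each nested bundle and each
# loose Mach-O (anything executable plus .dylib/.so). Output is one
# "verdict<TAB>path" line per item. An unsigned item fails all three checks;
# plain scripts with +x are listed too and can be ignored, the notary service
# only looks at Mach-O code.
audit_bundle() {
    find "$1" -depth \( -name '*.framework' -o -name '*.appex' -o -name '*.app' \
            -o -name '*.systemextension' -o -name '*.xpc' -o -name '*.dylib' \
            -o -name '*.so' -o \( -type f -perm -u+x \) \) -print |
    while IFS= read -r item; do
        # codesign -d writes its dump to stderr; an unsigned item yields no
        # Authority/Timestamp/CodeDirectory lines at all.
        verdict=$(codesign -d --verbose=4 "$item" 2>&1 | cs_audit_info) || true
        printf '%s\t%s\n' "$verdict" "$item"
    done
}

# Constructed sample dumps (not real signatures), trimmed to the lines read above.
SAMPLE_SIGNED='Executable=/tmp/Example.app/Contents/MacOS/helper
Identifier=com.example.helper
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+3 location=embedded
Signature size=9000
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Oct 5, 2023 at 10:00:00 AM
Sealed Resources=none'

SAMPLE_STALE='Executable=/tmp/Example.app/Contents/MacOS/helper
Identifier=com.example.helper
Format=Mach-O thin (x86_64)
CodeDirectory v=20200 size=1234 flags=0x0(none) hashes=30+3 location=embedded
Signature size=4000
Authority=Mac Developer: Jane Doe (XYZ987)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Sealed Resources=none'

if [ "$#" -eq 1 ]; then
    # Print every verdict and exit 1 if anything inside the bundle falls short.
    audit_bundle "$1" | awk -F'\t' '{ print } $1 != "ok" { bad = 1 } END { exit bad }'
fi
```

Run it as `sh audit.sh MyApp.app` before submitting to the notary service; every line that is not `ok` is an item that has to be signed individually (inside out: helpers first, the outer app last).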
macdeployqt codesign verification error
I'm using macdeployqt with codesigning. At the end of deploying, macdeployqt fails codesign verification:

ERROR: codesign verification error: ERROR: "strawberry.app: code has no resources but signature indicates they must be present\nIn subcomponent: /Users/jonas/Projects/strawberry/build/strawberry.app/Contents/Frameworks/QtGui.framework\n"

Same thing happens when running codesign verification manually after macdeployqt is finished:

jonas@ni214 build % codesign --deep -v strawberry.app
strawberry.app: code has no resources but signature indicates they must be present
In subcomponent: /Users/jonas/Projects/strawberry/build/strawberry.app/Contents/Frameworks/QtGui.framework

The file structure looks like this:

jonas@ni214 build % find strawberry.app/Contents/Frameworks/QtGui.framework
strawberry.app/Contents/Frameworks/QtGui.framework
strawberry.app/Contents/Frameworks/QtGui.framework/Resources
strawberry.app/Contents/Frameworks/QtGui.framework/Versions
strawberry.app/Contents/Frameworks/QtGui.framework/Versions/A
strawberry.app/Contents/Frameworks/QtGui.framework/Versions/A/Resources
strawberry.app/Contents/Frameworks/QtGui.framework/Versions/A/Resources/Info.plist
strawberry.app/Contents/Frameworks/QtGui.framework/Versions/A/QtGui
strawberry.app/Contents/Frameworks/QtGui.framework/Versions/Current
strawberry.app/Contents/Frameworks/QtGui.framework/QtGui

This is Qt 6.5.2 built from source on macOS Ventura. Looks like codesign verification fails on all Qt modules, it's just random which one it fails on first. Is this a bug in macdeployqt? Jonas
Replies: 5 · Boosts: 0 · Views: 696 · Oct ’23
App is notarized successfully, but crashes with 'Code Signature Invalid' when loading compiled C binary.
I'm attempting to notarize and distribute a game built with Love2D. Love2D is an engine which runs games written in Lua and bundled into .love files, which are identical to .zip files. Packaging a game for Mac distribution involves cloning the Love2D Xcode project, providing your built game.love file (the zipped game content), and then signing and notarizing as with any other Mac app (see more on the Love2D wiki: https://love2d.org/wiki/Game_Distribution#Creating_a_macOS_Application). I'm encountering an issue because my game contains compiled C binaries which the game loads at runtime. These binaries are compiled for MacOS x86 and arm64, and work perfectly in development. I am able to successfully build and sign the game with my Developer ID Application certificate and provisioning profile, but notarization of the game fails because the compiled C binaries are not signed; below is an excerpt from the audit log: { "severity": "error", "code": null, "path": "Bang_Average_Football.zip/love.app/Contents/Resources/game.love/deps/gifcatlib_arm64.so", "message": "The binary is not signed with a valid Developer ID certificate.", "docUrl": "https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues#3087721", "architecture": "arm64" }, I can sign these binaries using codesign and the same certificate as the Mac app like so (with the correct name): codesign --sign "Developer ID Application: Firstname Lastname" --verbose=4 gifcatlib_arm64.so After signing the binaries, the app successfully builds, and is notarized successfully without reporting any code signing issues. Hooray! The issue is that the app doesn't actually run and crashes as soon as it attempts to use any of the now-signed binaries complaining that they haven't been signed correctly. 
Here's a link to the full crash log; the specific error is below: Exception Type: EXC_BAD_ACCESS (SIGKILL (Code Signature Invalid)) Exception Codes: UNKNOWN_0x32 at 0x000000010a9c8000 Exception Codes: 0x0000000000000032, 0x000000010a9c8000 Exception Note: EXC_CORPSE_NOTIFY Termination Reason: Namespace CODESIGNING, Code 2 The same error occurs even with Hardened Runtime disabled and 'Disable Library Validation' enabled. Is there a likely cause of this crash? Why does notarization succeed but the app essentially instacrashes? Have I signed the binaries incorrectly? Is what I'm attempting not actually possible? (can signed and unsigned binaries not really be hotswapped like this?) Please let me know if there's any more information I should provide. Thanks, Ruairi
Replies: 1 · Boosts: 0 · Views: 447 · Oct ’23
Codesign causes the app to not run properly
I signed my application in MacOS 13.4, and the signed objects include all the binary files I compiled myself, and notarizing also works. It can also run normally on my version 13.4 Mac. However, when I copied this application to a computer with Mac OS version 11.3, it couldn't run properly. Dlopen will generate an error message, indicating that some of the dynamic libraries called by the program do not match the signature of the program itself. These dynamic libraries are from JRE, so I re-signed them and notarizing also works. In MacOS 13.4, it still runs normally, but in MacOS 11.3, it will report another error: Error occurred during initialization of VM Could not reserve enough space for code cache What is the reason for this and how should I handle it? Thank you in advance for any comments on this issue.
Replies: 1 · Boosts: 0 · Views: 439 · Oct ’23
errSecInternalComponent building locally with Xcode
I'm running into a code signing issue with an (existing) app that I recently started working on. I haven't run into this problem with other apps built on the same computer using the same framework (Capacitor). When I try to build the app from Xcode, either to run on a linked iPhone or to archive/publish, I get the error message: "Command PhaseScriptExecution failed with a nonzero exit code" That script fails when running /usr/bin/codesign and shows the message errSecInternalComponent. I tried running the same command directly in the terminal and got the same error message. I started going through this forum post and the initial sanity check failed. I ran this from a local terminal, not over ssh or inside tmux. I didn't get any dialog prompts when running it, though that may make sense since I was already logged in: $ cp /usr/bin/true MyTrue $ codesign -s "Apple Development: ..." -f MyTrue MyTrue: replacing existing signature MyTrue: errSecInternalComponent $ echo $? 1 The identity I attempted to use is listed by security find-identity -p codesigning in both the "Matching identities" and "Valid identities only" sections. Keychain Access shows that the certificate is valid. I've tried restarting the computer. I've tried cleaning the build folder from Xcode. Any other suggestions for diagnosing and/or fixing the problem?
Replies: 9 · Boosts: 0 · Views: 949 · Oct ’23
App embedded in Java app
Hi folks I am struggling with following scenario: We have an app implemented in Java (Parent app). From this parent app I would like to call .app that is implemented in Swift (Child app). We are trying to build package that can be distributed in Appstore using Install4j, partially with success. The app can be validated and distributed in TestFlight, however when we are trying to open child app, nothing happens. The app does not open. I am not sure if we do correct signing BECAUSE, when we initially distributed the app outside AppStore, Child App was signed with Developer ID Application and it did work correctly. How should we sign all apps? Is there any other way that we can pack this scenario without using Install4j?
Replies: 1 · Boosts: 0 · Views: 487 · Oct ’23
Unable to access keychain from jenkins(Build) machine.
Dear Apple Support Team, I hope this message finds you well. We are currently experiencing an issue with product signing on our build machine, specifically when utilising the productsign command. I would like to provide some context and seek your guidance on potential solutions. We have developed a Mac product. We employ the following productsign command to sign our package: productsign --sign "Developer ID Installer: MyCompany, LLC (12345678)" My.pkg Mysigned.pkg This process functions seamlessly on our local machines. However, when attempting the same operation on our build machine, we consistently encounter the following error: 2023-09-29 04:39:54.925 productsign[98404:549470] SignData failed: Error Domain=NSOSStatusErrorDomain Code=-25308 "CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION" (errKCInteractionNotAllowed / errSecInteractionNotAllowed: / Interaction is not allowed with the Security Server.) UserInfo={numberOfErrorsDeep=0, NSDescription=CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION} Error signing data. productsign: error: Failed to sign the product. It has come to our attention that the build machine utilizes SSH for code signing, which appears to be a contributing factor to this issue. We have researched this matter and found several threads suggesting that unlocking the keychain before signing the product may resolve the problem. However, we are eager to explore alternative solutions and any updates or recommendations you may have. Could you kindly advise if there are additional steps or configurations we should consider to address this issue? We would greatly appreciate any guidance you can provide on this matter. Warm regards, skappdevloper
Replies: 1 · Boosts: 0 · Views: 616 · Oct ’23
Make `rosetta error` more verbose
Hey everyone, while trying to codesign a x86_64 Python app using an arm64 system, I often stumble across a rosetta error like the one depicted down here:

rosetta error: unable to mmap __TEXT: 1 /var/db/oah/.../.../libomp.dylib.aot
zsh: abort PYTORCH_ENABLE_MPS_FALLBACK=1 ./diarize_x86_64 mps

This happens after I codesign the app and then try to run it in a Rosetta2 zsh. This thread is not about the error itself (since I am trying to solve it somewhere else). It is about making this rosetta error more verbose so we can actually work with it. If I run this app/executable on a native x86_64 system, the error is much more informative (and it can actually be debugged):

error dlopen(/var/folders/ws/***/T/yyy/sklearn/__check_build/_check_build.cpython-39-darwin.so, 2): Library not loaded: @rpath/libomp.dylib
Referenced from: /var/folders/ws/***/T/yyy/sklearn/__check_build/_check_build.cpython-39-darwin.so
Reason: no suitable image found. Did find: /private/var/folders/ws/***/T/yyy/sklearn/__check_build/../../libomp.dylib: code signing blocked mmap() of '/private/var/folders/ws/***/T/yyy/sklearn/__check_build/../../libomp.dylib'
___________________________________________________________________________
Contents of /var/folders/ws/***/T/yyy/sklearn/__check_build: __init__.py __pycache__ _check_build.cpython-39-darwin.so
___________________________________________________________________________
It seems that scikit-learn has not been built correctly. If you have installed scikit-learn from source, please do not forget to build the package before using it: run `python setup.py install` or `make` in the source directory. If you have used an installer, please check that it is suited for your Python version, your operating system and your platform.

It would be great if we could get this output using a Rosetta2 zsh with an arm64 system, because the simple rosetta error is hard (or impossible) to debug. Is there a way to do this?
Replies: 0 · Boosts: 1 · Views: 475 · Oct ’23
MacOS App Store Upload failing
I have an app I'm building for both iOS and MacOS using a common swift code base. I've been successful to upload the iOS version to the App Store and run beta testing. I'm now at the point of doing the same with Mac OS and I'm not getting the App Store validation to pass on my archive validation. I have a developer ID, entitlements set and it seems like all is well until I run the validation: Invalid Provisioning Profile. The provisioning profile included in the bundle org.boltontek.Jam-It-Up [org.boltontek.Jam-It-Up.pkg/Payload/Jam It Up.app] is invalid. [Invalid 'com.apple.application-identifier' entitlement value.] For more information, visit the macOS Developer Portal. (ID: 79b53a46-2501-4559-a14c-7bbeaf34ebd6) Where exactly do I go to get this more information? I'd love to know what the invalid entitlement is.
Replies: 3 · Boosts: 0 · Views: 435 · Oct ’23
Codesigning a MacOS app breaks the app.
Context: I'm developing a python app with Tkinter GUI on a 2020 M1 Macbook Air. I have already built, signed, and notarized the app successfully on the native arm64 architecture - so far so good. Now I am trying to do the same for x86_64, on the same machine. I've built a conda environment for x86_64, built the app with pyinstaller, and verified that it runs when I double-click on AppName.app. So far so good. The problem happens when I sign it. After signing with the same command I used for the arm64 version:

codesign -s "Developer ID Application: MY_CERTIFICATE_NAME" -v --deep --timestamp --entitlements entitlements.plist -o runtime "dist/MyAppName.app" --force

Entitlements file just sets com.apple.security.cs.allow-unsigned-executable-memory to true - apparently necessary for python programs. The app now crashes when I double-click. The crash-log contains the line:

Termination Reason: Namespace ROSETTA, Code 0
rosetta error: unable to mmap __TEXT: 1 /var/db/*/libffi.8.dylib.aot

When I try to run from command line with ./projects/eagle_eyes_video_scanner/dist/EagleEyesScan.app/Contents/MacOS/main I get another error:

rosetta error: unable to mmap __TEXT: 1   /var/db/oah/ffdfb26a8f1f835406614fae08b99665733faafa40599b6bc0aace0981564015/4893345e2743c970aa1c71f137e03f8e791c82b6b7354da038bebfac5673be73/libffi.8.dylib.aot
zsh: abort   ./projects/eagle_eyes_video_scanner/dist/EagleEyesScan.app/Contents/MacOS/mai

I don't know if this libffi is central to the problem or just the first thing to fail. So, how can I sign my app without breaking it?
Replies: 7 · Boosts: 1 · Views: 2.6k · Sep ’23
Sign app bundle
Hello, I want to modify an app bundle for my MacBook Air, but I'm having some trouble. If I try to sign with my dev certificate (created with Xcode), an invalid signature error appears:

/Applications/Foo.app/Contents/MacOS/Foo not valid: Error Domain=AppleMobileFileIntegrityError Code=-423 "The file is adhoc signed or signed by an unknown certificate chain" UserInfo={NSURL=file:///Applications/Foo.app/Contents/MacOS/Foo, NSLocalizedDescription=The file is adhoc signed or signed by an unknown certificate chain}

If I modify the Mach-O binary in the folder, the app can not be started. So what should I do? Thanks!
Replies: 10 · Boosts: 0 · Views: 890 · Sep ’23
Exporting a Developer ID Network Extension
macOS allows you to independently distribute a Network Extension using Developer ID signing, but with an important wrinkle. This post explains that wrinkle, its effect on Xcode, and how you get around it. If you have questions or comments, put them in a new thread here on DevForums. Tag it with Network Extension so that I see it.

Share and Enjoy — Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Exporting a Developer ID Network Extension

macOS supports a variety of Network Extension (NE) provider types. Starting with macOS 10.15, it’s possible to distribute an app containing NE providers independently, using Developer ID signing. See TN3134 Network Extension provider deployment for the full list of supported provider types.

For your NE provider to work when distributed independently, it must:
- Be packaged as a system extension.
- Use Developer ID specific entitlements.

This post is focused on that second point, because it’s a common source of confusion. This post assumes that you’re building your app with Xcode; if you’re building your app outside of Xcode, you’ll have to adapt these steps to your build system.

Entitlement Matters

A Network Extension system extension and its container app must be signed with the Network Extension entitlement (com.apple.developer.networking.networkextension). That entitlement is an array, with a variety of different element values based on the provider type. For example, a standard NE content filter provider must include the content-filter-provider value.

There are two groups of these values: the standard ones and the ones with the -systemextension suffix. During development and for App Store distribution, use the appropriate standard value. For independent distribution using Developer ID, use the corresponding value with the -systemextension suffix. For example, a Developer ID signed NE content filter must use content-filter-provider-systemextension instead of content-filter-provider.

Xcode Issues

Xcode is currently not aware of this requirement. If you build your NE provider container app using Xcode, you might expect to export it for independent distribution using the Direct Distribution workflow in the Xcode organiser. This does not work (r. 108838909).

To get around this, manually export your app from your Xcode archive. Before attempting that, there are a few things to confirm:
- By default Xcode’s Signing & Capabilities editor uses the standard values for the NE entitlement. Leave them that way. During day-to-day development it’s best to use an Apple Development signing identity [1], and the standard values work with that.
- Continue to use Build > Archive [2] to create an Xcode archive for your product. The steps below replace the Direct Distribution workflow, and they assume you’re starting with an Xcode archive.

[1] Don’t use Developer ID for day-to-day development; see The Care and Feeding of Developer ID for more on that topic.
[2] Or, if you’re automating this, the archive action in xcodebuild.

Assemble Your Assets

Imagine you’re working on a content filter for the Mac called WaffleFilter. You’ve used Xcode to build the app into an Xcode archive:

  % ls "WaffleFilter.xcarchive/Products/Applications"
  WaffleFilter.app

That app is development signed:

  % codesign -d -vvv "WaffleFilter.xcarchive/Products/Applications/WaffleFilter.app"
  …
  Authority=Apple Development: …
  …

IMPORTANT The steps in this section are based on the much more comprehensive instructions in Creating Distribution-Signed Code for Mac. If anything is unclear, read that post for clarification.

To re-sign this app for independent distribution you’ll need three things:
- A Developer ID application signing identity. This is named Developer ID Application: TTT, where TTT identifies your team.
- A Developer ID provisioning profile for the app. In this example I’ve called this WaffleFilter_Dev_ID.provisionprofile.
- A Developer ID provisioning profile for the system extension. In this example I’ve named this WaffleFilter_WFProvider_DevID.provisionprofile.

If you’re not sure how to create these things, see Developer Account Help.

Re-sign the App

To start, make a copy of the app:

  % ditto "WaffleFilter.xcarchive/Products/Applications/WaffleFilter.app" "WaffleFilter.app"

Dump the entitlements of the app and its embedded system extension:

  % codesign -d --entitlements "WaffleFilter.entitlements" --xml "WaffleFilter.app"
  % codesign -d --entitlements "WaffleFilter_WFProvider.entitlements" --xml "WaffleFilter.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.WaffleFilter.WFProvider.systemextension"

And reformat them to make them more readable:

  % plutil -convert xml1 "WaffleFilter.entitlements"
  % plutil -convert xml1 "WaffleFilter_WFProvider.entitlements"

Now edit these files to add the -systemextension suffix. The result will look something like this:

  % cat "WaffleFilter.entitlements"
  …
  <dict>
  …
  <key>com.apple.developer.networking.networkextension</key>
  <array>
  <string>content-filter-provider-systemextension</string>
  </array>
  …
  </dict>
  </plist>
  % cat "WaffleFilter_WFProvider.entitlements"
  …
  <dict>
  …
  <key>com.apple.developer.networking.networkextension</key>
  <array>
  <string>content-filter-provider-systemextension</string>
  </array>
  …
  </dict>
  </plist>

Before you re-sign with these entitlements, replace the embedded provisioning profiles with their Developer ID profile variants:

  % cp "WaffleFilter_Dev_ID.provisionprofile" "WaffleFilter.app/Contents/embedded.provisionprofile"
  % cp "WaffleFilter_WFProvider_DevID.provisionprofile" "WaffleFilter.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.WaffleFilter.WFProvider.systemextension/Contents/embedded.provisionprofile"

Now re-sign the app and the system extension with their new entitlements, from the inside out:

  % codesign -s "Developer ID Application" -f --entitlements "WaffleFilter_WFProvider.entitlements" --timestamp -o runtime "WaffleFilter.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.WaffleFilter.WFProvider.systemextension"
  WaffleFilter.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.WaffleFilter.WFProvider.systemextension: replacing existing signature
  % codesign -s "Developer ID Application" -f --entitlements "WaffleFilter.entitlements" --timestamp -o runtime "WaffleFilter.app"
  WaffleFilter.app: replacing existing signature

If you have multiple Developer ID Application signing identities, you’ll need to replace Developer ID Application with the name of the specific identity you want to use.

IMPORTANT If your app contains other code items, like frameworks or an app extension, re-sign those as well. For advice on how to manually re-sign a more complex app, see Creating Distribution-Signed Code for Mac.

And you’re done!

Manually Notarise

Xcode’s Direct Distribution workflow also deals with notarisation. As you’re not using that workflow, manually notarise your app. For advice on how to do that, see Customizing the notarization workflow.

You should also look at Packaging Mac Software for Distribution, which has a bunch of general info about packaging Mac apps.
Replies: 0 · Boosts: 0 · Views: 810 · Sep ’23
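The manual re-sign Quinn describes above is easy to get subtly wrong by hand (a missed suffix, profiles swapped in the wrong order, the outer app signed before the extension). The script below is an added example, not part of Quinn's post or Apple's tooling: it carries out the same steps (dump entitlements, add the -systemextension suffix, swap in the Developer ID profiles, re-sign inside out) and then verifies the result. The app and provider names follow the post; the function names and the rule "rewrite every <string> ending in -provider" are this example's assumptions, chosen so that the provider types which have a -systemextension variant are covered and values that already carry the suffix are left alone.

```shell
#!/bin/sh
# Added example: automate the Developer ID re-sign of a Network Extension app.

# Read a plist on stdin; give every NE provider value the Developer ID suffix.
# A value that already has the suffix no longer ends in "-provider", so running
# this twice is harmless, and other entitlement strings are untouched.
add_sysext_suffix() {
    sed 's|<string>\([a-z-]*-provider\)</string>|<string>\1-systemextension</string>|'
}

# $1 app bundle, $2 system extension bundle name, $3 app Developer ID profile,
# $4 system extension Developer ID profile, $5 signing identity (optional).
# Assumes the app has no other nested code; frameworks or app extensions would
# have to be re-signed before the outer app, as the post notes.
resign_for_developer_id() {
    app=$1; sysext_name=$2; app_profile=$3; sysext_profile=$4
    identity=${5:-"Developer ID Application"}
    sysext="$app/Contents/Library/SystemExtensions/$sysext_name"
    work=$(mktemp -d)

    # 1. Dump and normalise the entitlements both items were built with.
    codesign -d --entitlements "$work/app.entitlements" --xml "$app"
    codesign -d --entitlements "$work/sysext.entitlements" --xml "$sysext"
    plutil -convert xml1 "$work/app.entitlements"
    plutil -convert xml1 "$work/sysext.entitlements"

    # 2. Add the -systemextension suffix.
    add_sysext_suffix < "$work/app.entitlements"    > "$work/app.devid.entitlements"
    add_sysext_suffix < "$work/sysext.entitlements" > "$work/sysext.devid.entitlements"

    # 3. Replace the development profiles with the Developer ID ones.
    cp "$app_profile"    "$app/Contents/embedded.provisionprofile"
    cp "$sysext_profile" "$sysext/Contents/embedded.provisionprofile"

    # 4. Re-sign inside out: the system extension first, then the app.
    codesign -s "$identity" -f --entitlements "$work/sysext.devid.entitlements" --timestamp -o runtime "$sysext"
    codesign -s "$identity" -f --entitlements "$work/app.devid.entitlements"    --timestamp -o runtime "$app"

    # 5. Check the seal and confirm the suffixed value is what got embedded.
    codesign --verify --strict --verbose=2 "$app"
    codesign -d --entitlements - --xml "$sysext" | grep -c -- '-systemextension'
    rm -rf "$work"
}

# Constructed sample entitlements in the post's own shape (not dumped from a real app).
SAMPLE_ENTITLEMENTS='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider</string>
    </array>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.example.wafflefilter</string>
    </array>
</dict>
</plist>'

if [ "$#" -ge 4 ]; then
    resign_for_developer_id "$@"
fi
```

Invoked as `sh resign.sh WaffleFilter.app com.example.apple-samplecode.WaffleFilter.WFProvider.systemextension WaffleFilter_Dev_ID.provisionprofile WaffleFilter_WFProvider_DevID.provisionprofile`, it leaves the bundle ready for the manual notarisation step. Pass a fifth argument naming the identity if you hold more than one Developer ID Application certificate.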
Keychain Sharing among Developer Cert signed apps
I am putting together a demo app that will pick up keychain items shared via Keychain Access Groups (or Shared Items Groups, as described here). Sadly, I'm getting the infamous -34018 A required entitlement isn't present error when trying to load successfully saved items from main app A into my demo app B via SecItemCopyMatching. From everything I can tell -- after looking at Quinn's excellent Troubleshooting -34018 Keychain Errors post -- after dumping out the entitlements plist, I see the main app A and my new demo app B both have different ApplicationIdentifierPrefix'es compared to the team identifier. ApplicationIdentifierPrefix and TeamIdentifierPrefix are supposed be the same thing. I believe (from this ancient StackOverflow answer) it might be due to the fact I'm using my developer certificate (the one associated with my current team) along with Xcode's automatically managed signing may still be accidentally generating random application identifiers. Is it possible to do keychain item sharing with apps that were built/installed with developer provisioning profiles?
Replies: 2 · Boosts: 0 · Views: 565 · Sep ’23
(UE5) UATHelper: Packaging (IOS): ERROR: CodeSign Failed
Developing a ios app in Unreal Engine 5. Everything was alright. Until it wasn’t. Build to iOS device. Click. Cooking. Building… “ERROR: CodeSign Failed” D4mn it! hahaha Here’s the log: UATHelper: Packaging (IOS): Command CodeSign failed with a nonzero exit code UATHelper: Packaging (IOS): ** BUILD FAILED ** UATHelper: Packaging (IOS): The following build commands failed: UATHelper: Packaging (IOS): CodeSign /Users/jordansktorres/My\ Drive/PROJECTS/CRUZEIRO-DO-SUL/ValenteGO/ValenteGO_V1/Binaries/IOS/Payload/ValenteGO_V1.app (in target ‘ValenteGO_V1’ from project ‘ValenteGO_V1’) UATHelper: Packaging (IOS): (1 failure) UATHelper: Packaging (IOS): Took 12,659139s to run env, ExitCode=65 UATHelper: Packaging (IOS): ERROR: CodeSign Failed UATHelper: Packaging (IOS): (see /Users/jordansktorres/Library/Logs/Unreal Engine/LocalBuildLogs/Log.txt for full exception trace) UATHelper: Packaging (IOS): AutomationTool executed for 0h 1m 51s UATHelper: Packaging (IOS): AutomationTool exiting with ExitCode=32 (Error_FailedToCodeSign) UATHelper: Packaging (IOS): RunUAT ERROR: AutomationTool was unable to run successfully. Exited with code: 32 PackagingResults: Error: Failed to Code Sign I have deleted the binaries, build, intermediate, and saved folders. I have generated and created new certificates. I have deleted UE5 and re-install it again. I have thrown the project into the garbage can and created a whole new project file with the same content folder. It all led to the same result. “ERROR: CodeSign Failed” Please, someone, anyone, give me a light here. hahaha
Replies: 4 · Boosts: 0 · Views: 2.3k · Sep ’23
Notarization of Python library stuck
Hi there, I could use some help with notarizing. I'm developing a Python module in the Rust programming language. The extension of the resulting library file is .so, which is necessary for Python to see it, instead of the regular .dylib. I compile this library for both apple silicon and intel. When a user first imports the library (which in turn imports the library), the user is confronted with Gatekeeper. So I guess I need to notarize the module file. And that's where I'm stuck. I created an Apple developer account, created a "Developer ID Application" certificate and used codesign to sign the .so file with it. That worked. I then used ditto to create a zip file with just the .so file: "ditto -c -k --keepParent my_module.so my_module.zip" The 600 kb file quickly uploads to Apple and I get an ID for checking the logs later on. Then I wait for the progress........ And nothing happens for hours on end. When I check the logs for the provided ID I get this message: "Submission log is not yet available or submissionId does not exist" I also checked if perhaps the notarization did work regardless of the above, with "spctl -a -t exec -vvv ./my_module.so". Says it's rejected, source=Unnotarized Developer ID. There is not much that I can work with, because I don't get an error message. Any ideas? Have fun, Wybren
Replies: 2 · Boosts: 0 · Views: 401 · Sep ’23
Problems using a Mac as a headless build server
My team has a Mac desktop we use as a build server to do tests, packaging, codesigning, and notarization. The service was kicked off inside a cron job, but we started encountering issues with codesigning (codesign errSecInternalComponent). Eventually we tried turning the service into a LaunchAgent and codesigning now works, presumably because it now has access to the user's keychains. However, this means the service doesn't start until someone logs the user into the console, which is pretty inconvenient at times. We are also finding that the machine is now inaccessible remotely, over SSH and VNC, until there's a console login at the physical host. Our institutional security policies require the use of FileVault and disallow auto-login, and our IT folks haven't suggested any workarounds. What is the recommended way to configure a Mac desktop as a headless server that can reboot without user interaction? We don't, and can't, use Xcode. We develop a multi-platform application written in Java.
Replies: 2 · Boosts: 0 · Views: 1.3k · Sep ’23
XCFramework codesigning - expired identity behaviour
Xcode 15 introduces a feature where you can see if an XCFramework is signed - (see here) What is the behaviour when the identity expires? For example, do the app developers who have integrated the XCFramework require a brand new XCFramework which is signed with a new, valid identity? Or is there a way to address the expiration without any action from the app developers at all?
Replies: 1 · Boosts: 0 · Views: 769 · Sep ’23
Error when loading (some) Audio Units on macOS 12
I'm developing a sandboxed application with Xcode which allows the user to open and work with Audio Unit plugins. Working with a beta-tester having a lot of AUs on their laptop running on macOS 12.5.1, we encountered some weird crashes while opening some plugins (Krotos, Flux Audio, Sound Toys, etc.). The message we got was in French, I try to translate it but the original English version could be a little bit different: Impossible to open “NSCreateObjectFileImageFromMemory-p47UEwps” because the developer can not be verified. After this first warning, a Fatal Error 100001 message opens and the plugin seems crashed (but not the host). I easily found some music application users encountering similar issues on the web. From what I read, this error is related to new security rules introduced in macOS 12. And, effectively, some of these plugins tested on an older system work normally. I also read that some (insecure) entitlements of the Hardened Runtime should be able to fix this issue, especially Allow Unsigned Executable Memory Entitlement, whose doc says: In rare cases, an app might need to override or patch C code, use the long-deprecated NSCreateObjectFileImageFromMemory (which is fundamentally insecure), or use the DVDPlayback framework. Add the Allow Unsigned Executable Memory Entitlement to enable these use cases. Otherwise, the app might crash or behave in unexpected ways. Unfortunately, checking this option didn't fix the issue. So, what I tried next was to add Disable Executable Memory Protection (no more success), and finally Allow DYLD Environment Variables and Allow Execution of JIT-compiled Code: none of them solved my problem. I really don't see what else to do, while I'm sure that a solution exists because the same plugins work perfectly in other applications (Logic, Live Ableton). Any help would be greatly appreciated. Thanks !
Replies: 13 · Boosts: 0 · Views: 2.3k · Sep ’23
Error when installing system extension
<Security`Security::CodeSigning::Requirement::Interpreter::eval(int)>
sysextd: (Security) [com.apple.securityd:SecError] Error checking with notarization daemon: 3
sysextd: bundle code signature is not valid - does not satisfy requirement: -67050

Hello, when our customer is trying to install our product on his computer with Big Sur 11.6 build 20G165, the system denies our system extension with the errors mentioned above. Extension verification then ends with error 8 (signature invalid). This extension however installs without any issues on other machines, and it is correctly signed and notarized. Could you please provide some info about these errors? Specifically [com.apple.securityd:SecError] Error checking with notarization daemon: 3 and error NSOSStatusErrorDomain Code=-67050. Thank you, Jakub
Replies: 1 · Boosts: 0 · Views: 438 · Sep ’23
LaunchDaemon stopped working on macOS Sonoma public beta
Hello @eskimo (or whoever can help): our company builds a product which is delivered outside the app store as pkg. It contains a launch daemon which is a .NET build on an external build server and signed. Then the whole pkg is notarized. The build server is macOS 10.15.7 (Catalina) On macOS 13.x I can launch the daemon in Terminal without problem, but on Sonoma public beta I get "killed by Signal:9" and in Console I get: "standard 07:44:53.694349-0700 kernel ASP: Security policy would not allow process: 1377, /Library/PrivilegedHelperTools/com.ThinPrint.TPACCloud/TPACCloud.Service" This happens on both Intel and Apple CPU VMs. Besides, when I disable SIP the error does not show up anymore and the binary runs like a charm. What has changed between macOS 13 and macOS 14 ? The binary entitlements: com.apple.security.cs.allow-jit com.apple.security.cs.allow-unsigned-executable-memory com.apple.security.cs.disable-executable-page-protection com.apple.security.cs.allow-dyld-environment-variables com.apple.security.cs.disable-library-validation The command to code sign: /usr/bin/codesign --force --options=runtime --timestamp --entitlements "#{absolutePathToEntitlement}" --sign "#{applicationCertname}" "#{tPACCLOUD_ARTEFACTS_X64}/#{item}" where #{item} are the binaries and .dylibs
Replies: 3 · Boosts: 0 · Views: 899 · Sep ’23