Hi all,
We're trying to package a new version of Multipass, a small cross-platform Linux VM manager. It's been working fine until recently, when the notarization service started erroring out on binaries unsigned, or those that don't have the hardened runtime enabled.
We're using CPack to create a custom installer, so we have to do all the signing and notarization manually.
Unfortunately the hypervisor we use (hyperkit) fails when ran with hardening:
CODE SIGNING: 31277[hyperkit] vm_map_protect can't have both write and exec at the same timeWhile we investigate that problem, we wanted to add the appropriate entitlements to the signature, please tell me if there's something wrong with this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>com.canonical.multipass.hyperkit</string>
    <key>com.apple.security.cs.disable-executable-page-protection</key>
    <true/>
</dict>
</plist>Unfortunately even though notarization completes on the package, the binary fails with:
mac_vnode_check_signature: /Library/Application Support/com.canonical.multipass/bin/hyperkit: code signature validation failed fatally: When validating /Library/Application Support/com.canonical.multipass/bin/hyperkit:
  Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements: proc 35751: load code signature error 4 for file "hyperkit"Following TN2318 I can see that the signature verification fails if I use the "Developer ID" identity, which notarization seems to require (?):
$ codesign --verify -vvvv -R='anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and (certificate leaf[field.1.2.840.113635.100.6.1.2] exists or certificate leaf[field.1.2.840.113635.100.6.1.4] exists)' "/Library/Application Support/com.canonical.multipass/bin/hyperkit"
/Library/Application Support/com.canonical.multipass/bin/hyperkit: valid on disk
/Library/Application Support/com.canonical.multipass/bin/hyperkit: satisfies its Designated Requirement
test-requirement: code failed to satisfy specified code requirement(s)If I use an "Apple Development" identity, the check completes:
$ codesign --verify -vvvv -R='anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and (certificate leaf[field.1.2.840.113635.100.6.1.2] exists or certificate leaf[field.1.2.840.113635.100.6.1.4] exists)' "/Library/Application Support/com.canonical.multipass/bin/hyperkit"
/Library/Application Support/com.canonical.multipass/bin/hyperkit: valid on disk
/Library/Application Support/com.canonical.multipass/bin/hyperkit: satisfies its Designated Requirement
/Library/Application Support/com.canonical.multipass/bin/hyperkit: explicit requirement satisfiedBut even then, the above "signature failed" failure occurs. Not to mention that files signed with that identity get rejected during notarization…
Any pointers on what are we doing wrong?
Thanks a bunch!
Notarisation requires the hardened runtime. The hardened runtime enables all sorts of extra security checks by default. However, most (maybe even all?) of those can be disabled with hardened runtime exception entitlements. These are not special entitlements (that is, entitlements that must be granted by Apple), nor are they restricted entitlements (that is, entitlements that must be whitelisted by a provisioning profile), but are completely open. Any Developer ID code can use these entitlements without restrictions.
The problem with your original attempt is that you’re using a restricted entitlement (
application-identifiercom.apple.security.cs.disable-executable-page-protectionAs to whether that’ll fix your actual problem, it’s hard to say without knowing more about how your code is using
vm_map_protectShare and Enjoy 
— 
Quinn “The Eskimo!” 
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 
let myEmail = "eskimo" + "1" + "@apple.com"