Proper way to notarize app with endpoint security entitlement for SIP enabled environment

Hello,

We finally got our endpoint security client entitlement from Apple so we would like to test the notarization process.
As I understand below are the required steps:

  1. Create provisioning profile for container app with es client entitlement

  2. Use the profile in xcode

  3. build and sign the app with xcode

  4. (here I am not sure) zip the app and run it through xcrun for notarization

  5. staple the app

with the steps above, I enable SIP and try to install the system extension by getting the app in /Applications and double-clicking it.
I get the usual "Extension blocked" message, go to the settings and authorize the app.
I can see that the extension has been activated with "systemextensionsctl list" but get a crash report for the es client with code EXC_CRASH (Code Signature Invalid)
Termination reason: Namespace CODESIGNING, Code 0x1

So I am guessing the signing or notarization process is not right. My es client has a .entitlements file but I am not seeing a embedded entitlement file in the .systemextension bundle.
Should I notarize the es client as well? Or maybe the build process does not link the entitlement for my es client? In my build setting I have the correct path for "Code Signing Entitlements".

Any help would be welcomed! Thank you!

Up vote post of gmorimoto Down vote post of gmorimoto
494 views
Posted by
gmorimoto
Reply
Add a Comment

Accepted Reply

First things first, entitlements:

  • The container app must have the com.apple.developer.system-extension.install entitlement. You can set this using Xcode’s Signing & Capabilities editor and automatic code signing will sort out the profile.

  • You ES sysex must have the com.apple.developer.endpoint-security.client. This requires manual code signing. I don’t have specific instructions for this but the general idea is outlined in the Old Process post on this thread.

As to how you notarise this, if you’re building from Xcode you can notarise from the Xcode Organizer. Whether you should do that depends on your final distribution strategy. If you distribute your app as a simple app in a zip archive, this approach is easiest. If not, it’s probably best to package and notarise your product from the command line. See my Signing a Mac Product For Distribution post for info on that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

First things first, entitlements:

  • The container app must have the com.apple.developer.system-extension.install entitlement. You can set this using Xcode’s Signing & Capabilities editor and automatic code signing will sort out the profile.

  • You ES sysex must have the com.apple.developer.endpoint-security.client. This requires manual code signing. I don’t have specific instructions for this but the general idea is outlined in the Old Process post on this thread.

As to how you notarise this, if you’re building from Xcode you can notarise from the Xcode Organizer. Whether you should do that depends on your final distribution strategy. If you distribute your app as a simple app in a zip archive, this approach is easiest. If not, it’s probably best to package and notarise your product from the command line. See my Signing a Mac Product For Distribution post for info on that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment
Thanks Eskimo

Your answer made me realize the error was on my part. I think I started building my sysex using a driverkit template so I could not add a provisioning profile to the extension. Using the template for a network extension it worked perfectly.

Posted by
gmorimoto
Up vote reply of gmorimoto Down vote reply of gmorimoto
Add a Comment