Unsatisfied Entitlements

Hi, I'm building a Content Filter app and today, while checking the logs in the Console app, I saw this one.
com.company.myapp.extension: Unsatisfied entitlements: com.apple.security.application-groups

It's weird because the extension loads fine and the content filter works. I have checked and the app group seems to be correctly set on both entitlement files (app and extension).
I would really appreciate the help. Thanks in advance.

> It's weird because the extension loads fine and the content filter works. I have checked and the app group seems to be correctly set on both entitlement files (app and extension).

Right, what is happening here is that you are running into a conflict between the entitlements defined in the provisioning profile used for your Content Filter and the ones that are defined in your entitlements file. Also, your profile in some cases can be based off of the entitlements file created when your app is created and built for the first time. Possibly you added, changed, or removed the application groups during development and this got out of sync with the profile maintained by Xcode. This issue for application groups will not cause a code signing crash or failure, but will render the application group unusable from either the app or extension standpoint. I would always recommend resolving this before you sign, Notarize, and distribute your app. That way if you run into an issue down the road you know this is not the root cause of it. Also, this will make sure your app-groups continue to work properly.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
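
An added example, not code from this thread or from Apple: a simplified comparison of an entitlements file against the `Entitlements` dictionary of a decoded provisioning profile, the kind of mismatch the reply above describes. The sample plists, the `TEAMID` identifiers, the `unsatisfied` helper, the `ungoverned` list and the matching rules (exact match plus a trailing `*` wildcard) are assumptions for illustration, not the system's actual validation logic.

```python
import plistlib

# Constructed sample: the extension's .entitlements file (identifiers are placeholders).
CLAIMED = b"""<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.developer.networking.networkextension</key>
<array><string>content-filter-provider</string></array>
<key>com.apple.security.application-groups</key>
<array><string>TEAMID.com.company.myapp</string></array>
</dict></plist>"""

# Constructed sample: a provisioning profile already decoded to a plain plist.
PROFILE = b"""<plist version="1.0"><dict>
<key>Name</key><string>Sample extension profile</string>
<key>Entitlements</key><dict>
<key>com.apple.application-identifier</key><string>TEAMID.com.company.myapp.extension</string>
<key>com.apple.developer.networking.networkextension</key>
<array><string>content-filter-provider</string><string>dns-proxy</string></array>
<key>keychain-access-groups</key><array><string>TEAMID.*</string></array>
</dict></dict></plist>"""


def _value_ok(claimed, allowed):
    """True when a claimed entitlement value is covered by the profile's value."""
    if isinstance(claimed, list):
        # Every claimed element must be covered by the profile.
        return all(_value_ok(item, allowed) for item in claimed)
    if isinstance(allowed, list):
        return any(_value_ok(claimed, item) for item in allowed)
    if isinstance(claimed, str) and isinstance(allowed, str):
        if allowed.endswith("*"):            # profile wildcard such as TEAMID.*
            return claimed.startswith(allowed[:-1])
        return claimed == allowed
    return claimed == allowed                # booleans and numbers: exact match


def unsatisfied(claimed_plist, profile_plist,
                ungoverned=("com.apple.security.app-sandbox",)):
    """Return the claimed entitlement keys the profile does not cover.

    `ungoverned` lists keys assumed not to need profile authorisation.
    """
    claimed = plistlib.loads(claimed_plist)
    allowed = plistlib.loads(profile_plist).get("Entitlements", {})
    return sorted(
        key for key, value in claimed.items()
        if key not in ungoverned
        and (key not in allowed or not _value_ok(value, allowed[key]))
    )


if __name__ == "__main__":
    print("Unsatisfied entitlements:", ", ".join(unsatisfied(CLAIMED, PROFILE)))
```
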

Thanks for your reply, Matt. Just to clarify some things, the app and the network extension both use different provisioning profiles, correct? I tried re-downloading the profiles but the problem persists. I've also checked and as far as I know I don't need to specify the app group when I'm creating the profile because that's only for non-macOS devices. Right? I forgot to mention my app runs on macOS.
I read on another thread that the extension needs to have the app sandbox enabled for this error to disappear. My extension has it enabled but not the app. So my question is: does the extension AND the app need to be in a sandbox, or only the extension?

> Just to clarify some things, the app and the network extension both use different provisioning profiles, correct?

Yes.

> I've also checked and as far as I know I don't need to specify the app group when I'm creating the profile because that's only for non-macOS devices. Right?

App Groups run on iOS and macOS. If you are not using App Groups, try deleting them entirely.

> So my question is: does the extension AND the app need to be in a sandbox

Absolutely. This is a requirement no matter where you are distributing, whether via Developer ID or the Mac App Store.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

> App Groups run on iOS and macOS. If you are not using App Groups, try deleting them entirely.

I thought it was required to have an app group for using system extensions.


> Absolutely. This is a requirement no matter where you are distributing, whether via Developer ID or the Mac App Store.

I've tried adding an app sandbox to the app but the error still persists.

I read this post by Quinn and he says:

> It’s absolutely correct here — the entitlement you’re trying to use, namely the App Groups entitlement, really isn’t whitelisted by your profile — but that’s absolutely normal.

Is he saying that the error message I'm seeing is normal, considering my app runs on macOS?

> I've tried adding an app sandbox to the app but the error still persists.

Excellent. No matter if your error is there or not, you need a Sandbox, so that is good.

> Is he saying that the error message I'm seeing is normal, considering my app runs on macOS?

Right, so what Quinn is pointing out here is along the lines with what I had mentioned, but in just greater detail: "This issue for application groups will not cause a code signing crash or failure." Which aligns with what you mentioned, "It's weird because the extension loads fine and the content filter works." Now, you may not be able to use your app groups in macOS if your groups are defined incorrectly or are not configured like the example Quinn has. That is why I mentioned you should resolve this, "before you sign, Notarize, and distribute your app."


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thanks again for your reply. Are there any logs that I can provide for you guys to help me get rid of this error? I already tried tweaking the profile a bunch of times but nothing seems to help.

Edit:
I found that "amfid" is also throwing this log that I think is related to the other one:
CPValidateProvisioningDictionariesExtViaBridge returned invalid result: {
  success = 0;
}


Accepted Answer
The mentioned error disappears when adding this to the NE entitlements:
<key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
<array>
        <string>/private/var/db/mds/</string>
        <string>/usr/libexec/</string>
</array>
