Code has restricted entitlements, but the validation of its code signature failed.

I’m developing a DriverKit sample to test the company’s USB controller.
My example produces this message in the system log: Code has restricted entitlements, but the validation of its code signature failed.
Hello World is not printed.
What happened?
Running systemextensionsctl list in Terminal shows that the .dext is installed in the /Library/SystemExtensions folder.
  • What entitlements do you have on your dext? What entitlements are included in the provisioning profile that you are signing it with? Do the two match?

  • Please refer to the detailed response.

Accepted Reply

You need to match your entitlements to your provisioning profile. First, check the contents of your provisioning profile with something like security cms -D -i my.provisionprofile. That will show you the exact entitlements you have been granted under the Entitlements key. For the entitlements you've listed for your provisioning profile, it will likely look something like this:

<key>Entitlements</key>
<dict>
	<key>com.apple.developer.driverkit</key>
	<true/>
	<key>com.apple.developer.driverkit.transport.usb</key>
	<array>
		<dict>
			<key>idVendor</key>
			<integer>1234</integer>
		</dict>
	</array>
	<!-- More Team/Identifier Keys -->
</dict>

If you also have HID entitlements, you might also need to add those. But you can only use entitlements included in that list in the provisioning profile. Your dext's entitlements must match or be a subset of the entitlements in your provisioning profile. It cannot include any entitlements not in that provisioning profile.

Of the entitlements you've listed in your dext, there are a couple concerns:

  1. com.apple.security.device.usb isn't used for dexts. That will cause your code signing to be rejected.
  2. The way you've assigned your vendor ID is incorrect and needs to be formatted just as it is in your provisioning profile. Refer to the previous code block for an example of the layout.

Note that if you are matching on a HID-based device or interface, you do not need a USB vendor ID entitlement. More detail on matching to USB/HID devices can be found here: https://developer.apple.com/news/?id=zk5xdwbn

You might also find valuable information in this article on DriverKit signing: https://developer.apple.com/news/?id=c63qcok4

  • It's also worth noting that vendor IDs are stored in provisioning profiles in base-10 format. Please be sure to account for that when setting up your entitlements. The value you use will also need to be a base-10 representation of the vendor ID.
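As an added example (not part of the original thread), the "dext entitlements must be a subset of the profile" check from the accepted reply and the base-10 vendor ID note from the comment, applied to constructed plist data in Python. The profile dict stands in for the Entitlements key printed by security cms -D -i; its team/identifier keys are omitted, which is an assumption.

```python
import plistlib

# Constructed stand-in for the Entitlements dict that `security cms -D -i my.provisionprofile`
# prints; the team/identifier keys a real profile also carries are omitted (assumption).
PROFILE_ENTITLEMENTS = {
    "com.apple.developer.driverkit": True,
    "com.apple.developer.driverkit.transport.usb": [{"idVendor": 1636}],
}

# Constructed dext entitlements file shaped like the one in the question.
DEXT_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
    <key>com.apple.developer.driverkit</key><true/>
    <key>com.apple.developer.driverkit.transport.usb</key><true/>
    <key>com.apple.security.device.usb</key><true/>
    <key>idVendor</key><integer>1636</integer>
</dict></plist>
"""

def vendor_id_to_base10(text):
    """Profiles store idVendor as a base-10 integer; accept '0x0664' or '1636' and return 1636."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)

def check_entitlements(dext, profile):
    """List every way the dext's entitlements exceed what the profile grants.
    An empty list means the dext is a subset of the profile, as the signer requires."""
    problems = []
    for key, value in dext.items():
        if key not in profile:
            problems.append(f"{key}: not granted by the provisioning profile")
        elif isinstance(profile[key], list):
            # Transport entitlements are an array of {idVendor: int} dicts in the profile,
            # and the dext must use that same layout, not a bare <true/>.
            if not isinstance(value, list):
                problems.append(f"{key}: must be an array of idVendor dicts, not {value!r}")
                continue
            allowed = {entry.get("idVendor") for entry in profile[key]}
            for entry in value:
                if entry.get("idVendor") not in allowed:
                    problems.append(f"{key}: idVendor {entry.get('idVendor')!r} not in profile")
        elif value != profile[key]:
            problems.append(f"{key}: value {value!r} differs from profile's {profile[key]!r}")
    return problems

def check_dext_plist(plist_bytes, profile=PROFILE_ENTITLEMENTS):
    """Parse a dext entitlements plist and compare it against the profile's grants."""
    return check_entitlements(plistlib.loads(plist_bytes), profile)
```

Running check_dext_plist on the constructed file flags the bare <true/> on the USB transport key, the com.apple.security.device.usb key, and the top-level idVendor key, which are the three defects the reply points out.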

Replies

system error log:

May 28 21:16:02 xianxianmeishizuode-MacBook-Pro com.apple.xpc.launchd[1] (com.apple.mdworker.shared.0B000000-0700-0000-0000-000000000000[1319]): Service exited due to SIGKILL | sent by mds[91]
May 28 21:16:06 xianxianmeishizuode-MacBook-Pro com.apple.xpc.launchd[1] (com.apple.null.driver-0x100001311[1359]): removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Library/SystemExtensions/7E4D2C05-E24F-430D-9048-DBFB508BBEE5/com.etandt.dk1.dext/com.etandt.dk1:
	  Code has restricted entitlements, but the validation of its code signature failed.
	Unsatisfied Entitlements: 
May 28 21:16:06 xianxianmeishizuode-MacBook-Pro com.apple.xpc.launchd[1] (com.apple.null.driver-0x100001311[1359]): Binary is improperly signed.

entitlements dext:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.driverkit.transport.usb</key>
	<true/>
	<key>com.apple.security.device.usb</key>
	<true/>
	<key>com.apple.developer.driverkit</key>
	<true/>
	<key>com.apple.developer.driverkit.transport.hid</key>
	<true/>
	<key>com.apple.developer.driverkit.family.hid.device</key>
	<true/>
	<key>com.apple.developer.driverkit.family.hid.eventservice</key>
	<true/>
	<key>idVendor</key>
	<integer>1636</integer>
</dict>
</plist>

Provisioning Profile Enabled Capabilities: DriverKit USB Transport - VendorID, In-App Purchase
