Custom entitlements for the purposes of UserClient authentication.

Is it allowed for binaries to be signed with custom entitlements (e.g. com.flagers.xyz) for the purposes of determining the authenticity of an application using IOServiceOpen?

Replies

I suppose that the App Group entitlements would work fine, and also would ensure authenticity.

Is it allowed for binaries to be signed with custom entitlements

Realistically, no. On the Mac an entitlement is either restricted or unrestricted:

  • If it’s restricted, any claim must be authorised by a provisioning profile. There’s no way for you to set that up.

  • If it’s unrestricted, there’s no way for you to limit who can claim it.

For more background on this, see What exactly is a provisioning profile?.

I suppose that the App Group entitlements would work fine

No. App Groups work differently on macOS and iOS. On macOS the app groups entitlement is unrestricted, meaning it does not have to be authorised by a profile.

What are you trying to do here? If you’re trying to restrict access to a known set of clients, standard practice is to use a code signing requirement. You can find a bunch of discussion about this on this thread and the threads that it links to.

Unfortunately I don’t think that I/O Kit has support for this, so you’d have to do the work in user space.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
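The user-space check the answer above points to, as an added example (not code from the thread or from Apple): a helper that takes the connecting client's audit token, builds a code signing requirement, and asks the Security framework whether the client satisfies it. The bundle identifier, Team ID and the `audit_token_t` source are assumptions for illustration.

```swift
import Foundation
import Security

// Hypothetical requirement for the single client we want to admit.
// "com.example.client" and "ABCDE12345" are placeholders for the client's
// bundle identifier and Team ID (the Team ID is the leaf certificate's OU for
// Developer ID and App Store signatures).
let allowedClientRequirement = """
anchor apple generic and identifier "com.example.client" and \
certificate leaf[subject.OU] = "ABCDE12345"
"""

enum ClientCheckError: Error {
    case securityFramework(OSStatus)
}

/// Verifies that the process identified by `auditToken` (assumed to come from
/// the connection to the client, e.g. an XPC connection) is validly signed and
/// meets `requirementText`. Throws on any failure; the caller denies on throw.
/// An audit token is used rather than a PID because a PID can be reused.
func verifyClient(auditToken: audit_token_t, requirementText: String) throws {
    var token = auditToken
    let tokenData = Data(bytes: &token, count: MemoryLayout<audit_token_t>.size)
    let attrs: [CFString: Any] = [kSecGuestAttributeAudit: tokenData]

    // Resolve the running code object for that process.
    var code: SecCode?
    var status = SecCodeCopyGuestWithAttributes(nil, attrs as CFDictionary, [], &code)
    guard status == errSecSuccess, let clientCode = code else {
        throw ClientCheckError.securityFramework(status)
    }

    // Compile the requirement string.
    var requirement: SecRequirement?
    status = SecRequirementCreateWithString(requirementText as CFString, [], &requirement)
    guard status == errSecSuccess, let req = requirement else {
        throw ClientCheckError.securityFramework(status)
    }

    // Checks both that the signature is valid and that it satisfies the requirement.
    status = SecCodeCheckValidity(clientCode, [], req)
    guard status == errSecSuccess else {
        throw ClientCheckError.securityFramework(status)
    }
}
```

Because the driver cannot perform this check itself, the pattern is a user-space broker that runs `verifyClient` on each connection before doing anything on the client's behalf.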