DriverKit code signing/driver loading issues.

I have been trying to get a stub DriverKit driver loading on my computers without success. I keep getting errors regarding the code signature being invalid. I've been beating my head against the wall for a couple weeks now, so I'd appreciate the help.

Layout: Standard Application that does the install/removal. BundleId (changed to protect the innocent) com.somename.someapp. Second target with DriverKit driver: com.somename.someapp.mydriver. To start out this is an IOUserHIDEventService.

Question 1) I assume these need to be different with their own entitlements. Is that correct?

Question 2) this is my current Entitlement layout; App has SystemExtension. Driver has DriverKit, DriverKit HID Transport, and DriverKit HID Event Service Family. Is this correct for this layout?

Question 3) Does the Code Signing Identity/Profile in the Apple Developer section need to match exactly, or can that have more than what is requested? (I started equal, but gave more just to try to troubleshoot)

Question 4) I have requested and have been approved to have the "Additional Capabilities" versions of the DriverKit entitlements in Identities. Do I need both checked? Can I only have the distribution one?

Question 5) I have SIP disabled on my machine (csrutil status shows disabled). I thought this was supposed to bypass the code signing checks? I still see the driver loading being killed because of invalid code signing.

Question 6) Does the "Additional Capabilities" version of the DriverKit entitlements that I needed to get approval for bypass the need to disable SIP, or will I need to keep it off for the entirety of development?

Thanks!

Accepted Reply

Have you tried this with Xcode 14.1rc1?

I had reason to mess around with DriverKit today and with Xcode 14.0 I was seeing it build my macOS driver with the iOS-style provisioning profile name. I got halfway through filing a bug when I thought I’d better try it with the latest Xcode. On doing that I found that everything worked.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies

I assume these need to be different with their own entitlements. Is that correct?

Yes.

this is my current Entitlement layout; App has SystemExtension. Driver has DriverKit, DriverKit HID Transport, and DriverKit HID Event Service Family. Is this correct for this layout?

On the app side, yes. On the driver side, I’m less qualified to answer, but it looks reasonable enough.

Does the Code Signing Identity/Profile in the Apple Developer section need to match exactly, or can that have more than what is requested?

I don’t understand this question.

I have requested and have been approved to have the "Additional Capabilities" versions of the DriverKit entitlements in Identities. Do i need both checked? can I only have the distribution one?

I’ll tackle this below as part of my answer to question 6.

I have SIP disabled on my machine (csrutil status shows disabled). I thought this was supposed to bypass the code signing checks?

No. SIP disables specific code signing checks but certainly not all of them.

Does the "Additional Capabilities" version of the DriverKit entitlements that I needed to get approval for bypass the need to disable SIP, or will I need to keep it off for the entirety of development?

You do not need to develop with SIP disabled.

My recommended approach is:

  • Using an Apple Development signing identity for day-to-day development.

  • In most cases Xcode’s automatic code signing takes care of this for you.

  • Only use distribution signing identities — Apple Distribution for the Mac App Store or Developer ID Application for independent distribution — when you go to distribute your product.

  • To test your Mac App Store distribution, use TestFlight. You won’t be able to run code signed for Mac App Store distribution directly. See Don’t Run App Store Distribution-Signed Code.

  • To test your independent distribution, you must notarise beforehand.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

To the question you didn't understand, I'll try to explain a bit better. The entitlements in the app request a certain set. In order for the app/driver to run, the identity/profile retrieved from Apple needs to have the same set to grant. Can the Apple side have MORE than requested and have everything still work fine, or do both sides need to match exactly?

example.

App.entitlements requests a, b, and c. Identity with Profile from Apple Developer page grants a, b, c, d, and e.

Will it all still run OK, or does the Identity need to disable the d and e grants?

I also spent weeks battling signing issues. If you're using Xcode 14, you can simply select "Automatic" in the Signing and Capabilities tab. As it says in that tab, "Xcode will create and update profiles, app IDs and certificates". Choose "Development" for the signing certificate. Delete any app IDs or profiles you may have made manually on the developer portal for your app or its extension, and let Xcode do all the work for you. If you don't, Xcode will try to use the manually generated profiles and you'll get a message like "Xcode 14 and later requires a DriverKit development profile enabled for IOS and macOS. Visit the developer website to create or download a DriverKit profile".

Automatic signing will let you develop and test on your own machine, or any other test machine entered on the portal under Devices.

You asked "Does the Code Signing Identity/Profile in the Apple Developer section need to match exactly, or can that have more than what is requested? " If you look at the embedded profile that Xcode puts in your app, you'll see what it creates (for development). It looks at the entitlements you request, and puts those same entitlements in the profile. In my case I have a com.apple.developer.driverkit.transport.usb entitlement which specifies my company's USB vendor ID. The development embedded profile specifies "*" as the vendor ID, the distribution profile specifies my company's VID.

When you come to distribute your app, Xcode can't create everything for you. The Account Owner has to go into the portal and create profiles for any extensions which require managed capabilities (entitlements which are only provided in response to a specific request to Apple). An Admin can create other types of profiles. If you are not the Account Owner the Generate button will fail to generate a profile, but it won't tell you why.

In the distribution workflow, you choose the manually-generated profiles when you come to upload your product for notarization (not at build time). So you can keep the "Signing and Capabilities" setting in Xcode at Automatic.
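The "can the profile grant more than the code asks for" question comes up twice above (the asker's a/b/c vs. a/b/c/d/e example, and the USB vendor ID that is "*" in a development profile but a specific VID in the distribution profile). The following is an added illustration, not code from anyone in this thread or from Apple: it decodes a constructed provisioning-profile plist with the standard `plistlib` module and checks, key by key, whether every entitlement the dext claims is permitted by the profile, using the wildcard rules a profile uses ("*" grants anything, a trailing "*" is a prefix wildcard). The team ID, bundle ID and entitlement values are made up; the check is deliberately one-directional, so extra grants in the profile are reported but are not a failure.

```python
import plistlib

# Constructed sample, not a real profile: the plist that
# `security cms -D -i embedded.provisionprofile` prints, trimmed to the keys
# this check needs. Team ID, bundle ID and values are invented for the example.
PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Name</key><string>Mac Team Provisioning Profile: com.example.app.driver</string>
  <key>Platform</key><array><string>OSX</string></array>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key><string>ABCDE12345.com.example.app.driver</string>
    <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
    <key>get-task-allow</key><true/>
    <key>com.apple.developer.driverkit</key><true/>
    <key>com.apple.developer.driverkit.transport.hid</key><true/>
    <key>com.apple.developer.driverkit.family.hid.eventservice</key><true/>
    <key>com.apple.developer.driverkit.transport.usb</key>
    <array><dict><key>idVendor</key><string>*</string></dict></array>
    <key>keychain-access-groups</key><array><string>ABCDE12345.*</string></array>
  </dict>
</dict>
</plist>
"""

# Constructed: what the dext's Code Signing Entitlements file asks for.
DEXT_ENTITLEMENTS = {
    "application-identifier": "ABCDE12345.com.example.app.driver",
    "com.apple.developer.team-identifier": "ABCDE12345",
    "com.apple.developer.driverkit": True,
    "com.apple.developer.driverkit.transport.hid": True,
    "com.apple.developer.driverkit.family.hid.eventservice": True,
    # A specific vendor ID; the development profile grants "*" here.
    "com.apple.developer.driverkit.transport.usb": [{"idVendor": 0x1234}],
}


def load_profile_entitlements(profile_plist: bytes) -> dict:
    """Return the Entitlements dict from a decoded provisioning profile plist."""
    return plistlib.loads(profile_plist)["Entitlements"]


def satisfies(requested, granted) -> bool:
    """Does the profile's value `granted` permit the code's value `requested`?

    "*" grants anything, a trailing "*" is a prefix wildcard, a True in the
    code needs a True in the profile, and every element of a requested
    list or dict needs a matching grant.
    """
    if granted == "*":
        return True
    if isinstance(requested, bool) and isinstance(granted, bool):
        return granted or not requested
    if isinstance(requested, str) and isinstance(granted, str):
        if granted.endswith("*"):
            return requested.startswith(granted[:-1])
        return requested == granted
    if isinstance(requested, list) and isinstance(granted, list):
        return all(any(satisfies(r, g) for g in granted) for r in requested)
    if isinstance(requested, dict) and isinstance(granted, dict):
        return all(k in granted and satisfies(v, granted[k]) for k, v in requested.items())
    return requested == granted


def unsatisfied_entitlements(requested: dict, granted: dict) -> list:
    """Keys the code claims that the profile does not grant (empty list = OK).

    One-directional on purpose: keys the profile grants but the code never
    asks for are ignored, so a profile may grant more than the code requests.
    """
    return sorted(
        key for key, value in requested.items()
        if key not in granted or not satisfies(value, granted[key])
    )


def extra_profile_grants(requested: dict, granted: dict) -> list:
    """Keys the profile grants that the code never asks for (harmless)."""
    return sorted(set(granted) - set(requested))


if __name__ == "__main__":
    profile = load_profile_entitlements(PROFILE_PLIST)
    print("unsatisfied:", unsatisfied_entitlements(DEXT_ENTITLEMENTS, profile))
    print("extra grants:", extra_profile_grants(DEXT_ENTITLEMENTS, profile))
```

To run this against a real build, dump the dext's entitlements with `codesign -d --entitlements - /path/to/Your.dext` and the profile with `security cms -D -i /path/to/embedded.provisionprofile`, and feed the two plists in. One caveat: the system only enforces restricted entitlements against the profile, whereas this checker treats every key the same, so it can flag a mismatch the loader would not care about; it never misses one the loader would.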


I went back and put everything back to Xcode managed for provisioning profile, made sure everything matched, and still getting errors when trying to load the driver. The app itself loads fine and it installs the driver without issue.

Again, any help would be appreciated.

Here is one such collection of errors from the system log as an example (with edits changing bundleId and paths, as well as removing stuff so it would allow me to post this):

ReportCrash:

...(Code Signature Invalid)","incidentID":"someUUID","logwritten":0,"process":"com.me.App.Driver","terminationReasonExceptionCode":"0x1","terminationReasonNamespace":"CODESIGNING"...

taskgated-helper

Disallowing com.me.App.Driver because no eligible provisioning profiles found

amfid

/path/to/com.me.App.Driver.dext/com.me.App.Driver signature not valid: -67671

kernel

mac_vnode_check_signature: /path/to/com.me.App.Driver.dext/com.me.App.Driver: code signature validation failed fatally: When validating  /path/to/com.me.App.Driver.dext/com.me.App.Driver:

  Code has restricted entitlements, but the validation of its code signature failed.

Unsatisfied Entitlements:

(nothing in the list of unsatisfied Entitlements)

also kernel:

proc 48767: load code signature error 4 for file "com.me.App.Driver"

In Xcode, select the dext target, then under Signing, you should see a section labelled "DriverKit", with a Provisioning Profile: which you cannot modify, called "Xcode Managed Profile". If you click on the (i) here, does everything seem as you expect? You should see some capabilities, and some entitlements. Do they all have tick marks?

Find your app in the Derived Data folder, and drill down to the dext, and look at its .embeddedprofile (QuickLook should open it for you, just use the space bar). Does it look correct?

Follow the advice from Quinn here https://developer.apple.com/forums/thread/656490

For the provisioning profile, the capabilities include the 3 DriverKit entitlements I request as well as two others that I don't request (In-App Purchase and Keychain Sharing). Entitlements for the profile also include the three I requested and a handful of others that I haven't but look 'standard' (i.e. get-task-allow, application-identifier, and other more generic sounding ones).

The embedded profile (for me it shows up as embedded.mobileprovision; could this be the issue? This is how Xcode 14 set this up for me...) shows the entitlements as I expect.

As for the other thread, capabilities match as expected. I even verified that the certificate signatures matched as per one of eskimo's other posts about troubleshooting code signing.

The more I'm thinking about it, I'm wondering if the DriverKit template is just naming the provisioning profile as it expects for iOS, instead of macOS (as mine is named embedded.mobileprovision). People are saying the file should have an .embeddedprofile extension; what should the filename be?

I have not looked at the DriverKit side of this but the standard macOS and iOS names are documented in Placing Content in a Bundle.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

In my development version, the delivery app has embedded.provisionprofile. The dext contains embedded.mobileprovision.

In my release version, the delivery app has embedded.provisionprofile. The dext has both embedded.mobileprovision and embedded.provisionprofile.

OK, then I'm still at a loss.

I just created a brand new project, just in case something is wonky with the other one. Leaving everything Xcode managed, this time on my M1 mini instead of my Intel MacBook Pro. SwiftUI app instead of XIB, once again with an activate button and a deactivate button that make the appropriate OSSystemExtensionRequests. The second target added via File->New->Target is the DriverKit group's Driver project template. Gave everything the same entitlements as above (though I probably don't need the HID ones, as I'm not even changing the default IOService type or any code in the driver other than adding an entitlements file and setting that file as Code Signing Entitlements under Build Settings->Signing->Code Signing Entitlements).

From everything you have been telling me, that should work, unless I'm just missing something in my frustration.

App runs fine, activating the extension via the app runs fine, but still errors actually running the extension.

systemextensionctl list shows it should be loading:

*	*	NMX3RG6P6L	com.eklynx.TestHidService.TestService (1.0/1)	com.eklynx.TestHidService.TestService	[activated enabled]

But once again, logging still shows the app is being killed due to code signing.

/Library/SystemExtensions/AC89C292-DA43-407D-9BDF-B832D5BC16F6/com.eklynx.TestHidService.TestService.dext/com.eklynx.TestHidService.TestService not valid: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found"...
mac_vnode_check_signature: /path/to/com.eklynx.TestHidService.TestService.dext/com.eklynx.TestHidService.TestService: code signature validation failed fatally: When validating /path/to/com.eklynx.TestHidService.TestService.dext/com.eklynx.TestHidService.TestService:

  Code has restricted entitlements, but the validation of its code signature failed.

Unsatisfied Entitlements:
proc 15887: load code signature error 4 for file "com.eklynx.TestHidService.TestService"
Error occurred while handling request "DextLaunch(arguments: Optional(["Check In Token": 483, "CFBundleIdentifier": com.eklynx.TestHidService.TestService, "kOSBundleDextUniqueIdentifier": <removed>, "DriverKit Reslide Shared Cache": 0, "Driver Extension Server Name": com.eklynx.TestHidService.TestService, "Driver Extension Server Tag": removed]))": Error Domain=NSPOSIXErrorDomain Code=8 "Exec format error"

Started from scratch one more time noting every small detail. Initially after adding the driverkit target, the signing profile was not set; building gave the error

error: Embedded binary is not signed with the same certificate as the parent app. Verify the embedded binary target's code sign settings match the parent app's.

Looking at the settings, the Provisioning Profile is set to Xcode Managed Profile with Signing Certificate set to None. I unchecked and re-checked 'Automatically manage signing' and set my developer profile to fix this. Was this the correct way to proceed?

@sscmith_c: Since you have a working setup do you mind telling what are your signing settings are set to for the DriverKit extension?


Wow, that was it. Downloaded the new RC1, and my test project shows as running when queried with ps. Thank you!
