Xcode error when trying to sign DriverKit extension

I am trying to sign a DriverKit extension for distribution using a Developer ID provisioning profile, but when I try to import the profile to sign the dext I get the error "Platform: MacOS doesn't match platform DriverKit".

We requested the entitlement from Apple a few months ago and according to Apple Support it was approved (though we did not get any email directly from the DriverKit approval process). The App ID we are using appears to have the DriverKit capabilities that we need under "Additional Capabillities".

Our process right now is this:

  1. Go to Certificates, Identifiers, and Profiles
  2. Create a new Provisioning Profile and select Developer ID Distribution
  3. Select the correct App ID
  4. After creating and downloading the profile, import it into Xcode
  5. Receive the error "Platform: MacOS does not match DriverKit"

According to https://developer.apple.com/documentation/driverkit/requesting_entitlements_for_driverkit_development#3557213, there should perhaps be a prompt adding DriverKit to the provisioning profile and not just the identifier, but we do not see this.

Has anybody else run into a similar issue and resolved it? I see a similar thread at https://developer.apple.com/forums/thread/710713, but that one is eight months old and doesn't appear to have a solution.

Post not yet marked as solved Up vote post of BulwarkID Down vote post of BulwarkID
797 views
Posted by
BulwarkID
Reply
Add a Comment

Replies

I have just run into this issue while trying to switch our build infrastructure from Xcode 13 to 14. So that's one workaround for the minute: perform the build with Xcode 13. This is only officially supported on macOS 12 Monterey, though Xcode 13.4.1's command-line xcodebuild seems to run fine on macOS 13 Ventura as well.

Another workaround I still need to try is whether it works to perform release builds without code signing in Xcode/xcodebuild, and then implement the codesigning myself using codesign. We're already having to implement custom scripts for notarisation and installer packaging anyway, so it's only a small step to bring the signing stage out of Xcode and into our own scripts.

Posted by
pmdj
Up vote reply of pmdj Down vote reply of pmdj

  • It's definitely possible to work around this issue by selecting development signing in the dext target, and then in the app target, add a run script build phase which signs the embedded dext with Developer ID. Note you need to strip the signature off the dext's binary, and copy the developer ID provisioning profile as the embedded.provisionprofile before invoking the codesign command on the .dext bundle with the developer ID signing identity and entitlements file.

    pmdj

  • Xcode 15 doesn't fix the problem, but the workaround still works. It does some extra checking that the app and dext are signed using the same identity, so you have to make sure to do things in the order it wants. (A run script phase after the embed system extension phase in the app target still works for this purpose if the app itself is set to developer id signing.)

    pmdj
Add a Comment