Load driver error: OSSystemExtensionErrorDomain error 9.

I created a driver using DriverKit on Intel macOS 12.6.1 and Xcode 13.3. I enabled auto-manage signing, and set the signing certificate to 'Sign to Run Locally'. Then, I created a provisioning profile for the driver and selected my M1 test device. After installing the profile, I ran the app on the M1 device and successfully activated the driver.

However, when I tried to compile the project on M1 macOS 13.3 with Xcode 14.3.1, I encountered an error. It appears that DriverKit does not support the 'Sign to Run Locally' option on M1 devices. To resolve this issue, I switched to using the 'Apple Development' signing certificate. Unfortunately, even after making this change, I still received an error message regarding 'Sign to Run Locally' from the Xcode console.

Both devices are logged in with the same developer account. Could you please advise me on how to resolve this problem?

iig:

#include <Availability.h>
#include <DriverKit/IOService.iig>
#include <DriverKit/IOUserClient.iig>

//class OSAction;
class epusbfilter: public IOService
{
public:
    virtual bool init() override;
    virtual kern_return_t Start(IOService * provider) override;
    virtual kern_return_t Stop(IOService * provider) override;
    virtual void free() override;
    
    virtual kern_return_t GetRegistryEntryID(uint64_t * registryEntryID) override;
    
};

cpp:

#include <os/log.h>
#include <DriverKit/IOUserServer.h>
#include <DriverKit/IOLib.h>
#include <USBDriverKit/IOUSBHostInterface.h>
#include <USBDriverKit/IOUSBHostPipe.h>
#include "epusbfilter.h"



#define Log(fmt, ...) os_log(OS_LOG_DEFAULT, "epusbfilter - no super," fmt "\n", ##__VA_ARGS__)

struct epusbfilter_IVars
{
    IOUSBHostInterface       *interface;
    IOUSBHostPipe            *inPipe;
    OSAction                 *ioCompleteCallback;
    IOBufferMemoryDescriptor *inData;
    uint16_t                  maxPacketSize;
};



bool epusbfilter::init() {
    bool result = false;
    
    Log("init");
    
    result = super::init();
    return result;
}

void epusbfilter::free() {
    super::free();
    Log("free");
}

kern_return_t
IMPL(epusbfilter, Start)
{
    kern_return_t                    ret;
    Log("Start");

    ret = Start(provider, SUPERDISPATCH);
    return ret;
}


kern_return_t
IMPL(epusbfilter, Stop)
{
    kern_return_t ret = kIOReturnSuccess;
    Log("Stop");
    ret = Stop(provider, SUPERDISPATCH);
    
    return ret;
}

kern_return_t
IMPL(epusbfilter, GetRegistryEntryID) {
    Log("GetRegistryEntryID");
    return GetRegistryEntryID(registryEntryID, SUPERDISPATCH);
}

info.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>IOKitPersonalities</key>
	<dict>
		<key>epusbfilter</key>
		<dict>
			<key>CFBundleIdentifier</key>
			<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
			
            <key>CFBundleIdentifierKernel</key>
            <string>com.apple.kpi.iokit</string>
            
			<key>IOProviderClass</key>
			<string>IOUSBHostInterface</string>
			
            <key>IOClass</key>
            <string>IOUserUserClient</string>
			
<!--            <key>IOResourceMatch</key>-->
<!--			<string>IOKit</string>-->
			
            <key>IOUserClass</key>
			<string>epusbfilter</string>
			
            <key>IOUserServerName</key>
			<string>com.injection.epusbfilter.dext</string>
			
<key>bConfigurationValue</key>
<integer>1</integer>-->
			
        <key>bInterfaceNumber</key>
 <integer>0</integer>
 
            <key>idVendor</key>
            <string>*</string>
            <key>idProduct</key>
            <string>*</string>
            
            
            <key>UserClientProperties</key>
            <dict>
                <key>IOClass</key>
                <string>IOUserUserClient</string>
                <key>IOUserClass</key>
                <string>epusbfilter</string>
            </dict>
            
		</dict>
	</dict>
</dict>
</plist>

entitlements:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	
    <key>com.apple.developer.driverkit</key>
	<true/>
	
    <key>com.apple.developer.driverkit.transport.usb</key>
	<array>
        <dict>
        <key>idVendor</key>
        <string>*</string>
        <key>idProduct</key>
        <string>*</string>
        </dict>
    </array>
    
    
</dict>
</plist>

Error 9 is OSSystemExtensionErrorValidationFailed.

It appears that DriverKit does not support the 'Sign to Run Locally' option on M1 devices.

Sign to Run Locally has its uses [1] but for day-to-day development I encourage you to use an Apple Development signing identity. This has a couple of key benefits:

  • It’s stable, so the system can know that build N+1 of your product is the ‘same’ as build N.

  • It can be associated with a provisioning profile.

Note If you’re curious how this works, TN3125 Inside Code Signing: Provisioning Profiles explains how profiles are associated with code and TN3127 Inside Code Signing: Requirements discusses how macOS uses code signing requirements to track code identity.

To resolve this issue, I switched to using the 'Apple Development' signing certificate.

Good.

Unfortunately, even after making this change, I still received an error message regarding 'Sign to Run Locally' from the Xcode console.

What does the message say exactly?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] For example, it’s very important to folks like Homebrew.

@eskimo "Unfortunately, even after making this change, I still received an error message regarding 'Sign to Run Locally' from the Xcode console." That means I adjusted the project signing settings by enabling automatic management of code signing and setting the signing certificate to 'Apple Development'. Despite these adjustments, I still encountered the error message "The operation couldn't be completed. (OSSystemExtensionErrorDomain error 9.)"

Do I still need to request DriverKit entitlements from the developer website? However, when I visit https://developer.apple.com/system-extensions/, I don't see a 'request an entitlement' button. Additionally, when I access https://developer.apple.com/contact/request/system-extension/, it says 'Sorry, you cannot view this page'.

Do I still need to request DriverKit entitlements from the developer website?

The situation with DriverKit entitlements is complex. However, most of them are available for development-signed code without needing to request anything from Apple. For example, the Capabilities tab in the App ID editor lists “DriverKit (development)” with Platform Support as iOS and macOS and Distribution Support as Development.

For an explanation of how to view this stuff, see Finding a Capability’s Distribution Restrictions.

it says 'Sorry, you cannot view this page'.

Hmmm. IIRC that form is restricted to Individual and Organization teams. Are you a member of such a team?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo

IIRC that form is restricted to Individual and Organization teams. Are you a member of such a team?

On the account page, it shows that my role is admin. However, I am wondering if only the Account Holder has the ability to request entitlements for DriverKit.

Program: Apple Developer Program
Enrolled as: Organization
Your role: Admin

For example, the Capabilities tab in the App ID editor lists “DriverKit (development)” with Platform Support as iOS and macOS and Distribution Support as Development.

I have accessed the App ID Editor page and enabled "DriverKit (development)" and "DriverKit USB Transport (development)" under the Capabilities tab. I have also enabled "DriverKit" and "DriverKit USB Transport - VendorID" under the Additional Capabilities tab. However, when I run the app to activate my DEXT, I receive an error message stating "The operation couldn't be completed. (OSSystemExtensionErrorDomain error 9.)"

However, I am wondering if only the Account Holder has the ability to request entitlements for DriverKit.

Good question. I’m not able to fully test this but I suspect it might be the case. Probably the easiest way to check is to ask the Account Holder to give it a try.

However, when I run the app to activate my DEXT, I receive an error message stating The operation couldn't be completed. (OSSystemExtensionErrorDomain error 9.)

OSSystemExtensionErrorValidationFailed is very generic. My experience is that the sites that throw this error log more specific info to the system log. What do you see there?

Another way to slice this is to check the provisioning profile on your app and sysex to ensure that it authorises any restricted entitlements they claim. See Check for Unauthorised Entitlements in Resolving Code Signing Crashes on Launch.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
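
The profile check suggested in the reply above, as an added example (not code from this thread or from Apple). It compares the entitlements a signature claims, as printed by `codesign -d --entitlements - --xml <bundle>`, with the allowlist in a profile decoded by `security cms -D -i <profile>`. Both plists below are constructed samples, and the matching rules in `allowed` are a simplified assumption.

```python
import plistlib

# Constructed sample: entitlements claimed by the dext's signature (same keys as
# the entitlements file posted in this thread).
CLAIMED_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.driverkit</key><true/>
  <key>com.apple.developer.driverkit.transport.usb</key>
  <array><dict><key>idVendor</key><string>*</string></dict></array>
</dict></plist>"""

# Constructed sample: decoded profile that lacks the USB transport entitlement.
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Constructed sample profile</string>
  <key>Entitlements</key><dict>
    <key>com.apple.developer.driverkit</key><true/>
    <key>com.apple.application-identifier</key><string>TEAMID0000.*</string>
  </dict>
</dict></plist>"""

def allowed(claimed, granted):
    """Simplified allowlist match (assumption): '*' and 'prefix*' wildcards,
    membership for arrays, key-by-key match for dicts, equality otherwise."""
    if granted == "*":
        return True
    if isinstance(granted, str) and isinstance(claimed, str):
        return claimed == granted or (granted.endswith("*") and claimed.startswith(granted[:-1]))
    if isinstance(granted, list):
        items = claimed if isinstance(claimed, list) else [claimed]
        return all(any(allowed(c, g) for g in granted) for c in items)
    if isinstance(granted, dict) and isinstance(claimed, dict):
        return all(k in granted and allowed(v, granted[k]) for k, v in claimed.items())
    return claimed == granted

def unauthorised(claimed_xml, profile_xml):
    """Return {entitlement: reason} for claims the profile does not cover."""
    claimed = plistlib.loads(claimed_xml)
    granted = plistlib.loads(profile_xml).get("Entitlements", {})
    problems = {}
    for key, value in claimed.items():
        if key not in granted:
            problems[key] = "missing from profile"
        elif not allowed(value, granted[key]):
            problems[key] = "value not allowed by profile"
    return problems

if __name__ == "__main__":
    print(unauthorised(CLAIMED_XML, PROFILE_XML))
```

A key reported as missing matters only for restricted entitlements; unrestricted ones need no profile authorisation. Run the check for both the app and the system extension, since each carries its own signature and profile.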
