Endpoint Security signing issues

I'm trying to sign a macOS application which includes an Endpoint Security system extension. The profile for the extension has the capability added and the app profile has the System Extension capability added. Both targets also have the correct entitlements, but when validating the app after archiving I get the following error: "Profile doesn't support Endpoint Security." When looking in the logs I can see that Xcode is fetching a provisioning profile for the extension without the needed capability. If downloading the profile from the developer portal the correct capability is present. Could something be "out of sync" regarding what provisioning profiles Xcode fetches vs what I see on the developer portal?

If I try to archive using xcodebuild I get the following: "APP requires a provisioning profile with the System Extension feature." and ""BUNDLE_ID.systemextension" requires a provisioning profile with the Endpoint Security feature."

I have tried with automatic and manual signing but nothing seems to work.

Replies

The ES entitlement is managed, that is, you must apply for and be granted access to it. In some cases, especially with ES, the folks doing the approval only approve you for development. You have to apply again for distribution.

You can check this on the Developer website. See Finding a Capability’s Distribution Restrictions.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • For the endpoint security it shows nothing about distribution in the popover, but it says "Development Developer ID" in provisioning support. I'm not sure if that means it is development only or also Developer ID distribution?


For the endpoint security capability it shows as "Development Developer ID" under provisioning support. I don't know if that means it is development only or also Developer ID distribution?

it shows as "Development Developer ID" under provisioning support.

OK. The Developer ID part of that should cover direct distribution using Developer ID signing.

Try this:

  1. Go to the Certificates, Identifiers, and Profiles section of the Developer web site.

  2. In Identifiers, find your App ID.

  3. Make sure Additional Capabilities > Endpoint Security is checked on that App ID.

  4. In Profiles, create a new profile using that App ID. When asked to choose a profile type, select Distribution > Developer ID.

  5. Download that profile.

  6. Dump its entitlement allowlist. TN3125 Inside Code Signing: Provisioning Profiles explains how to do that.

What do you see?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
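
The check in step 6, as an added example that is not part of the original posts: it pulls the property list out of a provisioning profile blob and reports whether the entitlement allowlist contains the Endpoint Security key, which is how a stale or wrong profile like the one Xcode fetched would show up. The two sample profiles are constructed, the function names are hypothetical, and the CMS signature is not verified.

```python
import plistlib

ES_KEY = "com.apple.developer.endpoint-security.client"

def extract_payload(profile_bytes: bytes) -> dict:
    """Return the plist embedded in a .provisionprofile (CMS) blob.

    Inspection only: the CMS signature is NOT checked here. On macOS,
    TN3125 decodes the profile with `security cms -D -i <profile>`.
    """
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>", max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no embedded property list found")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])

def audit_profile(profile_bytes: bytes, required=(ES_KEY,)) -> dict:
    """Summarise a profile: name, device scope, missing allowlist keys."""
    payload = extract_payload(profile_bytes)
    allowlist = payload.get("Entitlements", {})
    if payload.get("ProvisionsAllDevices"):
        scope = "all-devices"   # seen in Developer ID profiles
    elif "ProvisionedDevices" in payload:
        scope = "device-list"   # seen in development profiles
    else:
        scope = "unknown"
    # A managed entitlement must be present and true in the allowlist.
    missing = [k for k in required if allowlist.get(k) is not True]
    return {"name": payload.get("Name"), "scope": scope, "missing": missing}

def _constructed_profile(payload: dict) -> bytes:
    """Build a fake blob: binary framing around an XML plist (sample data)."""
    return b"\x30\x82\x1f\x00" + plistlib.dumps(payload) + b"\x00\x31\x82"

# Constructed samples, not real profiles.
DEVID_PROFILE = _constructed_profile({
    "Name": "Constructed Developer ID",
    "ProvisionsAllDevices": True,
    "Entitlements": {ES_KEY: True},
})
STALE_PROFILE = _constructed_profile({
    "Name": "Constructed Development",
    "ProvisionedDevices": ["CONSTRUCTED-DEVICE-ID"],
    "Entitlements": {"com.apple.application-identifier": "TEAMID.example"},
})

if __name__ == "__main__":
    for blob in (DEVID_PROFILE, STALE_PROFILE):
        print(audit_profile(blob))
```

Running the same audit on both the profile downloaded from the portal and the one embedded in the archived extension shows whether the two differ.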

The profile says <key>com.apple.developer.endpoint-security.client</key> <true/>, so I guess endpoint security is correctly added to the profile. When trying to archive using xcodebuild we also get this error:

error: exportArchive: There is a problem with the request entity

Error Domain=DeveloperAPIServiceErrorDomain Code=5 "There is a problem with the request entity" UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedRecoverySuggestion=You already have a current Developer ID Application Managed (With Kext) certificate or a pending certificate request., NSLocalizedDescription=There is a problem with the request entity}

I have the Developer ID certificate on my machine, but for some reason we get this error from the Developer API. We have tried on multiple Macs with the same error. We have multiple Developer ID certificates. I have no idea what a pending certificate is or where to see those?

I’m not sure what’s going on here. I don’t see any way to debug this without digging into your developer account setup, and that’s not something we can do here on DevForums. I recommend that you seek formal support via Apple > Developer > Contact Us.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Could you help get my ticket looked into? I have only gotten a generic reply so far. Case number: 102278105696