Capability for Provisioning Profile to enable MIE

My app uses a Provisioning Profile (as it bundles up a Network System Extension). I do not use "Automatically manage signing" as it causes code signing/deployment issues 🤷‍♂️

In Xcode (version 26), if I enable "Enhanced Security" and check "Enable Hardware Memory Tagging", Xcode states:

Provisioning profile "<>" doesn't include the com.apple.security.hardened-process.checked-allocations and com.apple.security.hardened-process.checked-allocations.soft-mode entitlements.

Normally to resolve such errors one simply adds the Capability in "Edit your App ID Configuration" and then regenerates the Provisioning Profile.

However, I don't see any such capability that would add these entitlements? (I thought "Hardened Process" would be the one - but alas, no).

Clicking the "for more information" link in Xcode to view the relevant(?) "Apple Developer Documentation" generates another error 😵‍💫

Didn't see anything in: https://developer.apple.com/documentation/xcode/enabling-enhanced-security-for-your-app

Answered by Developer Program Support in 860791022

@asfdadsfasdfasdfsasdafads This should now be fixed, but it requires creating a new provisioning profile to get the fix.

Can you try recreating the provisioning profile and see if that fixes the problem for you?

I believe this is a bug in Xcode. Entitlements in the com.apple.security. namespace are unrestricted on the Mac [1], that is, they don’t need to be authorised by a profile. If you leave off the Network Extension capability, the app will launch even though it claims these entitlements and has no profile. However, when you add a capability, like Network Extension, that has to be authorised by a profile, Xcode gets confused and tries to authorise these entitlements with that profile, which isn’t necessary or possible.

I suspect we already have a bug on file about this, but I encourage you to file your own bug about it. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] For more about these concepts, see TN3125 Inside Code Signing: Provisioning Profiles.
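The distinction drawn in the reply above, as an added example (not code from the thread or from Apple): it sorts an app's claimed entitlements into those in the unrestricted com.apple.security. namespace and those that a profile has to authorise. The function names, the sample plists and the value-matching rule (lists as allowlists, a trailing `*` as a prefix wildcard) are assumptions made for illustration.

```python
import plistlib

# Namespace the reply above describes as unrestricted on the Mac.
UNRESTRICTED_PREFIX = "com.apple.security."

def _allowed(claimed, granted):
    """Assumed rule: lists are allowlists, a trailing '*' is a prefix wildcard."""
    if isinstance(claimed, list):
        return all(_allowed(c, granted) for c in claimed)
    if isinstance(granted, list):
        return any(_allowed(claimed, g) for g in granted)
    if isinstance(granted, str) and granted.endswith("*"):
        return isinstance(claimed, str) and claimed.startswith(granted[:-1])
    return claimed == granted

def classify(entitlements_plist, profile_plist=None):
    """Both arguments are plist bytes: the entitlements claimed by the signed
    code, and the decoded profile (e.g. output of `security cms -D -i`)."""
    claimed = plistlib.loads(entitlements_plist)
    granted = plistlib.loads(profile_plist).get("Entitlements", {}) if profile_plist else {}
    report = {"unrestricted": [], "authorised": [], "unauthorised": []}
    for key, value in sorted(claimed.items()):
        if key.startswith(UNRESTRICTED_PREFIX):
            report["unrestricted"].append(key)      # no profile needed
        elif key in granted and _allowed(value, granted[key]):
            report["authorised"].append(key)        # covered by the profile
        else:
            report["unauthorised"].append(key)      # would block launch
    return report

# Constructed sample data; team ID and bundle ID are placeholders.
SAMPLE_ENTITLEMENTS = plistlib.dumps({
    "com.apple.security.hardened-process.checked-allocations": True,
    "com.apple.security.hardened-process.checked-allocations.soft-mode": True,
    "com.apple.developer.networking.networkextension": ["content-filter-provider"],
    "com.apple.application-identifier": "TEAMID1234.com.example.app",
})
SAMPLE_PROFILE = plistlib.dumps({"Entitlements": {
    "com.apple.developer.networking.networkextension":
        ["content-filter-provider", "packet-tunnel-provider"],
    "com.apple.application-identifier": "TEAMID1234.*",
}})

if __name__ == "__main__":
    for label, profile in (("with profile", SAMPLE_PROFILE), ("no profile", None)):
        print(label, classify(SAMPLE_ENTITLEMENTS, profile))
```

With the sample profile nothing is reported as unauthorised even though the profile never lists the two hardened-process entitlements, which is the behaviour the reply says Xcode should have.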
