"SYSTEM EXTENSION" entitlements in framework

Hello everyone! I'm developing a framework and an app for macOS for PCI devices. For communication with DriverKit, I'm verifying by giving userclient access entities of system extension to app. However, the app is just a sample program, and our customer is trying to develop the app using a framework with PCI communication part. Is there a way to build a framework with my company's signature, and to build and execute it without acquiring userclient access elements by any chance by a customer developer? Moreover, userclient access is only available to developers who have subscribed to the Apple Developer Program, so I hope that client/developers do not need to obtain separate entries.

Is there a way to build a framework with my company's signature, and to build and execute it without acquiring userclient access elements by any chance by a customer developer?

No. Entitlements are only effective on a main executable. Assuming that the executable is signed correctly, the process that executes it gains those entitlements. Entitlements applied to a framework are, at best, ineffective [1].

One option here is to ship a daemon that acts as a front end to your hardware. That daemon is signed by you, and thus can have the necessary entitlements to talk to your DriverKit driver. That daemon can then present an interface — using, for example, XPC — that other apps can use to talk to the hardware indirectly.

However, this isn’t trivial to do, and is probably not possible in a Mac App Store app.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] And, at worst, can cause trusted execution problems.
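
The daemon front end described in the answer above, as an added example that is not part of the original thread and is not Apple's code: the daemon opens the DriverKit user client itself and offers one validated call over XPC. The `HardwareBridge` protocol, the names `ExamplePCIDriver` and `com.example.pcibridge`, selector 0 and the 64-register limit are all assumptions.

```swift
import Foundation
import IOKit

// Hypothetical XPC interface the daemon offers to client apps.
@objc protocol HardwareBridge {
    func readRegister(_ index: UInt64, reply: @escaping (UInt64, Int32) -> Void)
}

final class Bridge: NSObject, HardwareBridge, NSXPCListenerDelegate {
    private var driver: io_connect_t = 0

    // Open the user client once. The open is authorised by the entitlement on
    // this daemon's own main executable, so client apps need none.
    func openDriver() -> Bool {
        // "ExamplePCIDriver" is a placeholder service name.
        let service = IOServiceGetMatchingService(kIOMainPortDefault,
                                                  IOServiceNameMatching("ExamplePCIDriver"))
        guard service != 0 else { return false }
        defer { IOObjectRelease(service) }
        return IOServiceOpen(service, mach_task_self_, 0, &driver) == KERN_SUCCESS
    }

    // Clients reach the hardware only through this narrow, validated call.
    func readRegister(_ index: UInt64, reply: @escaping (UInt64, Int32) -> Void) {
        guard index < 64 else { return reply(0, KERN_INVALID_ARGUMENT) }  // assumed register count
        let input: [UInt64] = [index]
        var output: [UInt64] = [0]
        var outputCount: UInt32 = 1
        // Selector 0 is a placeholder for the driver's "read register" method.
        let kr = IOConnectCallScalarMethod(driver, 0, input, 1, &output, &outputCount)
        reply(output[0], kr)
    }

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection connection: NSXPCConnection) -> Bool {
        connection.exportedInterface = NSXPCInterface(with: HardwareBridge.self)
        connection.exportedObject = self
        connection.resume()
        return true
    }
}

let bridge = Bridge()
guard bridge.openDriver() else { exit(EXIT_FAILURE) }
// Placeholder Mach service name; it must match the daemon's launchd property list.
let listener = NSXPCListener(machServiceName: "com.example.pcibridge")
listener.delegate = bridge
listener.resume()
RunLoop.main.run()
```

Because this listener accepts every connection, the exported methods are the only access control in front of the driver, so each one has to bound and validate its arguments. On macOS 13 and later, `NSXPCListener.setConnectionCodeSigningRequirement(_:)` can additionally restrict which signed clients may connect.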

I recently received a message saying

The entitlement for DriverKit UserClient Access, DriverKit has been assigned to your account, and you can now configure this capability for eligible apps. If you’re enrolled as an organization, Admins on your team can also use this capability.

Since this is my first time dealing with entitlements, I have a very stupid question, i.e. based on this email, can I develop code and run it on the framework provided by hvkc?

I have a very stupid question

Actually, that’s a very complicated question )-: And it’s hard to answer without knowing more about how your code is set up and how the driver you’re trying to talk to is set up. Given the latter, I’m going to defer to hvkc on this one.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
