Endpoint Security and Developer ID Application certificate

Hi, we have recently been approved for the Endpoint Security entitlement on our account. We have an application (Go) that we need to assign this entitlement to and sign manually. We have packaged the entitlement correctly with the application. We have tried using a Developer ID Application certificate that we created before this entitlement was given to our account, and also a newly created certificate. However, the application crashes when it is launched, and I see the following error in the console logs (the full crash report is too big to post). Is there anything specific we need to do to attach the Endpoint Security entitlement to our certificate? Any help would be much appreciated; we have been stuck on this for a bit.

Thanks Sriram


Translated Report (Full Report Below)

Incident Identifier: EAA48D72-705A-420B-8179-6D9049A81657
CrashReporter Key:   4F18A957-F0B8-BE5D-A1D7-74191ABCF38A
Hardware Model:      MacBookPro14,1
Process:             endpoint-security-example-test [6728]
Path:                /Users/USER/*/endpoint-security-example-test
Identifier:          endpoint-security-example-test
Version:             ???
Code Type:           X86-64 (Native)
Role:                Unspecified
Parent Process:      zsh [2463]
Coalition:           com.apple.Terminal [1663]
Responsible Process: Terminal [2417]

Date/Time:           2024-07-31 13:34:45.7397 -0700
Launch Time:         2024-07-31 13:34:45.7294 -0700
OS Version:          macOS 13.6.8 (22G820)
Release Type:        User
Report Version:      104

Exception Type:      EXC_CRASH (SIGKILL (Code Signature Invalid))
Exception Codes:     0x0000000000000000, 0x0000000000000000
Termination Reason:  CODESIGNING 1 Taskgated Invalid Signature

Triggered by Thread: 0

Thread 0 Crashed:
0   0x116b40070 _dyld_start + 0
1   ???   0x1 ???

Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x0000000000000000  rcx: 0x0000000000000000  rdx: 0x0000000000000000
  rdi: 0x0000000000000000  rsi: 0x0000000000000000  rbp: 0x0000000000000000  rsp: 0x00007ff7b0da09d0
   r8: 0x0000000000000000   r9: 0x0000000000000000  r10: 0x0000000000000000  r11: 0x0000000000000000
  r12: 0x0000000000000000  r13: 0x0000000000000000  r14: 0x0000000000000000  r15: 0x0000000000000000
  rip: 0x0000000116b40070  rfl: 0x0000000000000200  cr2: 0x0000000000000000

Logical CPU: 0
Error Code:  0x00000000
Trap Number: 0

Binary Images:
0x116b3b000 - 0x116bd6fff () <2b649d59-89d8-3db6-9ba4-a6aecba42f6e> ???
0x10f15f000 - 0x10f21afff () <9440f210-132b-3da1-b7f5-4d2d62bc8e0d> ???
0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???

Error Formulating Crash Report: dyld_process_snapshot_get_shared_cache failed

EOF

Answered by DTS Engineer in 798198022
Is there anything specific we need to do to attach the Endpoint Security entitlement to our certificate?

That question indicates that you’re missing a big-picture understanding of how entitlements work on our system. When you sign an executable with an entitlement, that represents a claim to that entitlement. That claim must be authorised by a provisioning profile [1]. Each profile authorises a specific collection of entitlements, developers, devices, and so on.

I go into this in great detail in TN3125 Inside Code Signing: Provisioning Profiles.

It sounds like your ES client has no profile at all. You’ll need to fix that. If your ES client is a daemon, as opposed to a system extension, you’ll need to rework its packaging. See Signing a daemon with a restricted entitlement.

I also recommend that you read Creating distribution-signed code for macOS. It outlines the process for signing code by hand on the Mac.

IMPORTANT When you sign your code, you must claim both the ES entitlement and the App ID entitlement (com.apple.application-identifier). Without that, the system may not be able to match your code to its profile.

You should also include the Team ID entitlement (com.apple.developer.team-identifier), just because that’s what Xcode does (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Except on macOS, where certain entitlements are unrestricted.
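The answer above describes the model the kernel enforces: an entitlement in the signature is a claim, and the embedded provisioning profile is what authorises it, with the App ID and Team ID entitlements being how the code is matched to its profile. The script below is an added example (not code from the thread, Apple, or the poster's project) that performs that cross-check offline. In the real workflow the two inputs come from `codesign -d --entitlements - --xml <binary>` and `security cms -D -i <path>/embedded.provisionprofile`; here both plists are constructed samples, and the team ID `ABCDE12345`, bundle ID `com.example.es-client`, and the rule that treats the `com.apple.developer.*` namespace as profile-restricted are assumptions for illustration, not Apple's actual policy tables.

```python
"""Cross-check the entitlements a signed macOS binary claims against the
provisioning profile embedded beside it (claim vs authorisation).

Real inputs would be produced with:
    codesign -d --entitlements - --xml <binary>            > claimed.plist
    security cms -D -i <bundle>/Contents/embedded.provisionprofile > profile.plist
Both plists below are CONSTRUCTED samples so the script runs offline.
"""
import datetime
import fnmatch
import plistlib

ES_CLIENT = "com.apple.developer.endpoint-security.client"
APP_ID = "com.apple.application-identifier"
TEAM_ID = "com.apple.developer.team-identifier"

# Constructed sample: what `codesign -d --entitlements - --xml` would print for
# a correctly signed ES client. Team ID and bundle ID are placeholders.
CLAIMED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.endpoint-security.client</key><true/>
  <key>com.apple.application-identifier</key><string>ABCDE12345.com.example.es-client</string>
  <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
</dict></plist>"""

# Constructed sample: the decoded Developer ID profile for that App ID.
PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>ES Client Developer ID</string>
  <key>Platform</key><array><string>OSX</string></array>
  <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
  <key>ProvisionsAllDevices</key><true/>
  <key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>com.apple.developer.endpoint-security.client</key><true/>
    <key>com.apple.application-identifier</key><string>ABCDE12345.com.example.es-client</string>
    <key>com.apple.developer.team-identifier</key><string>ABCDE12345</string>
  </dict>
</dict></plist>"""


def load_samples():
    """Parse the two constructed plists into dictionaries."""
    return plistlib.loads(CLAIMED_PLIST), plistlib.loads(PROFILE_PLIST)


def needs_profile(key: str) -> bool:
    """Assumed heuristic: entitlements in the com.apple.developer.* namespace
    are restricted and must be authorised by a profile; hardened-runtime and
    sandbox keys under com.apple.security.* are unrestricted on macOS."""
    return key.startswith("com.apple.developer.")


def value_authorised(claimed, allowed) -> bool:
    """Profile values may carry a trailing wildcard (e.g. 'ABCDE12345.*');
    list-valued entitlements must be a subset of what the profile grants."""
    if isinstance(allowed, str) and isinstance(claimed, str):
        return fnmatch.fnmatchcase(claimed, allowed)
    if isinstance(allowed, list) and isinstance(claimed, list):
        return all(any(fnmatch.fnmatchcase(c, a) for a in allowed) for c in claimed)
    return claimed == allowed


def check(claimed: dict, profile: dict, now=None) -> list:
    """Return a list of problems; an empty list means every claim is authorised."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    problems = []
    granted = profile.get("Entitlements", {})

    if "OSX" not in profile.get("Platform", []):
        problems.append("profile is not a macOS (OSX) profile")
    exp = profile.get("ExpirationDate")  # plistlib yields a naive UTC datetime
    if exp is not None and exp.replace(tzinfo=datetime.timezone.utc) < now:
        problems.append(f"profile expired on {exp:%Y-%m-%d}")

    # The answer's IMPORTANT note: without the App ID (and Team ID) claim the
    # system may not be able to match the code to its profile at all.
    for key in (APP_ID, TEAM_ID):
        if key not in claimed:
            problems.append(f"{key} is not claimed; the profile cannot be matched")
    if TEAM_ID in claimed and claimed[TEAM_ID] not in profile.get("TeamIdentifier", []):
        problems.append(f"{TEAM_ID}={claimed[TEAM_ID]!r} is not a team of this profile")
    if APP_ID in claimed and not value_authorised(claimed[APP_ID], granted.get(APP_ID, "")):
        problems.append(f"{APP_ID}={claimed[APP_ID]!r} does not match the profile's App ID")

    # Every other restricted claim must appear in the profile with a compatible value.
    for key, value in claimed.items():
        if key in (APP_ID, TEAM_ID) or not needs_profile(key):
            continue
        if key not in granted:
            problems.append(f"{key} is claimed but the profile does not authorise it")
        elif not value_authorised(value, granted[key]):
            problems.append(f"{key}: claimed {value!r}, profile allows {granted[key]!r}")
    return problems


if __name__ == "__main__":
    claimed, profile = load_samples()
    problems = check(claimed, profile)
    print("OK: every claimed entitlement is authorised" if not problems else "\n".join(problems))
```

Running it against the poster's real binary means feeding it the two decoded plists instead of the samples; a non-empty result points at exactly the mismatch that makes taskgated kill the process at launch (as in the report above), whereas an empty result with the crash still occurring suggests the profile is not where the loader looks for it, which is the packaging problem the answer refers to for daemons.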
