Reply to Working, signed, notarized app will not run on another system
I am using sudo -su.

I did not add "com.apple.developer.team-identifier" to my entitlements. I am using Xcode to build and archive, but I am manually signing and notarizing. I created a disk image using a script I found in another of your posts: (Manual Code Signing Example)

Here is some more information on the executable:

    #codesign -dv --verbose=4 ./DaemonInAppsClothing
    Executable=/Library/Application Support/DaemonInAppsClothing/DaemonInAppsClothing.app/Contents/MacOS/DaemonInAppsClothing
    Identifier=Fidelis.DaemonInAppsClothing
    Format=app bundle with Mach-O thin (x86_64)
    CodeDirectory v=20500 size=1032 flags=0x10000(runtime) hashes=21+7 location=embedded
    VersionPlatform=1
    VersionMin=786688
    VersionSDK=786688
    Hash type=sha256 size=32
    CandidateCDHash sha256=8a7f854608607af4862cc81643c9a694e645b990
    CandidateCDHashFull sha256=8a7f854608607af4862cc81643c9a694e645b990a283366dce26b3000f6bff05
    Hash choices=sha256
    CMSDigest=8a7f854608607af4862cc81643c9a694e645b990a283366dce26b3000f6bff05
    CMSDigestType=2
    Executable Segment base=0
    Executable Segment limit=32768
    Executable Segment flags=0x1
    Page size=4096
    CDHash=8a7f854608607af4862cc81643c9a694e645b990
    Signature size=9003
    Authority=Developer ID Application: Fidelis Cybersecurity, INC (AMLU8UA7F6)
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Timestamp=Feb 28, 2022 at 10:12:08 AM
    Info.plist entries=20
    TeamIdentifier=AMLU8UA7F6
    Runtime Version=12.1.0
    Sealed Resources version=2 rules=13 files=944
    Internal requirements count=1 size=64

So I think somehow it does know my identity, but something I changed recently won't let it run on 11.X. It now tells me I need version 12.1 or newer for this app.
Topic: Code Signing SubTopic: Entitlements Tags:
Mar ’22
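As an added example (not part of the original post and not Apple's tooling), this Python parser reads the `codesign -dv --verbose=4` fields quoted above and reports the signing leaf, the hardened-runtime flag and the minimum OS. It assumes `VersionMin` and `VersionSDK` use the packed Mach-O encoding (major in the high 16 bits, minor and patch in one byte each), under which 786688 is 12.1.0; all function names are hypothetical.

```python
import re

# Sample input: a subset of the codesign fields quoted in the post above.
SAMPLE = """\
Identifier=Fidelis.DaemonInAppsClothing
CodeDirectory v=20500 size=1032 flags=0x10000(runtime) hashes=21+7 location=embedded
VersionPlatform=1
VersionMin=786688
VersionSDK=786688
Authority=Developer ID Application: Fidelis Cybersecurity, INC (AMLU8UA7F6)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=AMLU8UA7F6
"""

def decode_version(packed):
    """Assumed packed X.Y.Z encoding: major in the high 16 bits, minor and patch one byte each."""
    return f"{packed >> 16}.{(packed >> 8) & 0xFF}.{packed & 0xFF}"

def _triple(version):
    """Turn '11.6' into (11, 6, 0) so versions compare component by component."""
    parts = [int(p) for p in version.split(".")] + [0, 0]
    return tuple(parts[:3])

def parse_codesign(text):
    """Collect the fields that decide where the code will launch and who signed it."""
    info = {"authorities": [], "flags": set()}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["authorities"].append(value)  # leaf certificate first, root last
        elif key in ("VersionMin", "VersionSDK"):
            info[key] = decode_version(int(value))
        elif key in ("Identifier", "TeamIdentifier"):
            info[key] = value
        elif key.startswith("CodeDirectory"):
            m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", line)
            if m:
                info["flags"] = set(m.group(1).split(","))
    return info

def leaf_kind(info):
    """Classify the signing certificate by the prefix of the first Authority line."""
    leaf = info["authorities"][0] if info["authorities"] else ""
    for kind in ("Developer ID Application", "Apple Development"):
        if leaf.startswith(kind + ":"):
            return kind
    return "other"

def meets_min_os(info, os_version):
    """True when os_version is at least the decoded VersionMin."""
    return _triple(os_version) >= _triple(info["VersionMin"])

if __name__ == "__main__":
    info = parse_codesign(SAMPLE)
    print(leaf_kind(info), info["VersionMin"], meets_min_os(info, "11.6"))
```

The same decoding gives 11.0.0 for the `VersionMin=720896` value that appears in the later posts on this page.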
Reply to Killed -9 when running app signed with endpoint security
I have this working now. First, I changed my code structure:

    ProtectOnAccess.app
    ProtectOnAccess.app/Contents
    ProtectOnAccess.app/Contents/_CodeSignature
    ProtectOnAccess.app/Contents/_CodeSignature/CodeResources
    ProtectOnAccess.app/Contents/MacOS
    ProtectOnAccess.app/Contents/MacOS/ProtectOnAccess
    ProtectOnAccess.app/Contents/Resources
    ProtectOnAccess.app/Contents/Resources/Info.plist
    ProtectOnAccess.app/Contents/embedded.provisionprofile
    ProtectOnAccess.app/Contents/Info.plist
    ProtectOnAccess.app/Contents/PkgInfo

I removed these folders:

    ProtectOnAccess.app//Contents/_CodeSignature/CodeDirectory
    ProtectOnAccess.app//Contents/_CodeSignature/CodeRequirements-1
    ProtectOnAccess.app//Contents/_CodeSignature/CodeSignature
    ProtectOnAccess.app//Contents/_CodeSignature/CodeRequirements

Next thing I had to do was change my executable name from protect_am to ProtectOnAccess in order to match what was in the CFBundleExecutable property in Info.plist.

Finally, when copying my code to the Application Support folder, I needed to remove what was there previously and then copy in the new application. This assigns a new inode to the files, which avoids a bug where the cached kernel copy of the executable is not refreshed.

Thanks, Quinn!
Topic: Privacy & Security SubTopic: General Tags:
Apr ’22
Reply to Endpoint Security Sample Code will not run extension
It doesn't look like it:

    ps ajxww|grep -i sysex|grep -v grep
    root 6290 1 6290 0 0 Ss ?? 0:00.16 /System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd
    ps ajxww|grep -i endpoint|grep -v grep
    root 75 1 75 0 0 Ss ?? 0:00.02 endpointsecurityd

I don't believe I have seen an ES man page, and that link you added doesn't take you there either.
Topic: Privacy & Security SubTopic: General Tags:
May ’22
Reply to Endpoint Security Sample Code will not run extension
Yes, it is correct. Here is the email I received:

Hello,

Your request to use Endpoint Security was approved. You will need to enable two capabilities for your Bundle ID.

Click Identifiers in the sidebar, then select the Mac App ID that you will use for Endpoint Security.
Under Capabilities, enable System Extension.
Under Additional Capabilities, enable Endpoint Security.
Click Save in the top-right of the page, review the alert that appears, and confirm if you accept the changes.

Then generate a new provisioning profile for your App ID by clicking Profiles in the sidebar and the Add button (+) in the upper-left corner.

Once your profile has been created, you'll need to configure your Xcode project for manual code signing. If your Xcode project doesn't already have an entitlements file, create a new property list file and change its extension from .plist to .entitlements. Add the keys and values of the entitlements used in your project to the .entitlements file, then follow the rest of the Xcode manual signing process.

For troubleshooting, see Technote 2415 Entitlements Troubleshooting and Debugging Entitlement Issues. If you need additional support, visit the Apple Developer Forums or submit a Technical Support Incident.

Best regards,
Apple Developer Relations

I am using the correct developer ID signing certificate for both the app and the extension:

Having gone through this process three times now, with the same results, I'm sure something is missing in the documentation. Obviously, someone has been able to run this prior to my attempts.
Topic: Privacy & Security SubTopic: General Tags:
May ’22
Reply to Endpoint Security Sample Code will not run extension
I have not been able to get past the build step even with the Apple developer ID. Xcode produces this output:

    Showing All Messages
    CodeSign /Users/dburns/Library/Developer/Xcode/DerivedData/SampleEndpointApp-gluqgtgmgmygtkhgptdeksvjhymc/Build/Products/Debug/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension (in target 'Extension' from project 'SampleEndpointApp')
        cd /Users/dburns/Downloads/MonitoringSystemEventsWithEndpointSecurity
        export CODESIGN_ALLOCATE\=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate

        Signing Identity:     "Apple Development: Darrell Burns (Z28Q26L68P)"
        Provisioning Profile: "Mac Team Provisioning Profile: *"
                              (122c0ef2-e0dd-46ba-aaf0-e328878c59ba)

        /usr/bin/codesign --force --sign B841650ADB2CD18298DB8682592DEE4D546B3A81 -o runtime --entitlements /Users/dburns/Library/Developer/Xcode/DerivedData/SampleEndpointApp-gluqgtgmgmygtkhgptdeksvjhymc/Build/Intermediates.noindex/SampleEndpointApp.build/Debug/Extension.build/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension.xcent --timestamp\=none --generate-entitlement-der /Users/dburns/Library/Developer/Xcode/DerivedData/SampleEndpointApp-gluqgtgmgmygtkhgptdeksvjhymc/Build/Products/Debug/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension
    B841650ADB2CD18298DB8682592DEE4D546B3A81: no identity found
    Command CodeSign failed with a nonzero exit code

Having verified that the signing identity is actually there, and valid, not sure what else to do:

    Policy: X.509 Basic
      Matching identities
      1) EED3A8A1BF2EA9067467F2114813C5A0F50D5F01 "Developer ID Application: Fidelis Cybersecurity, INC (AMLU8U****)"
      2) 2059C6EC07FD91BB9AC933E5059BE41374E2103C "Apple Development: Darrell Burns (Z28Q26L68P)"
         2 identities found

      Valid identities only
      1) EED3A8A1BF2EA9067467F2114813C5A0F50D5F01 "Developer ID Application: Fidelis Cybersecurity, INC (AMLU8U****)"
      2) 2059C6EC07FD91BB9AC933E5059BE41374E2103C "Apple Development: Darrell Burns (Z28Q26L68P)"
         2 valid identities found
Topic: Privacy & Security SubTopic: General Tags:
Jun ’22
Reply to Endpoint Security Sample Code will not run extension
Thank you. I was able to fix the signing, and build the sample. I deployed it following the instructions at Monitoring System Events with Endpoint Security. It is still not working!

    2022-06-24 10:03:41.336276-0700 0x2afd13a Error 0x0 10092 0 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] Disallowing: com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension
    2022-06-24 10:03:41.336858-0700 0x2afd136 Default 0x0 58495 0 amfid: /Library/SystemExtensions/29740531-05AF-45A5-86BA-B90086AD3947/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension signature not valid: -67671
    2022-06-24 10:03:41.336976-0700 0x2afd31d Default 0x0 0 0 kernel: mac_vnode_check_signature: /Library/SystemExtensions/29740531-05AF-45A5-86BA-B90086AD3947/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension: code signature validation failed fatally: When validating /Library/SystemExtensions/29740531-05AF-45A5-86BA-B90086AD3947/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension:
    2022-06-24 10:03:41.337005-0700 0x2afd31d Default 0x0 0 0 kernel: proc 10165: load code signature error 4 for file "com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension"
    2022-06-24 10:03:41.337947-0700 0x2afd31e Default 0x0 0 0 kernel: com.example.apple-samplecode.Sam[10165] Corpse allowed 1 of 5
    2022-06-24 10:03:43.610407-0700 0x2afd13d Default 0x0 74723 0 ReportCrash: Formulating fatal 309 report for corpse[10165] com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extensi
    2022-06-24 10:03:43.612784-0700 0x2afd13d Default 0x0 74723 0 ReportCrash: Unable to find store record for 'file:///Library/SystemExtensions/29740531-05AF-45A5-86BA-B90086AD3947/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/': Error Domain=NSOSStatusErrorDomain Code=-10811 "kLSNotAnApplicationErr: Item needs to be an application, but is not" UserInfo={_LSLine=175, _LSFunction=_LSFindBundleWithInfo_NoIOFiltered}
    2022-06-24 10:03:43.628775-0700 0x2afd13d Default 0x0 74723 0 ReportCrash: com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension is not a MetricKit client
    2022-06-24 10:03:43.629125-0700 0x2afd13d Default 0x0 74723 0 ReportCrash: (CoreAnalytics) [com.apple.CoreAnalytics.stability-event:event-send] Sending event: com.apple.stability.crash {"bundleID":"com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension","bundleVersion":"1","exceptionCodes":"0x0000000000000000, 0x0000000000000000(\n 0,\n 0\n)EXC_CRASHSIGKILL (Code Signature Invalid)","incidentID":"81CBD9E8-3A8D-4A7A-88CF-628648696D26","logwritten":0,"process":"com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extensi","terminationReasonExceptionCode":"0x1","terminationReasonNamespace":"CODESIGNING"}
    2022-06-24 10:03:43.630773-0700 0x2afd1fc Default 0x0 221 0 analyticsd: [com.apple.CoreAnalytics.stability-event:event-recv] Received event: com.apple.stability.crash {"bundleID":"com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension","bundleVersion":"1","exceptionCodes":"0x0000000000000000, 0x0000000000000000(\n 0,\n 0\n)EXC_CRASHSIGKILL (Code Signature Invalid)","incidentID":"81CBD9E8-3A8D-4A7A-88CF-628648696D26","logwritten":0,"process":"com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extensi","terminationReasonExceptionCode":"0x1","terminationReasonNamespace":"CODESIGNING"}
    2022-06-24 10:03:43.631178-0700 0x2afd1fc Default 0x0 221 0 analyticsd: [com.apple.CoreAnalytics.stability-event:event-aggregated] Aggregated. Transform: StabilityC
Topic: Privacy & Security SubTopic: General Tags:
Jun ’22
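As an added example (not part of the original post), this Python triage script pulls the code-signing rejection events out of log lines like the ones quoted above and orders them per binary, so the earliest rejecting component is visible at a glance. The column layout in `LINE`, the three rule names and the function names are assumptions made for this example; the numeric codes are extracted as-is and not interpreted.

```python
import re

EXT = "com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension"
PATH = ("/Library/SystemExtensions/29740531-05AF-45A5-86BA-B90086AD3947/"
        f"{EXT}.systemextension/Contents/MacOS/{EXT}")
# Sample input: three of the log lines quoted in the post above.
SAMPLE = f"""\
2022-06-24 10:03:41.336276-0700 0x2afd13a Error 0x0 10092 0 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] Disallowing: {EXT}
2022-06-24 10:03:41.336858-0700 0x2afd136 Default 0x0 58495 0 amfid: {PATH} signature not valid: -67671
2022-06-24 10:03:41.337005-0700 0x2afd31d Default 0x0 0 0 kernel: proc 10165: load code signature error 4 for file "{EXT}"
"""

# Assumed columns: timestamp, thread, type, activity, pid, ttl, then "process: message".
LINE = re.compile(r"^(\S+ \S+) 0x[0-9a-f]+ +\w+ +0x[0-9a-f]+ +(\d+) +\d+ +([^:]+): (.*)$")

# (event name, emitting process, pattern over the message); names are this example's own.
RULES = [
    ("profile_disallowed", "taskgated-helper",
     re.compile(r"Disallowing: (?P<subject>\S+)")),
    ("signature_invalid", "amfid",
     re.compile(r"(?P<subject>\S+) signature not valid: (?P<code>-?\d+)")),
    ("kernel_load_failed", "kernel",
     re.compile(r'load code signature error (?P<code>\d+) for file "(?P<subject>[^"]+)"')),
]

def triage(text):
    """Return one dict per recognised code-signing event, in input order."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when, pid, process, message = m.groups()
        for name, proc, pattern in RULES:
            hit = pattern.search(message) if proc == process else None
            if hit:
                code = hit.groupdict().get("code")
                events.append({
                    "time": when, "pid": int(pid), "process": process, "event": name,
                    # amfid logs a full path; key every event on the binary name.
                    "subject": hit["subject"].rsplit("/", 1)[-1],
                    "code": int(code) if code is not None else None,
                })
    return events

def chains(events):
    """Group event names by binary in timestamp order (all lines share one UTC offset)."""
    by_subject = {}
    for e in sorted(events, key=lambda e: e["time"]):
        by_subject.setdefault(e["subject"], []).append(e["event"])
    return by_subject

if __name__ == "__main__":
    for subject, names in chains(triage(SAMPLE)).items():
        print(subject, "->", " > ".join(names))
```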
Reply to Endpoint Security Sample Code will not run extension
It seems the extension is signed...can you help me figure out what is wrong here?

    Executable=/Library/SystemExtensions/34B35D7A-4544-4CE1-BEB1-E32288BBEFA4/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension
    Identifier=com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension
    Format=bundle with Mach-O thin (arm64)
    CodeDirectory v=20500 size=814 flags=0x10000(runtime) hashes=13+7 location=embedded
    VersionPlatform=1
    VersionMin=720896
    VersionSDK=786688
    Hash type=sha256 size=32
    CandidateCDHash sha256=6db8ab895938ee314fbfc13c499039a686e16ed8
    CandidateCDHashFull sha256=6db8ab895938ee314fbfc13c499039a686e16ed8028605163e830d7fd01d3806
    Hash choices=sha256
    CMSDigest=6db8ab895938ee314fbfc13c499039a686e16ed8028605163e830d7fd01d3806
    CMSDigestType=2
    Executable Segment base=0
    Executable Segment limit=16384
    Executable Segment flags=0x1
    Page size=4096
    CDHash=6db8ab895938ee314fbfc13c499039a686e16ed8
    Signature size=4796
    Authority=Apple Development: Darrell Burns (Z28Q26L68P)
    Authority=Apple Worldwide Developer Relations Certification Authority
    Authority=Apple Root CA
    Signed Time=Jun 24, 2022 at 9:20:55 AM
    Info.plist entries=22
    TeamIdentifier=AMLU8UA7F6
    Runtime Version=12.1.0
    Sealed Resources version=2 rules=13 files=1
    Internal requirements count=1 size=232

    sh-3.2# codesign -vvv com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension
    com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension: valid on disk
    com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension: satisfies its Designated Requirement
Topic: Privacy & Security SubTopic: General Tags:
Jun ’22
Reply to Sample Endpoint Security App will not run
Yes. Please refer to this post to see previous communications about this. I decided to start fresh on a new Mac. I have looked at the codesign information:

    /Applications % codesign -dv --verbose=4 ./SampleEndpointApp.app
    Executable=/Applications/SampleEndpointApp.app/Contents/MacOS/SampleEndpointApp
    Identifier=com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6
    Format=app bundle with Mach-O thin (arm64)
    CodeDirectory v=20500 size=868 flags=0x10000(runtime) hashes=15+7 location=embedded
    VersionPlatform=1
    VersionMin=720896
    VersionSDK=786688
    Hash type=sha256 size=32
    CandidateCDHash sha256=7596c38c1169ea807385bc1751506a993d08f615
    CandidateCDHashFull sha256=7596c38c1169ea807385bc1751506a993d08f615944fa87b47681c57703b1fc7
    Hash choices=sha256
    CMSDigest=7596c38c1169ea807385bc1751506a993d08f615944fa87b47681c57703b1fc7
    CMSDigestType=2
    Executable Segment base=0
    Executable Segment limit=16384
    Executable Segment flags=0x1
    Page size=4096
    CDHash=7596c38c1169ea807385bc1751506a993d08f615
    Signature size=4796
    Authority=Apple Development: Darrell Burns (Z28Q26L68P)
    Authority=Apple Worldwide Developer Relations Certification Authority
    Authority=Apple Root CA
    Signed Time=Aug 2, 2022 at 2:40:28 PM
    Info.plist entries=24
    TeamIdentifier=AMLU8UA7F6
    Runtime Version=12.1.0
    Sealed Resources version=2 rules=13 files=9
    Internal requirements count=1 size=220

And for the extension:

    /Applications % codesign -dv --verbose=4 ./com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension
    Executable=/Applications/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension
    Identifier=com.example.apple-samplecode.SampleEndpointAppAMLU8UA7F6.Extension
    Format=bundle with Mach-O thin (arm64)
    CodeDirectory v=20500 size=814 flags=0x10000(runtime) hashes=13+7 location=embedded
    VersionPlatform=1
    VersionMin=720896
    VersionSDK=786688
    Hash type=sha256 size=32
    CandidateCDHash sha256=84a463d75d20dda7d3f6cb06b0e0918c97abcd11
    CandidateCDHashFull sha256=84a463d75d20dda7d3f6cb06b0e0918c97abcd11f06e22935170b78ada232113
    Hash choices=sha256
    CMSDigest=84a463d75d20dda7d3f6cb06b0e0918c97abcd11f06e22935170b78ada232113
    CMSDigestType=2
    Executable Segment base=0
    Executable Segment limit=16384
    Executable Segment flags=0x1
    Page size=4096
    CDHash=84a463d75d20dda7d3f6cb06b0e0918c97abcd11
    Signature size=4796
    Authority=Apple Development: Darrell Burns (Z28Q26L68P)
    Authority=Apple Worldwide Developer Relations Certification Authority
    Authority=Apple Root CA
    Signed Time=Aug 2, 2022 at 2:29:15 PM
    Info.plist entries=22
    TeamIdentifier=AMLU8UA7F6
    Runtime Version=12.1.0
    Sealed Resources version=2 rules=13 files=1
    Internal requirements count=1 size=232

This seems correct to me. I am also allowing Xcode to do automatic signing.
Topic: Privacy & Security SubTopic: General Tags:
Aug ’22
Reply to unable to build chain to self-signed root for signer
To add additional information, I tried creating a new user account and importing the certificate there, but in order to do that, I need to export the .p12 from the original account. The problem is that when I try to export it, I get “An invalid key was encountered”, despite the fact the CSR was generated on that account, and certificate assistant evaluates the certificate as good for both general and signing.
Topic: Code Signing SubTopic: General Tags:
Jun ’25
Reply to unable to build chain to self-signed root for signer
Well, it's clear that the keychain is hosed. I'm going to create a new keychain and resubmit for a developer ID. I hate to burn another one, and my hope is that maybe you have the access to revoke and/or delete the previous one I created? If so, please let me know the process for that. The private key is lost/corrupted anyway, and we have not yet successfully signed or released any product with that ID.
Topic: Code Signing SubTopic: General Tags:
Jun ’25