Hi all,
I’ve run into a signing/entitlements problem that shows up only on Big Sur (11.x).
The very same .app launches perfectly on Monterey (12), Ventura (13), Sonoma (14 / 14.5) and Sequoia (15).
Failure on macOS 11
com.apple.xpc.launchd[1] (application.app.myapp.exams.566312.566318[1602]):
removing service since it exited with consistent failure –
OS_REASON_CODESIGNING |
When validating …/MyAppNameBlurred 3.13.1.app/Contents/MacOS/MyAppNameBlurred 3.13.1:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
Binary is improperly signed.
Launching from Terminal:
open -a "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app"
kLSNoLaunchPermissionErr (-10826) | Launchd job spawn failed with error: 153
What I’ve already checked
# signature itself
codesign -dvvv "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app"
# => valid, Authority = Developer ID Application, runtime enabled
# full deep/strict verification
codesign --verify --deep --strict -vvv "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app"
# => “satisfies its Designated Requirement”
# Gatekeeper assessment
spctl --assess --type execute --verbose=4 "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app"
# => accepted (override security disabled)
# embedded provisioning profile matches bundle ID
codesign -d --entitlements :- "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app" | plutil -p -
security cms -D -i "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app/Contents/embedded.provisionprofile" \
| plutil -extract Entitlements xml1 -o -
# => both show the AAC entitlement and everything looks in order
# notarization ticket
stapler validate "/Users/admin/Downloads/MyAppNameBlurred 3.13.1.app"
# => “The validate action worked!”
Deployment target: MACOSX_DEPLOYMENT_TARGET = 11.0
Entitlement added: com.apple.developer.automatic-assessment-configuration = true
Provisioning profile: generated this year via Developer ID, includes the assessment entitlement and nothing else unusual.
Runtime code: we call AEAssessmentSession's network configuration part only on 12 + (guarded with @available(macOS 12.0, *)).
Has anyone hit this mismatch on 11.x? Could Big Sur be expecting something older or idk?
Any pointers appreciated!
Thanks!
3
0
341