Hello, I’m encountering a confusing issue on macOS related to distributing a notarized app via PKG inside a DMG, built in a Docker environment. Here’s the full workflow: Steps: I build and notarize my macOS app on macOS. I package the app into a PKG and also notarize the PKG. I put the PKG and additional resources into a Docker container. Inside Docker, I download the resources and use genisoimage to create a DMG containing the PKG + resources. I mount the DMG on macOS, then double-click the PKG inside the DMG to install the app. After installation, when I try to open the app, macOS reports: “App is damaged and can’t be opened. You should move it to the Trash.” However, if I first copy the PKG from the DMG to /tmp via a script, then run the installation, the app opens and runs correctly. Observations: Both the app and PKG are properly notarized. This only happens when installing directly from the DMG built via Docker + genisoimage. Copying to a temporary location seems to bypass the issue. Using hdiutil to create the DMG may mitigate the issue, but I need to reproduce this in a Docker-based CI/CD workflow. Questions: Why does installing a notarized PKG directly from a DMG generated in Docker via genisoimage sometimes cause macOS to report the app as damaged? Could this be related to quarantine/xattr, permissions, or some subtle notarization issue when creating DMGs in Docker? What is the recommended way to structure DMG + PKG in an automated environment to ensure Gatekeeper and notarization work correctly? Thanks in advance for any insights or guidance!

My app uses CGEventTapCreateForPid to monitor keyboard events of a corresponding process. My app has already enabled the Accessibility permission, and AXIsProcessTrustedWithOptions returns true. However, CGEventTapCreateForPid returns null. What could be the problem? Does anyone know? I tested and found that if CGEventTapCreateForPid returns null, I can reset the Accessibility permission using tccutil reset Accessibility myapp_bundleid without restarting my app. But my app can still get the permission through AXIsProcessTrustedWithOptions

I have created a USB filter using Mac DriverKit, but the filter is unable to retrieve configuration information during startup. After the USB filter has started and registered the service, my app can send the configuration information to the filter. Therefore, I would like to know if there is a way to exit the USB filter and allow the system to take control of the USB device once the filter has exited. I have tried calling Terminate(0), but it did not work as even after the USB filter exited, the Finder still couldn't display the USB device.

I want to use DriverKit to develop a USBDriver, which serves as a bridge between USB devices and the system. All messages between USB devices and the system will be forwarded through the USBDriver. Can anyone give me some tips or suggestions? What API should I use? I couldn't find anything like this in the documentation or sample code. class MyUSBDriver: public IOUserClient { public: virtual bool init() override; virtual kern_return_t Start(IOService * provider) override; virtual kern_return_t Stop(IOService * provider) override; virtual void free() override; virtual kern_return_t GetRegistryEntryID(uint64_t * registryEntryID) override; virtual kern_return_t NewUserClient(uint32_t type, IOUserClient** userClient) override; virtual kern_return_t ExternalMethod(uint64_t selector, IOUserClientMethodArguments* arguments, const IOUserClientMethodDispatch* dispatch, OSObject* target, void* reference) override; }; I am now able to retrieve the device descriptor in the Start method IOUSBHostDevice *device = OSDynamicCast(IOUSBHostDevice, provider); if (device) { const IOUSBDeviceDescriptor *deviceDescriptor = device->CopyDeviceDescriptor(); if (deviceDescriptor) { uint16_t idVendor = deviceDescriptor->idVendor; uint16_t idProduct = deviceDescriptor->idProduct; uint8_t iSerialNumber = deviceDescriptor->iSerialNumber; IOUSBHostFreeDescriptor(deviceDescriptor); } }

Is there a way to synchronously retrieve configuration information from the app or read configuration information from a file within the Start method of DriverKit? I have attempted to use OSMappedFile to read a file, but my driver crashes or I receive the error message "Sandbox: com.injection.epusbfilter.dext(20610) deny(1) file-read-data /private/tmp/driverkit_config.txt" in the console, even though I have set com.apple.security.app-sandbox to false. OSMappedFile *mappedFile; do { const char *path = "/private/tmp/cfg"; // 创建 OSMappedFile 实例 kern_return_t result = OSMappedFile::createFromPath(path, 0, 0, &mappedFile); if (result != KERN_SUCCESS) { Log("Failed to create and map the file."); ret = -1; break; } *size = mappedFile->size(); // 获取映射到内存中的数据 char *charData = reinterpret_cast<char *>(const_cast<void *>(mappedFile->data())); Log("get cfg:%s", charData); if (strlen(charData) > 0) { if (charData[0] == '1') { ret = 1; break; } } else { ret = -2; break; } } while(false); mappedFile->free();

I created a driver using DriverKit on Intel macOS 12.6.1 and Xcode 13.3. I enabled auto-manage signing, and set the signing certificate to 'Sign to Run Locally'. Then, I created a provision profile for the driver and selected my M1 test device. After installing the profile, I ran the app on the M1 device and successfully activated the driver. When I plugin the USB device, I can see the following log: DK: epusbfilter-0x100009dce::start(IOUSBHostInterface-0x10000946d) ok epusbfilter - init com.injection.epusbfilter.dext[57573] Corpse failure, too many 6 I also found a crash log ------------------------------------- Translated Report (Full Report Below) ------------------------------------- Process: com.injection.epusbfilter.dext [53185] Path: /Library/SystemExtensions/*/com.injection.epusbfilter.dext Identifier: com.injection.epusbfilter.dext Version: 1.0 (1) Code Type: ARM-64 (Native) Parent Process: launchd [1] User ID: 270 Date/Time: 2023-09-19 15:01:01.8502 +0800 OS Version: macOS 13.2 (22D49) Report Version: 12 Anonymous UUID: 5EB7EBD9-A435-FC45-73E6-C2C5844A8082 Time Awake Since Boot: 79000 seconds System Integrity Protection: disabled Crashed Thread: 1 Dispatch queue: Root Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Application Specific Information: abort() called Thread 0: 0 libsystem_kernel.dylib 0x1d5043b78 __semwait_signal_nocancel + 8 1 libsystem_c.dylib 0x1d4fcfec8 nanosleep$NOCANCEL + 212 2 libsystem_c.dylib 0x1d4fee204 sleep$NOCANCEL + 48 3 libdispatch.dylib 0x1d4f807b4 _dispatch_queue_cleanup2 + 200 4 libsystem_pthread.dylib 0x1d50fbc50 _pthread_tsd_cleanup + 132 5 libsystem_pthread.dylib 0x1d50f3220 _pthread_exit + 88 6 libsystem_pthread.dylib 0x1d50f4180 pthread_exit + 88 7 libdispatch.dylib 0x1d4f7bbcc dispatch_main + 128 8 DriverKit 0x1d4d33178 DriverExecutableMain + 84 9 dyld 0x104e95e50 start + 2544 Thread 1 Crashed:: Dispatch queue: Root 0 libsystem_kernel.dylib 0x1d5043720 __pthread_kill + 8 1 libsystem_pthread.dylib 0x1d50f40ec pthread_kill + 268 2 libsystem_c.dylib 0x1d5033cac abort + 180 3 DriverKit 0x1d4d5f890 panic + 256 4 DriverKit 0x1d4d5fa60 __assert_rtn + 88 5 DriverKit 0x1d4d60010 OSMetaClassBase::Invoke(IORPC) (.cold.1) + 44 6 DriverKit 0x1d4d32064 OSMetaClassBase::Invoke(IORPC) + 1396 7 DriverKit 0x1d4d32c5c Server(void*, mach_msg_header_t*, mach_msg_header_t*) + 520 8 DriverKit 0x1d4d3b420 uiomessage(void*) + 180 9 DriverKit 0x1d4d34694 uiomachchannel(void*, dispatch_mach_reason_t, dispatch_mach_msg_s*, int) + 380 10 libdispatch.dylib 0x1d4f8868c _dispatch_mach_msg_invoke + 472 11 libdispatch.dylib 0x1d4f74484 _dispatch_lane_serial_drain + 380 12 libdispatch.dylib 0x1d4f89620 _dispatch_mach_invoke + 852 13 libdispatch.dylib 0x1d4f74484 _dispatch_lane_serial_drain + 380 14 libdispatch.dylib 0x1d4f75130 _dispatch_lane_invoke + 436 15 libdispatch.dylib 0x1d4f7640c _dispatch_workloop_invoke + 1784 16 libdispatch.dylib 0x1d4f7ff5c _dispatch_workloop_worker_thread + 652 17 libsystem_pthread.dylib 0x1d50f5024 _pthread_wqthread + 404 18 libsystem_pthread.dylib 0x1d50fc678 start_wqthread + 8 Thread 2: 0 libsystem_pthread.dylib 0x1d50fc670 start_wqthread + 0 Thread 3: 0 libsystem_kernel.dylib 0x1d504401c __sigsuspend_nocancel + 8 1 libdispatch.dylib 0x1d4f808b4 _dispatch_sigsuspend + 48 2 libdispatch.dylib 0x1d4f80884 _dispatch_sig_thread + 56 Thread 1 crashed with ARM Thread State (64-bit): x0: 0x0000000000000000 x1: 0x0000000000000000 x2: 0x0000000000000000 x3: 0x0000000000000000 x4: 0xffffa0016a011948 x5: 0x0000000000000010 x6: 0x00006000010481b0 x7: 0x0000000000000000 x8: 0x725b4b6e56620c88 x9: 0x725b4b6f3d67bc88 x10: 0x00000000000001b0 x11: 0x0000600001048000 x12: 0x0000000000000090 x13: 0x00000000ffffff92 x14: 0x00000000000007fb x15: 0x0000000080636ffb x16: 0x0000000000000148 x17: 0x00000001d7176c60 x18: 0x0000000000000000 x19: 0x0000000000000006 x20: 0x0000000000004003 x21: 0x000000016b05b0e0 x22: 0x0000000000000000 x23: 0x00006000010480e8 x24: 0x0000600001048058 x25: 0xd200fde7d57ecca6 x26: 0x0000000000000085 x27: 0x000060000374c328 x28: 0x0000600001d4c000 fp: 0x000000016b059a90 lr: 0x00000001d50f40ec sp: 0x000000016b059a70 pc: 0x00000001d5043720 cpsr: 0x40001000 far: 0x0000600002c48000 esr: 0x56000080 Address size fault Binary Images: 0x1d503a000 - 0x1d5075fe3 libsystem_kernel.dylib (*) <60df52bd-fc1a-3888-b05b-24b44be3af15> /System/DriverKit/usr/lib/system/libsystem_kernel.dylib 0x1d4fc6000 - 0x1d5039fff libsystem_c.dylib (*) <eee04d9a-7574-3a74-8f4e-cfb05f89f7da> /System/DriverKit/usr/lib/system/libsystem_c.dylib 0x1d4f62000 - 0x1d4fadfff libdispatch.dylib (*) <4e310a5c-9629-305e-a1dd-6632bddd3362> /System/DriverKit/usr/lib/system/libdispatch.dylib 0x1d50ee000 - 0x1d50fdff3 libsystem_pthread.dylib (*) <c1ed564d-b480-3058-937e-b40c3d3df09d> /System/DriverKit/usr/lib/system/libsystem_pthread.dylib 0x1d4d27000 - 0x1d4d6b00d DriverKit (*) <839dc0a2-1e69-38e8-8bf5-ff0ecc531539> /System/DriverKit/System/Library/Frameworks/DriverKit.framework/DriverKit 0x104e90000 - 0x104f1bfff dyld (*) <fe8a9d9e-f65d-34ca-942c-175b99c0601b> /usr/lib/dyld Could anyone please help me with resolving this problem?

I created a driver using DriverKit on Intel macOS 12.6.1 and Xcode 13.3. I enabled auto-manage signing, and set the signing certificate to 'Sign to Run Locally'. Then, I created a provision profile for the driver and selected my M1 test device. After installing the profile, I ran the app on the M1 device and successfully activated the driver. However, when I tried to compile the project on M1 macOS 13.3 with Xcode 14.3.1, I encountered an error. It appears that DriverKit does not support the 'Sign to Run Locally' option on M1 devices. To resolve this issue, I switched to using the 'Apple Development' signing certificate. Unfortunately, even after making this change, I still received an error message regarding 'Sign to Run Locally' from the Xcode console. Both devices are logged in with the same developer account. Could you please advise me on how to resolve this problem? iig: #include <Availability.h> #include <DriverKit/IOService.iig> #include <DriverKit/IOUserClient.iig> //class OSAction; class epusbfilter: public IOService { public: virtual bool init() override; virtual kern_return_t Start(IOService * provider) override; virtual kern_return_t Stop(IOService * provider) override; virtual void free() override; virtual kern_return_t GetRegistryEntryID(uint64_t * registryEntryID) override; }; cpp: #include <os/log.h> #include <DriverKit/IOUserServer.h> #include <DriverKit/IOLib.h> #include <USBDriverKit/IOUSBHostInterface.h> #include <USBDriverKit/IOUSBHostPipe.h> #include "epusbfilter.h" #define Log(fmt, ...) os_log(OS_LOG_DEFAULT, "epusbfilter - no super," fmt "\n", ##__VA_ARGS__) struct epusbfilter_IVars { IOUSBHostInterface *interface; IOUSBHostPipe *inPipe; OSAction *ioCompleteCallback; IOBufferMemoryDescriptor *inData; uint16_t maxPacketSize; }; bool epusbfilter::init() { bool result = false; Log("init"); result = super::init(); return result; } void epusbfilter::free() { super::free(); Log("free"); } kern_return_t IMPL(epusbfilter, Start) { kern_return_t ret; Log("Start"); ret = Start(provider, SUPERDISPATCH); return ret; } kern_return_t IMPL(epusbfilter, Stop) { kern_return_t ret = kIOReturnSuccess; Log("Stop"); ret = Stop(provider, SUPERDISPATCH); return ret; } kern_return_t IMPL(epusbfilter, GetRegistryEntryID) { Log("GetRegistryEntryID"); return GetRegistryEntryID(registryEntryID, SUPERDISPATCH); } info.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>IOKitPersonalities</key> <dict> <key>epusbfilter</key> <dict> <key>CFBundleIdentifier</key> <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string> <key>CFBundleIdentifierKernel</key> <string>com.apple.kpi.iokit</string> <key>IOProviderClass</key> <string>IOUSBHostInterface</string> <key>IOClass</key> <string>IOUserUserClient</string> <!-- <key>IOResourceMatch</key>--> <!-- <string>IOKit</string>--> <key>IOUserClass</key> <string>epusbfilter</string> <key>IOUserServerName</key> <string>com.injection.epusbfilter.dext</string> <key>bConfigurationValue</key> <integer>1</integer>--> <key>bInterfaceNumber</key> <integer>0</integer> <key>idVendor</key> <string>*</string> <key>idProduct</key> <string>*</string> <key>UserClientProperties</key> <dict> <key>IOClass</key> <string>IOUserUserClient</string> <key>IOUserClass</key> <string>epusbfilter</string> </dict> </dict> </dict> </dict> </plist> entitlemens: <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>com.apple.developer.driverkit</key> <true/> <key>com.apple.developer.driverkit.transport.usb</key> <array> <dict> <key>idVendor</key> <string>*</string> <key>idProduct</key> <string>*</string> </dict> </array> </dict> </plist>

I have a requirement where I need to monitor writes/reads from arbitrary USB devices. Can I do it with USBDriverKit?

I'v used command sudo kextutil -v /Library/Extensions/mykext but got error: Error Domain=KMErrorDomain Code=71 "Kernel request failed: (libkern/kext) not loadable (reason unspecified) (-603946989)" UserInfo={NSLocalizedDescription=Kernel request failed: (libkern/kext) not loadable (reason unspecified) (-603946989)} and SIP is disabled mac@bogon ~ % csrutil status System Integrity Protection status: disabled. maybe, reset nvram is effective. is there anyone have known how to resolve it by other way?