Ah yes. A good case of RTFM! From the docs on AVAssetWriterInput::readyForMoreMediaData: Clients writing media data from a real-time source, such as an instance of AVCaptureOutput, should set the input's expectsMediaDataInRealTime property to YES to ensure that the value of readyForMoreMediaData is calculated appropriately. When expectsMediaDataInRealTime is YES, readyForMoreMediaData will become NO only when the input cannot process media samples as quickly as they are being provided by the client. If readyForMoreMediaData becomes NO for a real-time source, the client may need to drop samples or consider reducing the data rate of appended samples. In our case, the real time source is our render engine producing sweet graphics! We're in the VFX world and tend to get a little over-eager when we start a project. I had the stream at 4K without enough optimizations. In MV-HEVC we are doubling that up sort of). While our render cycle is fast enough, we haven't had enough optimization on the HLS tooling done and it was causing the readyForMoreMediaData to become NO. When you spam the adapter with buffers it's not ready for, it appears to hang and, AFAICT never return. For now we've have opted to drop the frames as required to stay up with the stream. /// Called every (1 / framerate) seconds (with a little wiggle) /// from our plugin interface void HLSInterface::writeFrame() { CMTime pts = CMTimeMake( m_frameIndex++ * m_frameRateDuration, m_frameRateScale ); if (![m_video readyForMoreMediaData]) { // We can't use this buffer, skip it for now. Ideally // this never happens but we can't trust the input // adapter not to explode if we overload it return; } // We can accept buffers, tagged or otherwise, so do // the thing // ... }

Thanks once again for all of your efforts! This has been quite valuable information. I think I should point out more details about our setup and why I believe this is causing us more headaches: All of our executables in the bundle generate a UI (three Qt applications). Due to the nature of macOS applications trying to boot multiple under the same Info.plist just isn't going to cut it no matter how we sign/validate it. We tried a cheeky hack of symlinking the parent directories within an ExecA.app/Contents/bin/ExecB.app/Contents/... folder (with a custom Info.plist and standalone entitlements) to see if we could spare library duplication but this fails with some humorous results. Perhaps this is doable in some other sense? For now, we're throwing this away and just generating three different .apps that will launch one-another. We're not sure how best to locate the other apps once deployed, but that's a bridge we'll cross soon. In the interest of knowledge for a future pass, is there a means of deploying an app-within-an-app that consumes the same frameworks/libraries without duplication?

Attempting to test this embedded profile and just getting more lost it seems. After changing the entitlements for exec_a (based on the App.app bundle) to: com.apple.application-identifier com.apple.developer.team-identifier com.apple.security.app-sandbox com.apple.security.cs.disable-library-validation com.apple.security.files.user-selected.read-write com.apple.security.network.client com.apple.security.network.server Where the value of the first is: <teamid>.com.<company>.<app> that matches the format we're expecting. And the team-identifier is <teamid> that matches our team. I've gone mad quadruple checking the values line up as expected based on your other posts on this forum. The exec_b entitlements are: com.apple.security.app-sandbox com.apple.security.cs.disable-library-validation com.apple.security.inherit Of which is based on the table you posted above. We then built manual profiles for both a Mac App Store and macOS Development profile that includes the cert that we're signing these things with. I've tried embedding either profile (one at a time) into the Contents folder as described in one of you posts and I fail to get results from either of them. Once done we can't launch anything anyone (I assume because of the bad profile/mixup of entitlements). With the embedded profile in the Contents directory we get an error in Console.app like: Only Development Provisioning Profiles can be installed in System Settings. Production Provisioning Profiles are imported within Xcode Perhaps this is because we're trying to run things not delivered by the Mac Store yet. It's confusing and unclear at each step. If I take out the profile, downloading them manually through Xcode, Console.app is giving us: Unsatisfied entitlements: com.apple.developer.team-identifier We're crashing and burning here.

Getting back to this! Thanks again or the detailed response. The ugly truth is we need exec_b to be run from exec_a and by thirdparty tools that might need to call up it's UI. Think of exec_a as a sort of launcher program that orchestrates exec_b instances it's called up but so too do other parts of our pipeline, potentially. [quote='831858022, DTS Engineer, /thread/778169?answerId=831858022#831858022'] Add com.apple.application-identifier and com.apple.developer.team-identifier to your App. [/quote] Where should this be put? In the entitlements.plist we use while signing App? If we're to test the .inherit entitlement to just get exec_a launching exec_b, you're describing something like: # codesign other binaries... (macdeployqt does much of this work) # Sign child exec codesign ... --entitlements=./entitle_child.plist .../exec_b # Then sign the App (including the com.apple.application... tags) codesign ... --entitlements=./entitle_app.plist .../App.app Apologies if I'm missing the mark here. App validation like this is a bit out of my wheelhouse and everything feels like a crash course at the moment. Extra Detail It's worth noting that we've submitted to TestFlight Internal well enough with each of the applications as their own app (e.g. exec_a is the primary executable in ExecA.app, exec_b in ExecB.app, etc.) without the additional entitlement changes. We've had users run and test those programs on their own. Does this mean the com.apple.application-identifier and other entitlement are purely for getting these extra executables to function?

Quinn! Thank you for your efforts and details. Your posts on this forum have been a lifesaver for those of us new to the world of Apple development/deployment. Current Entitlements Each of our executables require the same entitlements: com.apple.security.app-sandbox com.apple.security.cs.disable-library-validation com.apple.security.files.user-selected.read-write com.apple.security.network.client com.apple.security.network.server From the research into the articles you posted, it seems like these are all safe to inherit but I could be wrong about that! And if it's all going to TestFlight then I suppose it's restricted? The lib validation is disabled because we include a plugin ecosystem through Qt. I've tried adding the com.apple.security.inherit in our entitlements but am still seeing the same issue. Here's the entitlements for the exec_b (and exec_a) > codesign -d --entitlements - exec_b Executable=/Users/foo/src/SomeApp.app/Contents/MacOS/exec_b [Dict] [Key] com.apple.security.app-sandbox [Value] [Bool] true [Key] com.apple.security.cs.disable-library-validation [Value] [Bool] true [Key] com.apple.security.files.user-selected.read-write [Value] [Bool] true [Key] com.apple.security.inherit [Value] [Bool] true [Key] com.apple.security.network.client [Value] [Bool] true [Key] com.apple.security.network.server [Value] [Bool] true Syslog I then moved through the Console.app and found that, upon launching the errant executable from the command line, this form of error is logged: Unable to get bundle identifier for container id exec_b: Unable to get bundle identifier because Info.plist from code signature information has no value for kCFBundleIdentifierKey. I assume this is due to trying to launch the non-default application in the bundle. Is there any means of spelling out this is a valid application without a snarly bundle and symlink web? Cheers

As mentioned in my ticket: The root of the issue appeared to be with the formation of the archive. I forced the archive to include an additional directory after Products (something I noticed other archives had) and the crash no longer occurred. The code sign didn't mind the original structure but once it came time to build the zip, an assert was triggered because it was expecting an additional directory. .xarchive/Products/MyApp.app Vs. .xarchive/Products/Applications/MyApp.app I would recommend an addition to the validation tooling to check for this malformed archive and fail sooner! Let me know that I have a bad orchestration. It was a real head scratcher for days!

Hey thanks for the followup. I've posted the bug on the feedback app. Ticket: FB16709928

Looking into the issue more, we see it crashing when attempting to zip the files after signing. Particularly any .so files that hide among the internals of the app. Not sure if that helps locate the issue any more but perhaps it's something about compressing the files that we're using - however that makes very little sense to me.