How to use a provisioning profile without Xcode

Question

Created Feb ’22

Replies 2

Boosts 0

Views 2.7k

Participants 2

We have a new application I'm writing that uses the endpoint security entitlement. The profile seems to be something we can set up via xcode, but we are not using xcode. We use custom makefiles and manually codesign. When we try to use this entitlement, it fails to load with this error:

Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements:

It appears that this is most likely because we aren't using a provisioning profile, but instead, just using codesign to set hardening and the endpoint security entitlement.

I have not found any information about how to fix this, and I am relatively new to apple osx development, so any help would be appreciated!

Boost

Answer 1

DTS Engineer OP

Apple

Feb ’22

Accepted Answer

There are two issues here:

If you’re building a daemon, rather than a system extension, you need to put it in an app-like structure. See Signing a Daemon with a Restricted Entitlement.
If you’re building outside of Xcode, you have to package and sign your code correctly. This can be quite a challenge. I have a number of DevForums posts and documents that can help, referenced below, but in many case your best option is to create a dummy Xcode project, use it to build the code, and then look at what it built and how it build it (you can find build transcripts in the Report navigator).

Anyway, on the post and docs front:

Signing a Mac Product For Distribution DevForums post
--deep Considered Harmful DevForums post
Manual Code Signing Example DevForums post
Placing Content in a Bundle
Embedding Nonstandard Code Structures in a Bundle
Notarizing macOS Software Before Distribution
Signing a Daemon with a Restricted Entitlement

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1

Answer 2

DTS Engineer OP

Apple

Feb ’22

Endpoint Security is an additional capability that you enable on your App ID using the developer web site. For the official docs on that, see Developer Account Help > Reference > Provisioning with managed capabilities, and specifically the Editing an App ID with additional capabilities for Xcode & Xcode Cloud section. My Using the Multicast Networking Additional Capability > New Process post has a bunch of extra details (albeit focused on a different additional capability, one that’s only available on iOS).

You wrote:

which my team is approved for

Make sure you read that approval response carefully. It seems that the ES approval folks often approve an application for development only, not deployment. I learn that lesson the hard way via this thread )-:

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1