Hi everyone,
We're trying to prepare a DriverKit App for a client test, and we've run into an unavoidable signing conflict that seems to be caused by the Xcode Archive process itself.
Background & Environment:
- Environment: macOS 15.6.1, Xcode 16.4
- Our project consists of a main App Target and a DEXT Target.
- Both the
DebugandReleaseconfigurations for both targets are set to Xcode's default:Automatically manage signing. - Our developer account holds a valid, active
Developer ID Application (With Kext)certificate, which we use for signing our legacy KEXT.
The Action That Triggers Failure:
From this clean state, we execute Product -> Archive.
The Archive process fails during the signing validation phase and presents the following three errors, completely halting the process:
There is a problem with the request entity - You already have a current Developer ID Application Managed (With Kext) certificate...No profiles for 'com.company.Acxxx.driver' were found...No profiles for 'com.company.Acxxx.app' were found...
This error seems to indicate that the Xcode Archive process:
- Ignores the project's
Releaseconfiguration (even the default 'Auto' setting). - Attempts to automatically create a new, standard
Developer IDcertificate for us. - This action conflicts with the existing
(With Kext)certificate in our account, causing the entireArchiveprocess to fail.
The "Failed Experiment" to Resolve This:
To work around this automation conflict, we tried the solution: configuring a fully manual signing process for the Release configuration to explicitly tell Xcode to use our existing KEXT certificate.
- Our Steps: We disabled automatic signing for both the App and DEXT targets for the
Releaseconfiguration and manually assigned theDeveloper IDProvisioning Profiles created for ourDeveloper ID (With Kext)certificate. - The New Problem: After doing this, the
Signing Certificatefield for the DEXT Target'sSigning & Capabilitiesinterface now showsNone, accompanied by the misleading warning about needing aDriverKit development profile. - The Outcome: This
Noneissue now prevents us from even starting theArchiveprocess, as the project fails to build due to the incorrect signing configuration. We've tried every debugging step — including rebuilding profiles, validating the keychain, and clearing caches — but nothing resolves thisNoneissue.
Our Dilemma:
- State A (Fully Automatic Signing): The
Archiveprocess fails due to the KEXT certificate conflict. - State B (Manual Release Signing): The project fails to build due to the
Signing Certificate: Noneissue, preventing us from initiating anArchive.
For a development team holding a KEXT Developer ID certificate, how should an Xcode project be configured when migrating to DriverKit, so that the Archive process:
- Does not trigger the flawed automation logic that attempts to create a new certificate?
- And, does not fall into the
Signing Certificate: Noneconfiguration trap?
Related Forum Threads We've Studied:
- https://developer.apple.com/forums/thread/781932
- https://developer.apple.com/forums/thread/751490
- https://developer.apple.com/forums/thread/767152
- https://developer.apple.com/forums/thread/721563
Best Reagrds,
Charles
Hi everyone,
After extensive testing and verification, we have finally resolved the persistent DriverKit archiving and signing errors.
The core issue lies in the fact that Xcode enforces distinctly different certificate requirements for DriverKit targets during the "Build Phase" versus the "Distribution Phase."
We are sharing our successful experience to help other developers facing the same trap.
💡 Core Conclusion
Do not attempt to configure the Distribution Profile directly in Xcode’s Target settings, as this will cause the build to fail.
The correct workflow is:
Use "Development Certificates (Auto)" during the Build/Archive phase, and only swap in the "Distribution Certificates (Manual)" during the Organizer Distribution phase.
🔍 Root Cause Analysis
The DriverKit Linker mandates linking against the Development SDK during the build phase.
If you force a manual Distribution Profile in Xcode’s "Signing & Capabilities" tab, Xcode will fail because it cannot find a matching development certificate (often resulting in errors like Signing Certificate: None), making it impossible to generate an Archive.
Step-by-Step Guide
Phase 1: Xcode Project Settings
- Go to the Signing & Capabilities tab of your DEXT Target.
- Check "Automatically manage signing".
- Ensure Xcode generates a
Team Provisioning Profile(Development) without errors.- Note: This step is crucial to satisfy the compiler's requirement for the Development SDK.
Phase 2: Generating the Archive
- Select
Product->Archive. - Since you are using Auto Signing (Development), the build should complete successfully and appear in the Organizer.
Phase 3: Organizer Distribution
- In the Organizer, click
Distribute App->Direct Distribution(or your preferred distribution method). - When asked for the signing method, you select "Manually manage signing".
- In the Profile selection screen:
- App Target: Select the corresponding App Distribution Profile.
- DEXT Target: Manually select the "DriverKit Distribution Profile" you created in the Developer Portal.
🛠 Verification
After exporting the App, use the following command to check the DEXT entitlements:
codesign -d --entitlements :- "Path/To/Your.app/Contents/Library/SystemExtensions/com.your.driver.dext"
Success Indicators:
- It includes your required hardware entitlements (e.g.,
com.apple.developer.driverkit.family.scsicontroller). - It does NOT include
com.apple.security.get-task-allow. (The absence of this flag confirms that the debug marker has been removed and successfully replaced with a production signature).
Hope this strategy saves everyone some valuable time!