How to sign a DEXT

Kevin's Guide to DEXT Signing

The question of "How do I sign a DEXT" comes up a lot, so this post is my attempt to describe both what the issues are and what the best current solutions are. So...

The Problems:

  1. When DEXTs were originally introduced, the recommended development signing process required disabling SIP and local signing. There is a newer, much simpler process that's built on Xcode's integrated code-signing support; however, that newer process has not yet been integrated into the documentation library. In addition, while the older flow still works, many of the details it describes are no longer correct due to changes to Xcode and the developer portal.

  2. DriverKit's use of individually customized entitlements is different from the other entitlements on our platform, and Xcode's support for it is somewhat incomplete and buggy. The situation has improved considerably over time, particularly as of Xcode 15 and Xcode 16, but there are still issues that are not fully resolved.

To address #1, we introduced "development" entitlement variants of all DriverKit entitlements. These entitlement variants are ONLY available in development-signed builds, but they're available on all paid developer accounts without any special approval. They also allow a DEXT to match against any hardware, greatly simplifying working with development or prototype hardware which may not match the configuration of a final product.

Unfortunately, this also means that DEXT developers will always have at least two entitlement variants (the public development variant and the "private" approved entitlement), which is what then causes the problem I mentioned in #2.

The Automatic Solution:

If you're using Xcode 16 or above, then Xcode's Automatic code sign support will work for all DEXT Families, with the exception of distribution signing the PCI and USB Families.

For completeness, here is how that Automatic flow should work:

If you've been approved for one of these entitlements, the one oddity you'll see is that adding your approved capability will add both the approved AND the development variant, while deleting either will delete both. This is a visual side effect of #2 above; however, aside from the exception described below, it can be ignored.

Similarly, you can sign distribution builds by creating a build archive and then exporting the build using the standard Xcode flow.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware

Signing a distribution USB or PCI DEXT

The issues described above mean that the standard Xcode GUI flow cannot be used to directly export a distribution release of a USB or PCI DEXT. Here is the flow I've found that will work:

Note: The instructions below reference macOS-specific documentation, but the flow I'm describing was actually tested using an iOS project.

  1. Start by building the final version of your DEXT.

  2. On the portal, generate and download a provisioning profile for whatever environment you're going to try to build. Generate a profile for both the DEXT and the app it will be embedded in.

  3. Rename the DEXT profile you downloaded in #2 to "embedded.provisionprofile".

  4. Show the package contents of your DEXT and replace the existing "embedded.provisionprofile" (the development profile) with the file from #3 (the release profile).

  5. Use this command to resign the DEXT with the final entitlement configuration you'll be shipping. See the "Sign each code item" section of "Creating distribution-signed code for macOS" for more detailed guidance on constructing this command.

  codesign -s <signing cert name> -f --timestamp -o runtime --entitlements <release entitlement.plist path> <dext path>

  6. Configure your release project to use manual code signing and the app profile you downloaded in #2.

  7. Add the DEXT you resigned in #5 into your shipping project.

  8. Configure the "Copy Files" build phase to copy the DEXT as a System Extension.

  9. Archive the build.

  10. Use the Organizer to distribute the build to the same environment as the profile you generated in #2.

Note: The flow above relies on the fact that Xcode is using the DEXT's signing configuration "as is" instead of attempting to resign it. That means you'll need to go through the entire flow above for every build type you need to export (App Store, Mac App Store, Developer ID, Ad Hoc, etc.).

Debugging Export Failures

It is VERY likely that step #10 will fail, saying the entitlements don't match. This occurs because the entitlements.plist file you used in #5 did not EXACTLY match the configuration of the profiles Xcode needs/expects. This happens because you either:

  1. Didn't include "all" the necessary entitlements.

  2. Didn't get the entitlement configuration exactly right.

You can debug these issues using two tools:

  • The "Show Logs" button in the Xcode organizer will show you the detailed logs from Xcode. In my test, the issues were in "IDEDistribution.verbose.log", near the end of the log. Searching for "match" will get you to the entry, and replacing "\n" with a newline character will make the output readable. Add whatever entitlements are missing from this logging to correct #1 (I was missing several).

  • You can use the instructions found here to view the signing configuration of your archived build. This will let you sort out issues like format types (I had several issues here as well).

Note that in both cases the solution will involve changing the entitlement.plist configuration used in #5 above, NOT the provisioning profile. Quoting myself:

"One thing to be aware of here is that Xcode has a "bias" in the way it presents codesign errors where it assumes the Entitlement.plist is "correct" and the profile is "wrong". However, in practice that's basically "never" the case with DriverKit entitlements and tends to lead to a lot of "flailing" trying to somehow "fix" the provisioning profile..."

In practice, that means changes to the provisioning profile should only be necessary if the entitlement was granted with an incorrect configuration, in which case you'd need to submit a new entitlement request to get that issue corrected.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
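To make the "entitlements don't match" failure above easier to pin down before you archive, here is an added Python check. It is my addition, not code from the post or from Apple: it slices the plist payload out of a provisioning profile and compares the release entitlements plist from step #5 against the Entitlements the profile actually grants, reporting keys the plist lacks, keys the profile does not grant, and keys whose value type differs (the "format type" problems mentioned above). The entitlement values, the application-identifier value and the com.example.placeholder.entitlement key are constructed sample data.

```python
import plistlib

# Constructed sample data (not from the post): a profile that grants the DriverKit
# entitlements in one form, and a release entitlements plist that gets them wrong.
# "com.example.placeholder.entitlement" is a placeholder key, not a real entitlement.
PROFILE_ENTITLEMENTS = {
    "application-identifier": "TEAMID.com.example.dext",  # constructed value
    "com.apple.developer.driverkit": True,
    "com.apple.developer.driverkit.transport.usb": [{"idVendor": 4660}],  # array of matches
}
RELEASE_ENTITLEMENTS = {
    "com.apple.developer.driverkit": True,
    "com.apple.developer.driverkit.transport.usb": True,  # wrong type: bool, not array
    "com.example.placeholder.entitlement": True,  # not granted by the profile
}

def extract_profile_plist(raw: bytes) -> dict:
    """Read the plist payload of a .provisionprofile. The file is a CMS-signed blob,
    but the plist sits inside it as plain XML, so slicing '<?xml' .. '</plist>' is
    enough for debugging (this does not verify the profile's signature)."""
    start = raw.index(b"<?xml")
    end = raw.index(b"</plist>", start) + len(b"</plist>")
    return plistlib.loads(raw[start:end])

def compare_entitlements(release: dict, profile: dict) -> dict:
    """Report the three ways the release plist can fail to match the profile:
    keys the profile grants but the plist lacks, keys the plist claims but the
    profile does not grant, and keys present in both with a different value type."""
    granted = profile.get("Entitlements", {})
    return {
        "missing": sorted(k for k in granted if k not in release),
        "not_granted": sorted(k for k in release if k not in granted),
        "type_mismatch": sorted(k for k in release
                                if k in granted and type(release[k]) is not type(granted[k])),
    }

def build_constructed_profile(entitlements: dict) -> bytes:
    """Fake profile bytes: filler around the plist stands in for the real CMS wrapper."""
    body = plistlib.dumps({"Name": "Constructed DEXT profile", "Entitlements": entitlements})
    return b"\x30\x82CONSTRUCTED-CMS-HEADER" + body + b"CONSTRUCTED-SIGNATURE"

def example_report() -> dict:
    """Run the comparison on the constructed sample above."""
    profile = extract_profile_plist(build_constructed_profile(PROFILE_ENTITLEMENTS))
    release = plistlib.loads(plistlib.dumps(RELEASE_ENTITLEMENTS))
    return compare_entitlements(release, profile)
```

On a real project, pass the plist you used in #5 and the profile from #3: compare_entitlements(plistlib.load(open("release.plist", "rb")), extract_profile_plist(open("embedded.provisionprofile", "rb").read())).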
