Thanks for being a part of WWDC25!

How did we do? We’d love to know your thoughts on this year’s conference. Take the survey here

macOS 11.x system reported an error when using endpoint security

Code Signing Entitlements
guang_he
guang_he OP
Created Apr ’25
Replies 3
Boosts 0
Views 79
Participants 2

This is .entitlements file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
</dict>
</plist>

Code signing:

codesign --sign -vvv --timestamp --options=runtime --force --entitlements ./UES.entitlements  -s "Developer ID Application: XXXX Ltd. (XXXXXX)" ./UES.app

When I run it on macOS 13.x, it works fine. If I run the system on macOS 11.x, it reports a "killed" error (if codesign remove --entitlements ./UES.entitlements, Then the startup will not report an error, but the endpoint security rights cannot be used)

System log:

2025-04-21 13:58:27.039638+0800 0xd5941    Default     0x0                  149    0    amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050
2025-04-21 13:58:27.039762+0800 0xd5bbf    Default     0x0                  0      0    kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES:
2025-04-21 13:58:27.039815+0800 0xd5bbf    Default     0x0                  0      0    kernel: proc 29354: load code signature error 4 for file "UES"
2025-04-21 13:58:27.040720+0800 0xd5bc0    Default     0x0                  0      0    kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29354, /Applications/UES.app/Contents/MacOS/UES
2025-04-21 13:58:27.045974+0800 0xd58be    Error       0x0                  66405  0    CoreServicesUIAgent: [com.apple.launchservices:uiagent] handle LS launch error: {\n    Action = oapp;\n    AppMimimumSystemVersion = "10.13";\n    AppPath = "/Applications/UES.app";\n    ErrorCode = "-10826";\n}
2025-04-21 13:58:39.121619+0800 0xd5941    Default     0x0                  149    0    amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050
2025-04-21 13:58:39.121832+0800 0xd5e0f    Default     0x0                  0      0    kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES:
2025-04-21 13:58:39.121861+0800 0xd5e0f    Default     0x0                  0      0    kernel: proc 29415: load code signature error 4 for file "UES"
2025-04-21 13:58:39.122571+0800 0xd5e10    Default     0x0                  0      0    kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29415, /Applications/UES.app/Contents/MacOS/UES
2025-04-21 13:58:46.297915+0800 0xd5941    Default     0x0                  149    0    amfid: /Applications/UES.app/Contents/MacOS/UES signature not valid: -67050
2025-04-21 13:58:46.298031+0800 0xd5f85    Default     0x0                  0      0    kernel: mac_vnode_check_signature: /Applications/UES.app/Contents/MacOS/UES: code signature validation failed fatally: When validating /Applications/UES.app/Contents/MacOS/UES:
2025-04-21 13:58:46.298072+0800 0xd5f85    Default     0x0                  0      0    kernel: proc 29485: load code signature error 4 for file "UES"
2025-04-21 13:58:46.300248+0800 0xd5f86    Default     0x0                  0      0    kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 29485, /Applications/UES.app/Contents/MacOS/UES

May I ask what the reason is?

Answered by DTS Engineer in 837148022
This is .entitlements file:

Yeah, that’s a problem.

To understand what’s going on here, you need to understand that:

  • com.apple.developer.endpoint-security.client is a restricted entitlement.

  • Meaning that its use must be authorised by a provisioning profile.

See TN3125 Inside Code Signing: Provisioning Profiles for a lot more background on that.

For this to work, the system must be able to tie your code to your profile. It does this via the App ID entitlement [1]. You’re not including that in your entitlements and thus the system fails to associate your profile with your code, which prevents it from authorising the use of your entitlement.

Now, this works on macOS 12 and later because it added a special case to assume that a profile embedded in an app bundle is appropriate for that app. However, that’s not something you should rely on [2]. Rather, when signing with a restricted entitlement, always include the App ID and Team ID entitlements.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] application-identifier on iOS and its child platforms; com.apple.application-identifier on macOS.

[2] For example, apps distributed via TestFlight can run into the problem discussed in TestFlight, Provisioning Profiles, and the Mac App Store.

Replies  3
Boosts  0
Views  79
Participants  2
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Apr ’25
Accepted Answer
Recommended
This is .entitlements file:

Yeah, that’s a problem.

To understand what’s going on here, you need to understand that:

  • com.apple.developer.endpoint-security.client is a restricted entitlement.

  • Meaning that its use must be authorised by a provisioning profile.

See TN3125 Inside Code Signing: Provisioning Profiles for a lot more background on that.

For this to work, the system must be able to tie your code to your profile. It does this via the App ID entitlement [1]. You’re not including that in your entitlements and thus the system fails to associate your profile with your code, which prevents it from authorising the use of your entitlement.

Now, this works on macOS 12 and later because it added a special case to assume that a profile embedded in an app bundle is appropriate for that app. However, that’s not something you should rely on [2]. Rather, when signing with a restricted entitlement, always include the App ID and Team ID entitlements.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] application-identifier on iOS and its child platforms; com.apple.application-identifier on macOS.

[2] For example, apps distributed via TestFlight can run into the problem discussed in TestFlight, Provisioning Profiles, and the Mac App Store.

1
guang_he
guang_he OP
Apr ’25

Thank you. This is the directory structure of my App

.
└── Contents
    ├── Frameworks
    ├── Info.plist
    ├── MacOS
    │   ├── UES
    ├── Resources
    │   ├── UES.icns
    ├── _CodeSignature
    │   └── CodeResources
    └── embedded.provisionprofile

This sentence "always include the App ID and Team ID entitlements", I don 't quite understand. I haven't been learning macOS for long. May I ask what I should do? ^_^

0
Apple Staff, DTS Engineer
DTS Engineer OP
Apple
Apr ’25

Yeah, this stuff is complex )-: Let me clarify this by example.

My go-to suggestion for setting this up is to do what Xcode does. In fact, we have that in the official documentation, namely Signing a daemon with a restricted entitlement.

If you follow that process and build the test project with Xcode, you see this:

% codesign -d --entitlements - Test782415.app
…
[Dict]
	[Key] com.apple.application-identifier
	[Value]
		[String] SKMME9E2Y8.com.example.apple-samplecode.Test782415
	[Key] com.apple.developer.endpoint-security.client
	[Value]
		[Bool] true
	[Key] com.apple.developer.team-identifier
	[Value]
		[String] SKMME9E2Y8
	[Key] com.apple.security.get-task-allow
	[Value]
		[Bool] true
% security cms -D -i Test782415.app/Contents/embedded.provisionprofile | plutil -p -
{
  …
  "Entitlements" => {
    "com.apple.application-identifier" => "SKMME9E2Y8.com.example.apple-samplecode.Test782415"
    "com.apple.developer.endpoint-security.client" => 1
    "com.apple.developer.team-identifier" => "SKMME9E2Y8"
    "keychain-access-groups" => [
      0 => "SKMME9E2Y8.*"
    ]
  }
  …
}

Note how the ‘app’ is signed with the com.apple.application-identifier entitlement, and its value matches the value in the provisioning profile’s allowlist. This is what you’re aiming for.

Oh, and the Team ID (com.apple.developer.team-identifier) as well, just for completeness.

Now, this doesn’t mean that you need to build your product with Xcode. You are free to build your product with your existing build system. However, the final result should look like that shown above, that is:

  • Your daemon is in an app-like wrapper.

  • That wrapper has an embedded provisioning profile.

  • And the daemon is signed with the entitlements it needs (in this case com.apple.developer.endpoint-security.client) and the standard entitlements that link it to its profile (com.apple.application-identifier and com.apple.developer.team-identifier).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
macOS 11.x system reported an error when using endpoint security
First post date Last post date
 
 
Q