knightsc / USBApp

A small test app that tries to load a USBDriverKit system extension
MIT License

Code Signing #1

Open mischievous opened 4 years ago

mischievous commented 4 years ago

How do I get the entitlement to get the application code signed?

mischievous commented 4 years ago

I have made some progress, one step forward two steps back.

I rebuilt the project using this as an example. I was able to set "Code Signing Identity" to "Sign to run locally", which let me get past Xcode.

Not when I run it from the console as root, or double-clicking on the application. The application starts. It attempts to activate the dext and I get this error message: "Invalid code signature or missing entitlements".

My SIP is disabled too:

```
demon:Contents alexandra$ csrutil status
System Integrity Protection status: disabled.
```

It feels like Apple is going backward to the 80's and 90's, where they had the OS so locked down no one could do anything and developers left in droves.

If I can't get my code developed and tested without paying Apple money, why continue to be frustrated with my computer?

Perhaps it's time to move to Linux.

Weinbery commented 4 years ago

Hi @mischievous, I got the same problem. Have you solved the problem?

Belcarra commented 4 years ago

I have a forked version here: https://github.com/stuartlynne/USBApp-updated

It should work when the project is built from the command line, SIP disabled. I think without entitlements.

You will need to modify the codesign.sh script with your signing identity (use security find-identity).

jzlka commented 4 years ago

Try these commands:

```sh
# Disable SIP
# Clone the repo
git clone https://github.com/knightsc/USBApp/
# Delete the entitlements file from the project settings
sed -i '' 's/CODE_SIGN_ENTITLEMENTS = .*/CODE_SIGN_ENTITLEMENTS = "";/' USBApp/USBApp.xcodeproj/project.pbxproj
# Fix the development team in the build settings and change the certificate to "run locally"
# Change the Derived Data location in the project settings to project-relative
# Build the project
# Sign the bundle and the sysx from the terminal
codesign --force -vvvv --entitlements USBApp/USBApp/USBApp.entitlements -s - USBApp.app
codesign --force -vvvv --entitlements USBApp/MyUserUSBInterfaceDriver/MyUserUSBInterfaceDriver.entitlements -s - USBApp.app/Contents/Library/SystemExtensions/sc.knight.MyUserUSBInterfaceDriver.dext
```

mischievous commented 4 years ago

@Weinbery nope. I manage our company's enterprise license, so I wasted a question asking Apple for help... Apple's response was that it was only possible in the beta version, and that once you are out of the beta version that introduced the dext it's no longer possible. I also requested an entitlement from Apple that was denied....

Now, before I bang my head and get annoyed again... Are @Belcarra and/or @TheKuko running a beta version of the Mac OS (OS X; am I the only one that dislikes the name macOS?)?

jzlka commented 4 years ago

@Weinbery nope, I'm running 10.15.4. The main steps to build the project are:

  1. delete the entitlement file in the project's settings
  2. set an ad-hoc certificate (or your Mac developer certificate) and personal team (or, if it is possible, no team; I do not remember)

After these two steps you should be able to comfortably build the project using Xcode. Then, in order to run/load it, it has to be signed with the correct entitlements (last two commands from my previous comment). With SIP disabled, the system sees that the project has the correct entitlements and is signed. It does not check if those entitlements are officially assigned to the account by Apple or not - thus you are able to run the code (moreover, it has to be in the /Applications folder so the OS doesn't kill it).

When you check the Console logs it complains about an invalid signature, but it loads the code and matches the specified USB drive. The logs are handy because you can see kextd and sysextd error messages.
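The comment above points at the sysextd and kextd log messages as the place to see why a dext did or did not load. As an added example (not code from this project or from any participant in the thread), here is a small Python script that triages the text printed by `log show --last 30m --predicate 'process == "sysextd" OR process == "kextd"'` and counts Error lines per process by a coarse cause, so the "Invalid code signature or missing entitlements" case is separated from approval, staging and matching problems. The column layout of `log show` output is an assumption of the regex, the cause labels are the script's own, and the sample log lines are constructed (only the signature error text comes from this thread).

```python
"""Triage sysextd/kextd lines from the macOS unified log.

Added example for this thread, not code from knightsc/USBApp. It reads the
text printed by
  log show --last 30m --predicate 'process == "sysextd" OR process == "kextd"'
(assumed column layout: timestamp, thread, type, activity, pid, ttl,
"process: message") and counts Error lines per process by a coarse cause.
The log lines in SAMPLE_LOG are constructed; only the signature error text
comes from this thread.
"""
import re
import sys
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<thread>0x[0-9a-fA-F]+)\s+(?P<type>\w+)\s+"
    r"(?P<activity>0x[0-9a-fA-F]+)\s+(?P<pid>\d+)\s+(?P<ttl>\d+)\s+"
    r"(?P<process>[^:]+):\s*(?P<message>.*)$"
)

# (label, substring) pairs; the first match wins. The labels are this
# example's own vocabulary, not sysextd's.
CAUSES = [
    ("signature_or_entitlements", "invalid code signature"),
    ("signature_or_entitlements", "missing entitlements"),
    ("user_approval", "approval"),
    ("staging", "staging"),
    ("matching", "match"),
]

# Constructed sample in the assumed `log show` layout.
SAMPLE_LOG = """\
2020-06-16 06:23:01.100000+0200 0x2f31  Default  0x0  345  0  sysextd: [com.apple.sx:default] activating sc.knight.MyUserUSBInterfaceDriver
2020-06-16 06:23:01.200000+0200 0x2f31  Error    0x0  345  0  sysextd: [com.apple.sx:default] sc.knight.MyUserUSBInterfaceDriver: Invalid code signature or missing entitlements
2020-06-16 06:23:02.000000+0200 0x2f40  Error    0x0  345  0  sysextd: [com.apple.sx:default] sc.knight.MyUserUSBInterfaceDriver: waiting for user approval
2020-06-16 06:23:05.000000+0200 0x1a00  Error    0x0  120  0  kextd: no matching personality for IOUSBHostDevice
"""


def parse_line(line: str):
    """Split one log line into its fields, or return None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(message: str) -> str:
    """Map a log message to one of the CAUSES labels (case-insensitive substring match)."""
    low = message.lower()
    for label, needle in CAUSES:
        if needle in low:
            return label
    return "other"


def triage(log_text: str, processes=("sysextd", "kextd")) -> dict:
    """Return {process: Counter(cause -> count)} over Error-type lines of the given processes."""
    result = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["type"] != "Error":
            continue
        proc = rec["process"].strip()
        if proc not in processes:
            continue
        result.setdefault(proc, Counter())[classify(rec["message"])] += 1
    return result


if __name__ == "__main__":
    # Pipe `log show ...` output in, or run without input to see the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for proc, counts in sorted(triage(text).items()):
        for cause, n in counts.most_common():
            print(f"{proc:8} {cause:26} {n}")
```

Run it as `log show --last 30m --predicate 'process == "sysextd" OR process == "kextd"' | python3 triage.py`; a non-zero `signature_or_entitlements` count for sysextd is the symptom this thread is about, while counts under `matching` point at the IOKitPersonalities side discussed further down.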

Belcarra commented 4 years ago

I am using 10.15.4 for both development system and test system.


-- Belcarra Embedded USB Software Stuart_Lynne sl@belcarra.com 604-461-7532 Alternates: 604-283-7475 and 604-518-1749(cell) http://usblan.belcarra.com http://www.belcarra.com

gokily commented 4 years ago

I am not sure it is related to this but I have an issue with user approval. I can run this app and the updated one, get the dialog but when I click on the activate button I do not get the user approval popup. I get error "The operation couldn't be completed. (OSSystemExtensionErrorDomain error 8.)"

Have you guys encountered this error?

gokily commented 4 years ago

I resolved my issue by using another Developer ID

khampton353 commented 4 years ago

Has anyone been successful getting the code to match and run a USB device? As far as I can tell the transport.usb entitlement is wrong. It should be an array of dictionaries not a boolean.

Belcarra commented 4 years ago

Yes. I think my fork works. YMMV. https://github.com/stuartlynne/USBApp-updated

Also I have my own test code that has the entitlements set up the same way.

N.B. I am testing with SIP (System Integrity Protection) disabled.


jzlka commented 4 years ago

You can also use this script to build the code. I can see the extension is loaded using systemextensionsctl list command and I also can see its running process, and that it is enabled in sysextd logs. But, I do not see its debug messages anywhere in the system even if I add new ones using IOLog.

Although I see the driver's running process and the loaded extension, I cannot confirm it matches against the USB even though the device does not mount. I think there is some race with virtual machine drivers or something because sometimes the device is not added to the I/O Registry at all and sometimes is not mounted even if I deactivate Scott's driver.

khampton353 commented 4 years ago

@Belcarra are you also testing with a Sandisk Cruzer? I don't have one and can't seem to get what I do have to match.

Can you reconcile the example using a boolean entitlement with this: https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_driverkit_transport_usb?language=objc (Type: Array of dictionaries)

I can get my dext to activate with no errors. But it doesn't start because there is not a device match.

@TheKuko 'systemextensionsctl developer on' will eliminate the problem of having to copy the application to run it.

Belcarra commented 4 years ago

I use a Raspberry Pi 4 setup so I can test with any configuration I need for the Gadget USB.

You can also look at this https://github.com/pqrs-org/Karabiner-DriverKit-VirtualHIDDevice for another DriverKit project that builds and loads, although not with USB.


jzlka commented 4 years ago

It would not be for the first time the documentation was wrong :P. Check for example /System/Library/DriverExtensions/AppleUserHIDDrivers.dext; it has an IOKitPersonalities dictionary with device IDs.

And you are right, you can see the dictionary in the entitlements file using codesign -d --ent :- -vvvv /System/Library/DriverExtensions/AppleUserHIDDrivers.dext command. Hard to believe I did not notice it when I was checking Apple driver's entitlements before. However, I'm not sure if it is required, the documentation is not very clear about what keys are mandatory. It says "During its search for drivers, the system uses information from the IOKitPersonalities key of each driver’s Info.plist file to identify potential matches." ... CFBundleIdentifier, IOClass, IOUserClass, IOUserServerName, IOProviderClass ... "In addition to the minimum set of keys, include additional keys in the personality dictionary that are specific to your IOService subclasses. ". In case of IOUserHIDEventService, both VendorID and ProductID are voluntary (which, I guess, is an equivalent to IOKit's wildcard?). PCI drivers use an array as well and its documentation says "You also use the keys defined by this entitlement in your app’s Info.plist, to identify which devices your driver loads on.". Maybe yesterday's WWDC presentation about PCI drivers will help?

@Belcarra can you confirm your driver is matched and works? Do you see any logs or something?

Belcarra commented 4 years ago

Yes, I can get loaded and see messages in the log file.

In my experience, the system is not reliable for loading, unloading, etc. So I remove the app, extensions and reboot between each test, and ensure that the device is not plugged in when the extension is activated (and allowed after unlocking in Security pane of system preferences). Even then about 1 in 4 or 5 tests the match fails. This is of course a lot better if you have two Macs, one for development and one for testing.

```sh
#!/bin/bash
rm -rf /Applications/top-musblan.app /Applications/USBApp.app
# This appears to do the same as:
# systemextensionsctl reset
echo 'ROOTPASSWD' | sudo -S rm -rf /Library/DriverExtensions/ /Library/SystemExtensions/ /Library/SystemExtensions/.staging
echo 'ROOTPASSWD' | sudo -S reboot
```

I use a python package for Raspbian that I wrote (pip3 install gadgetconfig), it simplifies setting up Gadget and allows for soft-disconnect and soft-connect (via ssh) so I can manage the replug without physically changing it.


Belcarra commented 4 years ago

I'm still trying to understand the other Info.plist requirements, but I think the matching for USB is the same as before.

This is a good summary of how USB matching works for Mac OS.

http://mirror.informatimago.com/next/developer.apple.com/qa/qa2001/qa1076.html


jdv85 commented 4 years ago

> Has anyone been successful getting the code to match and run a USB device? As far as I can tell the transport.usb entitlement is wrong. It should be an array of dictionaries not a boolean.

This thread on StackOverflow might be useful: https://stackoverflow.com/questions/61634176/how-to-set-com-apple-developer-driverkit-transport-usb-entitlement.

jquirke commented 1 year ago

I have found the entitlement for com.apple.developer.driverkit.transport.usb is problematic as of 12.6; I have even found (despite internet advice) that the idProduct may be required as well:

```xml
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.driverkit</key>
    <true/>
    <key>com.apple.developer.driverkit.transport.usb</key>
    <array>
        <dict>
            <key>idVendor</key>
            <integer>xxxx</integer>
            <key>idProduct</key>
            <integer>yyyy</integer>
        </dict>
    </array>
</dict>
</plist>
```

That being said, I still cannot get it to match all of the time.
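Three comments in this thread turn on the shape of the signed entitlements: khampton353's observation that com.apple.developer.driverkit.transport.usb should be an array of dictionaries rather than a boolean, jzlka's `codesign -d --ent :- -vvvv <bundle>` command for dumping what is actually signed, and jquirke's report that idProduct may be needed alongside idVendor on 12.6. As an added example (not code from this project or from any participant), here is a Python linter that takes the plist `codesign -d --entitlements :- -vvvv <bundle>` prints, or the headered blob from the colon-less form, and reports those problems. The key names idVendor/idProduct are taken from the thread, the sample plists are constructed, and running it against a real bundle only works on macOS where `codesign` exists.

```python
"""Lint the entitlements of a DriverKit dext bundle.

Added example for this thread, not code from knightsc/USBApp. It checks that
com.apple.developer.driverkit.transport.usb is an array of dictionaries (not a
boolean) and that each dictionary carries integer idVendor/idProduct. Input is
what `codesign -d --entitlements :- -vvvv <bundle>` prints; the samples below
are constructed and the key names are assumed from the thread.
"""
import plistlib
import subprocess
import sys

DRIVERKIT_KEY = "com.apple.developer.driverkit"
USB_KEY = "com.apple.developer.driverkit.transport.usb"
ID_KEYS = ("idVendor", "idProduct")
ENTITLEMENTS_BLOB_MAGIC = b"\xfa\xde\x71\x71"  # CSMAGIC_EMBEDDED_ENTITLEMENTS

PLIST_HEAD = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
    b'<plist version="1.0"><dict>\n'
    b"<key>com.apple.developer.driverkit</key><true/>\n"
)
PLIST_TAIL = b"</dict></plist>\n"
USB_KEY_XML = b"<key>" + USB_KEY.encode() + b"</key>"

# Constructed samples: the boolean form, the array-of-dictionaries form, and
# an array entry that lacks idProduct.
BOOLEAN_FORM = PLIST_HEAD + USB_KEY_XML + b"<true/>\n" + PLIST_TAIL
ARRAY_FORM = (
    PLIST_HEAD + USB_KEY_XML + b"<array><dict>\n"
    b"<key>idVendor</key><integer>1234</integer>\n"
    b"<key>idProduct</key><integer>5678</integer>\n"
    b"</dict></array>\n" + PLIST_TAIL
)
MISSING_PRODUCT = (
    PLIST_HEAD + USB_KEY_XML + b"<array><dict>\n"
    b"<key>idVendor</key><integer>1234</integer>\n"
    b"</dict></array>\n" + PLIST_TAIL
)


def strip_blob_header(data: bytes) -> bytes:
    """Drop the 8-byte blob header that `--entitlements -` (no colon) leaves in front of the XML."""
    if data.startswith(ENTITLEMENTS_BLOB_MAGIC):
        return data[8:]
    return data


def lint_entitlements(data: bytes) -> list:
    """Return human-readable findings; an empty list means the plist looks sane."""
    findings = []
    try:
        ent = plistlib.loads(strip_blob_header(data))
    except Exception as exc:  # not a plist at all (e.g. codesign's error text)
        return [f"cannot parse entitlements: {exc}"]
    if not isinstance(ent, dict):
        return ["entitlements root is not a dictionary"]
    if ent.get(DRIVERKIT_KEY) is not True:
        findings.append(f"{DRIVERKIT_KEY} missing or not <true/>")
    usb = ent.get(USB_KEY)
    if usb is None:
        findings.append(f"{USB_KEY} missing")
    elif isinstance(usb, bool):
        findings.append(f"{USB_KEY} is a boolean; Apple documents it as an array of dictionaries")
    elif not isinstance(usb, list):
        findings.append(f"{USB_KEY} has type {type(usb).__name__}, expected array")
    else:
        for i, entry in enumerate(usb):
            if not isinstance(entry, dict):
                findings.append(f"{USB_KEY}[{i}] is not a dictionary")
                continue
            for key in ID_KEYS:
                value = entry.get(key)
                if value is None:
                    findings.append(f"{USB_KEY}[{i}] lacks {key}")
                elif isinstance(value, bool) or not isinstance(value, int):
                    findings.append(f"{USB_KEY}[{i}].{key} should be an integer, got {value!r}")
    return findings


def lint_bundle(path: str) -> list:
    """Dump the signed entitlements of a bundle with codesign (macOS only) and lint them."""
    proc = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", "-vvvv", path],
        capture_output=True, check=False)
    return lint_entitlements(proc.stdout)


if __name__ == "__main__":
    # With a bundle path: lint the real thing. Without: show the boolean-form sample.
    findings = lint_bundle(sys.argv[1]) if len(sys.argv) > 1 else lint_entitlements(BOOLEAN_FORM)
    for f in findings:
        print("finding:", f)
    print("ok" if not findings else f"{len(findings)} finding(s)")
```

Run it as `python3 lint_dext.py USBApp.app/Contents/Library/SystemExtensions/sc.knight.MyUserUSBInterfaceDriver.dext` after the two `codesign --force` commands from earlier in the thread; it reads the signature that was actually applied, not the .entitlements file in the source tree, so a stale or wrong `--entitlements` argument shows up here before sysextd rejects the load.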