Entitlements for app accessing USB devices

Hi,

I'm trying to sign/notarize a command line application packaged as .pkg which accesses USB devices through libusb.

When nothing is signed/notarized, everything works like a charm and the command line tool can be started without elevated mode (sudo).

Once the binary, its libraries, and the .pkg are signed (hardened runtime set) and finally notarized/stapled with success, I noticed that, once the .pkg is installed, the bin/libs are owned by root:wheel. Nobody else can execute it. This means sudo is required to execute the tool, which is obviously not what I need to distribute the software to end-users...

As far as I understand, I must configure some entitlements when invoking the codesign command. Am I wrong?

If not, before struggling with them I need some advice about which one I should select:

  • com.apple.security.app-sandbox ?
  • com.apple.security.device.usb ?
  • com.apple.vm.device-access (?)
  • others ?

Thanks in advance for your help.

Accepted Reply

any advice is still welcome about the entitlements

Going through your list…

com.apple.security.app-sandbox is meant for apps, not command-line tools. If you’re distributing a standalone command-line tool — keeping in mind that you can’t do this via the Mac App Store and thus you must use independent distribution with Developer ID signing — you can’t use this.

com.apple.security.device.usb is only relevant if you’re sandboxed, which you can’t be per the previous point.

com.apple.vm.device-access is a managed entitlement, meaning that you need approval from Apple to use it. The entitlement is intended to be used by hypervisor apps that ship in the Mac App Store, and so is irrelevant to your product.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies

The issue was actually before invoking pkgbuild... the files did not have the expected permissions. Sorry for the noise.

BTW, any advice is still welcome about which entitlements might be interesting or important to set.
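Since the real cause was payload permissions rather than entitlements, here is an added example (not code from this thread or from Apple) of a pre-pkgbuild check for exactly that: Installer keeps the payload's mode bits and assigns root:wheel, so anything that is not world-readable, and any executable that is not world-executable, in the payload root will only be usable via sudo after install. It assumes the payload is laid out with the tool under a bin/ directory (for example usr/local/bin) and its libraries in a sibling lib/ directory; the directory layout and file names in the usage are constructed.

```shell
#!/bin/sh
# Added example: audit a pkgbuild payload root before packaging.
# Installer preserves the payload's mode bits (ownership becomes root:wheel),
# so mode 0700 in the payload means "root only" on the installed system.

# Print offending paths; return 1 if any were found, 0 otherwise.
check_payload_perms() {
    root="$1"
    status=0

    # Every directory below the root must be traversable by everyone.
    dirs=$(find "$root" -mindepth 1 -type d ! -perm -005)
    # Every regular file must be world-readable (dyld needs this for dylibs too).
    files=$(find "$root" -type f ! -perm -004)
    # Anything shipped under a bin/ directory must also be world-executable.
    execs=$(find "$root" -type f -path '*/bin/*' ! -perm -001)

    if [ -n "$dirs" ]; then printf 'not world-traversable:\n%s\n' "$dirs"; status=1; fi
    if [ -n "$files" ]; then printf 'not world-readable:\n%s\n' "$files"; status=1; fi
    if [ -n "$execs" ]; then printf 'not world-executable:\n%s\n' "$execs"; status=1; fi
    return "$status"
}

# Normalise the payload: read for all, exec where anything already had it,
# and force exec on everything under bin/.
fix_payload_perms() {
    root="$1"
    chmod -R a+rX "$root"
    find "$root" -type f -path '*/bin/*' -exec chmod a+x {} +
}

# Usage: sh check_payload_perms.sh /path/to/payload-root [--fix]
if [ -n "${1:-}" ]; then
    [ "${2:-}" = "--fix" ] && fix_payload_perms "$1"
    check_payload_perms "$1"
fi
```

Run it against the `--root` directory you hand to pkgbuild; a non-zero exit means the installed tool would need sudo.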
