CMIO Camera Extension Installation Error (Invalid code signature or missing entitlements)

Hi!

I'm trying to move from CoreMedio I/O DAL Plug-In to CoreMedia I/O camera extensions, announced in macOS 12.3. I created a test extension, placed it inside my app bundle into Contents/Library/SystemExtensions and signed with codesigning certificate. But when I try to install my extension from inside my app, using this code (Swift):

func installDriver() {

    guard let extensionIdentifer = DriverInstaller.extensionBundle().bundleIdentifier else {
        return
    }
    
    let activationReq = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: extensionIdentifer, queue: .main)

    activationReq.delegate = self
    
    OSSystemExtensionManager.shared.submitRequest(activationReq)

}

I'm getting an error:

OSSystemExtensionErrorDomain error 8: Code Signature Invalid which is rather generic. Can anybody tell me what I am doing wrong? Or at least propose some steps to find it out?

I'm posting here entitlements and codesign output for my extension and containing application for further information.

Executable=../Contents/Library/SystemExtensions/com..RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension [Dict] [Key] com.apple.security.app-sandbox [Value] [Bool] true [Key] com.apple.security.application-groups [Value] [Array] [String] 893K7MTL2H. com.. [Key] com.apple.security.device.camera [Value] [Bool] true

Executable=**********/Contents/MacOS/***** [Dict] [Key] com.apple.application-identifier [Value] [String] 893K7MTL2H.com..RoomDevice [Key] com.apple.developer.system-extension.install [Value] [Bool] true [Key] com.apple.developer.team-identifier [Value] [String] 893K7MTL2H [Key] com.apple.security.application-groups [Value] [Array] [String] 893K7MTL2H. com..********

Executable=***/Contents/MacOS/**** Identifier=com..RoomDevice Format=app bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=1345 flags=0x10000(runtime) hashes=31+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=3584714367d59119b462d0f830247d27ff1fbace CandidateCDHashFull sha256=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12 Hash choices=sha256 CMSDigest=3584714367d59119b462d0f830247d27ff1fbace53419d69abaa658fbb7a4f12 CMSDigestType=2 Launch Constraints: None CDHash=3584714367d59119b462d0f830247d27ff1fbace Signature size=4688 Authority=Developer ID Application: ****************(893K7MTL2H) Authority=Developer ID Certification Authority Authority=Apple Root CA Signed Time=01-Sep-2023 at 12:00:09 PM Info.plist entries=22 TeamIdentifier=893K7MTL2H Runtime Version=13.3.0 Sealed Resources version=2 rules=13 files=6 Internal requirements count=1 size=216

Executable=/Contents/Library/SystemExtensions/com.*****.RoomDevice.Extension.systemextension/Contents/MacOS/com..RoomDevice.Extension Identifier=com.******.RoomDevice.Extension Format=bundle with Mach-O universal (x86_64 arm64) CodeDirectory v=20500 size=3627 flags=0x10000(runtime) hashes=102+7 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=70580825016b7e262fb15c280ba380ad4e871bc1 CandidateCDHashFull sha256=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f Hash choices=sha256 CMSDigest=70580825016b7e262fb15c280ba380ad4e871bc108951adb8cd474d652567f4f CMSDigestType=2 Launch Constraints: None CDHash=70580825016b7e262fb15c280ba380ad4e871bc1 Signature size=4688 Authority=Developer ID Application: ************ Ltd. (893K7MTL2H) Authority=Developer ID Certification Authority Authority=Apple Root CA Signed Time=01-Sep-2023 at 12:00:05 PM Info.plist entries=22 TeamIdentifier=893K7MTL2H Runtime Version=13.3.0 Sealed Resources version=2 rules=13 files=0 Internal requirements count=1 size=224

Please anyone help. Thanks in advance!

Up vote post of Amallik Down vote post of Amallik
944 views
Posted by
Amallik
Reply
Add a Comment

Replies

which is rather generic.

Most errors like this an accompanied by more details in the system log. See Your Friend the System Log for details on how to look at that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Hi @eskimo , By checking system log , I am getting below mentioned error:-

<private>: request failed: Error Domain=OSSystemExtensionErrorDomain Code=8 UserInfo={NSLocalizedDescription=<private>}

Posted by
Amallik
Up vote reply of Amallik Down vote reply of Amallik
Add a Comment

Right. That’s exactly the error that’s being reported to you by the framework. My suggestion is that you look backward in the log for a more specific error being logged by the underlying infrastructure.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Hi, @eskimo Thanks for your reply.

But in Systemlog I have not gotten any other error.

Now I am facing another issue, when going for notrization getting below mentioned error.

"The signature does not include a secure timestamp."

Can you please help in resolving this issue.

Posted by
Amallik
Up vote reply of Amallik Down vote reply of Amallik
Add a Comment

Developer ID code must be signed with a secure timestamp [1]. It looks like yours isn’t, and hence the problem.

This is kinda weird because modern versions of codesign are aware of this requirement and always include a secure timestamp when signing with a Developer ID [2].

Regardless, the fix is simple: Add the --timestamp option to your code signing command.

For general advice as to how to signing a product outside of Xcode, see:

IMPORTANT I’m assuming that you’re manually signing your code because Xcode generally does the right thing here. If, however, you’re building with Xcode, we should investigate why Xcode isn’t signing your code correctly in the first place.

I have a suspicion that you’re using your Developer ID for day-to-day work. I recommend against that. Rather, use Apple Development for this sort of thing and reserve Developer ID for when you’re actually shipping code. See The Care and Feeding of Developer ID for more.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] This timestamp confirms that the signing identity was valid at the time of signing, which is critical aspect of Developer ID signing because it allows the system to continue trusting your app after your Developer ID signing certificate has expired.

[2] Consider this:

% cp /usr/bin/true true-AppleDev
% cp /usr/bin/true true-DevID   
% codesign -s "Apple Development" -f true-AppleDev
true-AppleDev: replacing existing signature
% codesign -s "Developer ID Application" -f true-DevID
true-DevID: replacing existing signature
% codesign -d -v true-AppleDev 
…
Signed Time=11 Sep 2023 at 10:34:36
…
% codesign -d -v true-DevID   
Executable=/Users/quinn/Test/true-DevID
…
Timestamp=11 Sep 2023 at 10:34:51
…

Re-signing the true tool with an Apple Development signing identity yields just a Signed Time property, which is the insecure timestamp. In contrast, re-signing with with a Developer ID yields a secure timestamp, Timestamp.

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Hi @eskimo Thanks for your quick reply.

I have one correction, I am signing my CameraExtension and app from Xcode using Developer ID not manually. After building an app, we are notrazing using the command.

Posted by
Amallik
Up vote reply of Amallik Down vote reply of Amallik
Add a Comment

I am signing my CameraExtension and app from Xcode using Developer ID not manually.

Cool. That certainly makes life easier. It doesn’t change my advice though: Use Apple Development for day-to-day development.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Hi @eskimo , Thanks for your help.

No, I am getting no error when the notarization process by just adding the "--timestamp" flag in the OTHER_CODE_SIGN_FLAGS value in the build setting.

My Notrazation is a success.

Now I am able to launch the App by developer ID Certificate, but now the problem is that:-

"My System Extension is of zero-byte at path /Library/SystemExtension "

All processes working fine but the extension is not loaded in the system due to zero-byte size.

Steps:-

  1. Launch my host App.
  2. System blocked pop-up shown.
  3. I allowed an extension from privacy.
  4. The OSSytemExtension manager gave me a message in a delegate that "my driver is activated".

But CameraExtension not showing in the Quicktime player list as a virtual Camera.

Can you Please help

Posted by
Amallik
Up vote reply of Amallik Down vote reply of Amallik
Add a Comment

No, I am getting no error when the notarization process by just adding the "--timestamp" flag in the OTHER_CODE_SIGN_FLAGS value in the build setting.

That shouldn’t be necessary. Xcode’s organiser workflows should do the right things when you upload or export with Developer ID signing.

As to this:

"My System Extension is of zero-byte"

I’ve no idea. I’ve done this sort of thing a bazillion times before [1] and never encounter anything like that. At this point I’m going to recommend that you open a DTS tech support incident so that I, or more likely my colleague who supports CMIO, can help you out one-on-one.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] With NE sysexes, not CMIO, but the install process is the same.

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment