Codesign does not set correct entitlements

Question

My project consists of main application, an endpoint security extension and a findersync extension. When I try to build it in release mode, the findersync extension is getting built with entitlements of the main app and not one of its own. I am not seeing this issue for endpoint security. I am signing using a "Developer ID Application" signing identity.

When I look into the build logs I am seeing that --entitlement is used in code sign and the file which is passed as the argument also has the correct entitlement. When I tried manually running the codesign command with the --entitlement flag, I am still unable to get the correct entitlement.

Is there any difference in the way the codesign happens for the system extension and findersync? What changes do I need to make in order to get the correct entitlement?

Answer 1

• Are you sure the binary isn't already signed before you run codesign? It will silently avoid doing any work by default if the binary is already signed.
• Are you using an appropriate provisioning profile? Endpoint Security entitlements require a corresponding profile generated by Apple's systems.

If none of the above solves the problem, please edit your question to include more detail. The content of the entitlements file, your codesign command line, the output of the command you are using to verify the entitlements, etc. And: What exactly do you mean by

I am still unable to get the correct entitlement.