BREW MP needs signature file? - brew-framework

Qualcomm announced the new BrewMP OS. In earlier versions I downloaded signature files
to run the app on the device through App Loader. Is the signature file needed for BrewMP devices?
Can I check the app without signature files (downloading through ESN number)?

Yes, just like in BREW, you need a signature file to run a BrewMP application.
For a developer, there are two main types of signatures. A Test Enable signature ("test sig") is issued for a specific device for a limited time period, and enables the particular device to execute any application.
When the developer has finalized the app, the commercial code signature is issued. This sig will allow execution of the application on any BrewMP device that has the corresponding root signature installed.
More information about Code authorisation on BrewMP.

Related

Is there a way to add the Network Extensions capability to a macOS app without joining the Apple Developer Program?

I want to build a macOS app that filters specific network requests so I need to add the NetworkExtensions capability. But after I add a NetworkExtensions capability, I get the following message:
Your development team, "Potato Dev2", does not support the Network Extensions capability.
Image of where the above message is from: https://i.stack.imgur.com/H46gE.png
From Apple's documentation on "Adding Capabilities to Your App":
The platform, and whether you're a member of the Apple Developer Program, may limit the capabilities available to your app
The documentation doesn't explicitly say which capabilities require being a part of the Apple Developer Program. I also don't see why I'd need to be a part of the Apple Developer Program to write software on and for my own computer. Note that, at least to my knowledge, the NetworkExtensions capability does not depend on any service from Apple (as opposed to HealthKit or Game Center).
So is there a way to add a Network Extensions capability to a macOS app without joining the Apple Developer Program?
You should be able to do it if you disable system integrity protection (SIP) on your Mac (csrutil disable in the Terminal in the macOS Recovery Environment), and disable amfid's entitlements check by adding amfi_get_out_of_my_way=1 to the kernel's command line arguments. (Again in the recovery environment, nvram boot-args='amfi_get_out_of_my_way=1')
You will need to bypass Xcode when code signing and use the codesign command directly because Xcode performs the provisioning profile entitlements check, as you noticed. codesign itself does not perform this check.
This works for basically allowing just about anything to do with DriverKit system extensions, so I'd expect it to work with Network System Extensions as well.
I figured out the answer to my question: to write macOS software that uses the NetworkExtension APIs, you must be a member of the Apple Developer Program ($100/year). See https://developer.apple.com/support/app-capabilities/ for details.

How to run un-signed System Extensions in OSX catalina?

I'm trying to load SimpleFirewall, which is a system extension given by Apple, meant to demonstrate packet filtering capabilities.
The project compiles, but I get this error during run:
OSSystemExtensionErrorDomain error 8
Looked it up, it means -
Invalid code signature or missing entitlements
I have SIP disabled, and turned off code signing in the Xcode project. What else can I do to have this run? I don't have a developer ID, just testing the code.
As per Eskimo's answer on the Apple Developer Forums, you might, in addition to
disabling SIP and
enabling SYSX developer mode (systemextensionsctl developer on)
need to disable AMFI:
nvram boot-args="amfi_get_out_of_my_way=0x1"
This has to be done from the command line in Recovery Mode.
AFAIK you only need to do it if you don't have a developer provisioning profile with the com.apple.developer.endpoint-security.client entitlement.
Apple's Documentation on 'Debugging and Testing System Extensions' has some information on this subject.
In theory, disabling SIP should take care of the signing requirements. You may still need to sign the extension with a free Mac Developer certificate so that the entitlements can be embedded.
Are you trying to use the extension from outside an app? If so, the command
systemextensionsctl developer on
should help.
I have the same issue as #tuti.
I am testing a hello world System Extension based on DriverKit. I am using a free developer account, a Mac mini with Catalina, and Xcode 11 for development.
In Xcode, I set it not to sign my code for both the application and the system extension. I also disabled SIP and ran the command "systemextensionsctl developer on".
But when I load my system extension from the Swift application, it still shows me the log "The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 8.)". When I look up error 8, it means invalid signature. But on my computer, I can load an unsigned kernel extension normally.
So I don't know why. I think the OS still checks code signing for system extensions regardless of whether I disable SIP.
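Machines used for the SIP and AMFI workarounds discussed in the two threads above are easy to leave in that weakened state. The following added example (not from the original posts) is a small Python audit that parses the output of csrutil status and nvram boot-args and reports whether code-signing enforcement has been relaxed; the sample outputs are constructed, and treating a value of 0 as "off" is an assumption.

```python
import subprocess
import sys

AMFI_FLAG = "amfi_get_out_of_my_way"

# Constructed sample command output, used when not running on macOS.
SAMPLE_CSRUTIL = "System Integrity Protection status: disabled.\n"
SAMPLE_NVRAM = "boot-args\tamfi_get_out_of_my_way=0x1\n"

def sip_enabled(csrutil_output: str) -> bool:
    """Only a plain 'enabled' counts; 'disabled' or a custom configuration does not."""
    marker = "System Integrity Protection status:"
    _, found, rest = csrutil_output.partition(marker)
    words = rest.split()
    return bool(found and words) and words[0].rstrip(".").lower() == "enabled"

def amfi_disabled(nvram_output: str) -> bool:
    """True if boot-args carries the AMFI override with a non-zero value."""
    parts = nvram_output.split()
    if not parts or parts[0] != "boot-args":
        return False  # variable unset: nvram prints an error message instead
    for arg in parts[1:]:
        key, _, val = arg.partition("=")
        # Assumption: an empty value, 0 or 0x0 leaves AMFI enforcement on.
        if key == AMFI_FLAG and val.strip("\"'") not in ("", "0", "0x0"):
            return True
    return False

def audit(csrutil_output: str, nvram_output: str) -> list:
    """Return human-readable findings; an empty list means nothing was relaxed."""
    findings = []
    if not sip_enabled(csrutil_output):
        findings.append("SIP is not fully enabled")
    if amfi_disabled(nvram_output):
        findings.append("AMFI override present in boot-args")
    return findings

def _run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True).stdout

if __name__ == "__main__":
    if sys.platform == "darwin":
        results = audit(_run(["csrutil", "status"]), _run(["nvram", "boot-args"]))
    else:
        results = audit(SAMPLE_CSRUTIL, SAMPLE_NVRAM)
    print("\n".join(results) or "code-signing enforcement intact")
    sys.exit(1 if results else 0)
```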

Using WDK 10 to sign an existing DLL for Windows 10

I'm using a Cypress FX3 controller over USB 3 and I've had success with it on Windows 7 by modifying Cypress's driver .inf file to identify my device and then signing the driver package. Unfortunately, this method doesn't meet the more stringent signing requirements for drivers in Windows 10 [1].
I downloaded Windows' new WDK 10 and have been trying to go through the process of signing the driver with this new tool, but it doesn't seem to want to sign a pre-built DLL. Rather, it expects me to have source code files I can build into my own DLL, but I can't exactly expect Cypress to hand over their source code.
Does anyone know if signing an existing driver DLL is supported in WDK 10 or if that functionality has been removed to close a security loophole? Do I simply have to wait for Cypress to publish a driver compatible with Windows 10 v1607+?
For anyone wondering, I have already disabled secure boot and the driver signing verification on my machine for testing. The version 1.2.3 drivers from Cypress work with my device on Windows 10 except for the driver signing issue - but I would prefer if I didn't have to ask customers to disable secure boot in order to install the drivers for my device.
Thanks in advance,
Sheldon
[1] https://blogs.msdn.microsoft.com/windows_hardware_certification/2016/07/26/driver-signing-changes-in-windows-10-version-1607/
You can use SignTool to directly sign a DLL without needing to compile anything. I have never heard of a signed DLL being necessary in a driver, though. I wrote a big article about this stuff that you might find helpful.

Unable to install AppStore version directly to mobile device when using an iOS App Extension

At our company the process we execute normally is:
fix/implement
test ad-hoc version
create AppStore package
test that AppStore package by installing it directly through iTunes.
submit version to AppStore.
The reason why we need to test also the AppStore version is because some payment services wouldn't work if we didn't. So we need a real environment.
Prior to the inclusion of the iOS App Extension (sharing) we could do this process without issues, but now after doing the same process we can't do it anymore.
We can:
test the ad-hoc version by signing the app extension as ad-hoc.
create and submit the app store package.
However we can't install the app store version anymore, the error mentions that there are issues with the signature, more precisely:
(Entitlements found that are not permitted by provisioning profile)
Does anyone have any idea why this could be happening?
You really shouldn't be able to install the app store version on a physical device and run it.
It can work in certain scenarios (like if you had previously installed development builds on there and there was a valid development build on the device when you try to run the app store build). Maybe the device has the old app provisioning profile (which would not have the app extensions entitlement). The new one that is embedded with the app (and has the appropriate entitlements) is an App Store provisioning profile and is not valid for running directly on the device.
I would make a new build config in your project that is a copy of the Release config, except for only the code signing settings. That would allow you to run a build that will be exactly the production App Store build, except for the code signing settings.
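The error quoted in the question says the entitlements signed into the binary are not all granted by the provisioning profile. The following added example (not from the original posts) approximates that comparison in Python so a mismatch can be found before an install attempt; the team prefix, bundle IDs and the matching rules (exact match, trailing `*` wildcard, list subset) are assumptions for illustration.

```python
import plistlib

def value_permitted(signed, allowed):
    """True if one signed entitlement value is covered by the profile's value."""
    if isinstance(allowed, list):
        items = signed if isinstance(signed, list) else [signed]
        return all(any(value_permitted(s, a) for a in allowed) for s in items)
    if isinstance(allowed, str) and isinstance(signed, str) and allowed.endswith("*"):
        return signed.startswith(allowed[:-1])  # wildcard such as "TEAMID.*"
    return signed == allowed

def unpermitted_entitlements(signed_plist: bytes, profile_plist: bytes):
    """Keys signed into the binary that the profile does not grant."""
    signed = plistlib.loads(signed_plist)
    allowed = plistlib.loads(profile_plist).get("Entitlements", {})
    return sorted(k for k, v in signed.items()
                  if k not in allowed or not value_permitted(v, allowed[k]))

# Constructed sample data: hypothetical team prefix and bundle IDs.
EXTENSION_ENTITLEMENTS = plistlib.dumps({
    "application-identifier": "ABCDE12345.com.example.app.share",
    "com.apple.security.application-groups": ["group.com.example.app"],
    "get-task-allow": False,
})
# A profile issued for the main app only: no app group, wrong identifier.
APP_PROFILE = plistlib.dumps({"Entitlements": {
    "application-identifier": "ABCDE12345.com.example.app",
    "get-task-allow": False,
}})
# A profile that covers the extension through a wildcard identifier.
WILDCARD_PROFILE = plistlib.dumps({"Entitlements": {
    "application-identifier": "ABCDE12345.*",
    "com.apple.security.application-groups": ["group.com.example.app"],
    "get-task-allow": False,
}})

if __name__ == "__main__":
    print(unpermitted_entitlements(EXTENSION_ENTITLEMENTS, APP_PROFILE))
    print(unpermitted_entitlements(EXTENSION_ENTITLEMENTS, WILDCARD_PROFILE))
```

On a real build, the two inputs would come from `codesign -d --entitlements :-` run on the bundle and from `security cms -D -i` run on its embedded.mobileprovision.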

Publishing Mac App on App Store

We are developing an application for our client, and he wanted us to build the app so he can publish it on the Mac App Store.
As of now we don't have a Mac Developer ID, and we have received the App ID from the client.
My question is: is it possible to make a build using only the App ID?
I guess with App ID you mean something like "com.company.product".
Getting an Application for OS X to the App store is not an easy task (compared to iPhone/iPad).
To sign the App you need the public/private Key pair and a couple of certificates from your client.
The convenient way to upload the app to Apple is using Xcode.
Does the client use Xcode? If your client uses Xcode, then your client can do all the signing stuff. Then your client needs just the source code.
If your client needs a signed binary, then it's not obvious HOW he gets the app to the App Store. There is a tool which can be used to upload the binary: "Application Loader.app"
(Here is a similar SO question which describes the toolchain: How to submit an iOS app WITHOUT XCode?)
If you need to deliver your results to your client as a signed bundle then you need all Certificates from the client. Your code must have all entitlements set. Uploading this code without testing your entitlements on your local machine is like driving a car blindfolded.
However: If you need to deliver a signed binary to your client, then you need all certificates.
If you will distribute the code to the client, it's not a problem delivering an unsigned binary to the client. Apps can be executed without code signing. Even without a valid AppID your code may be executed.
If your client has knowledge about Mac development, this should be no problem. If your client doesn't know anything about Mac development, you should get access to his Mac Developer account and do it for him.
Conclusion: The AppID is just a string to identify the app. If your client does the code signing stuff and uploading to Apple by himself using Xcode, then you need nothing else.
If you should use iCloud or App-Sandboxing (Entitlements) then you NEED certificates from your client.
