I have a macOS application with an embedded launch daemon that exposes an XPC service. The launch daemon successfully registers with launchd using the ServiceManagement API:
% launchctl print system/com.nsnolan.LockerRoomDaemon
system/com.nsnolan.LockerRoomDaemon = {
active count = 0
path = (submitted by smd.303)
type = Submitted
state = spawn scheduled
program identifier = Contents/MacOS/LockerRoomDaemon (mode: 2)
parent bundle identifier = com.nsnolan.LockerRoom
parent bundle version = 1
BTM uuid = <redacted>
default environment = {
PATH => /usr/bin:/bin:/usr/sbin:/sbin
}
environment = {
XPC_SERVICE_NAME => com.nsnolan.LockerRoomDaemon
}
domain = system
minimum runtime = 10
exit timeout = 5
runs = 83
last exit code = 78: EX_CONFIG
endpoints = {
"com.nsnolan.LockerRoomDaemon" = {
port = 0xfaaab
active = 0
managed = 1
reset = 0
hide = 0
watching = 0
}
}
spawn type = interactive (4)
jetsam priority = 40
jetsam memory limit (active) = (unlimited)
jetsam memory limit (inactive) = (unlimited)
jetsamproperties category = daemon
submitted job. ignore execute allowed
jetsam thread limit = 32
cpumon = default
job state = spawn failed
probabilistic guard malloc policy = {
activation rate = 1/1000
sample rate = 1/0
}
properties = partial import | supports transactions | resolve program | needs LWCR update | has LWCR
}
I have signed both the application and launch daemon with a the same developer certificate with the same (but redacted) team identifier:
% codesign -d --verbose=4 /User/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app
Executable=/User/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app/Contents/MacOS/LockerRoom
Identifier=com.nsnolan.LockerRoom
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=50938 flags=0x0(none) hashes=1581+7 location=embedded
VersionPlatform=1
VersionMin=918016
VersionSDK=918528
Hash type=sha256 size=32
CandidateCDHash sha256=<redacted>
CandidateCDHashFull sha256=<redacted>
Hash choices=sha256
CMSDigest=<redacted>
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=2703360
Executable Segment flags=0x1
Page size=4096
CDHash=<redacted>
Signature size=4792
Authority=Apple Development: [email protected] (<redacted>)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Jul 27, 2024 at 22:35:20
Info.plist entries=24
TeamIdentifier=<redacted>
Sealed Resources version=2 rules=13 files=4
Internal requirements count=1 size=196
codesign -d --verbose=4 /User/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app/Contents/MacOS/LockerRoomDaemon
Executable=/User/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app/Contents/MacOS/LockerRoomDaemon
Identifier= com.nsnolan.LockerRoomDaemon
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=8353 flags=0x0(none) hashes=250+7 location=embedded
VersionPlatform=1
VersionMin=918016
VersionSDK=918528
Hash type=sha256 size=32
CandidateCDHash sha256=<redacted>
CandidateCDHashFull sha256=<redacted>
Hash choices=sha256
CMSDigest=<redacted>
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=409600
Executable Segment flags=0x1
Page size=4096
CDHash=<redacted>
Signature size=4792
Authority=Apple Development: [email protected] (<redacted>)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Jul 27, 2024 at 22:35:18
Info.plist=not bound
TeamIdentifier=<redacted>
Sealed Resources=none
Internal requirements count=1 size=204
The launch daemon is not configured to RunAtLoad. In attempt to launch the daemon I send an XPC message from the application and observe the following log messages:
AMFI: Launch Constraint Violation (enforcing), error info: c[5]p[1]m[1]e[0], (Constraint not matched) launching proc[vc: 3 pid: 1948]: /User/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app/Contents/MacOS/LockerRoomDaemon, launch type 0, failure proc [vc: 3 pid: 1948]: /User/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app/Contents/MacOS/LockerRoomDaemon
ASP: Security policy would not allow process: 1948, /User/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app/Contents/MacOS/LockerRoomDaemon
And the following crash is reported:
Incident Identifier: 47BFEBAE-8BE8-443C-8705-EC7FB7269879
CrashReporter Key: E7C56EE2-21DE-F362-2A8E-B971E1F74B69
Hardware Model: MacBookPro18,3
Process: LockerRoomDaemon [1761]
Path: /Users/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app/Contents/MacOS/LockerRoomDaemon
Identifier: LockerRoomDaemon
Version: ???
Code Type: ARM-64 (Native)
Role: Default
Parent Process: launchd [1]
Coalition: com.nsnolan.LockerRoomDaemon [1209]
Date/Time: 2024-07-27 23:01:47.0847 -0500
Launch Time: 2024-07-27 23:01:46.9770 -0500
OS Version: macOS 14.2 (23C64)
Release Type: User
Report Version: 104
Exception Type: EXC_CRASH (SIGKILL (Code Signature Invalid))
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: CODESIGNING 4 Launch Constraint Violation
If I disable SIP and use ad-hoc signing the daemon launches and handles XPC messaging as expected. What am I missing that is triggering AMFI to detect a launch constraint violation?
I am under the impression that a macOS app does not require a provisioning profile and the Xcode UI seems to prevent me from configuring one. As an experiment I have also tried signing the daemon with the same identifier as the application (using the “Other code signing flags” setting in Xcode) but this did not resolve anything. However it did result in a slightly different log output.