I work for a company which develops, as part of our product suite, a System Extension implementing an Endpoint Security client.
Our local developer workflow for testing and validating changes is to build locally with Developer certificates (not a legitimate/production Developer ID certificate) and deploy local builds into a VM, where, to get the System Extension to load and be accepted, we need to disable SIP & AMFI.
macOS 27 VM is refusing to allow me to disable SIP.
Is there an alternate approach we can use for this workflow to allow macOS VMs to accept our software when signing with a (same teamID, but different certificate to the provisioning profile) developer certificate for local validation?
Our local developer workflow for testing and validating changes is to build locally with Developer certificates (not a legitimate/production Developer ID certificate) and deploy local builds into a VM. Where to get the System Extension to load and be accepted, we need to disable SIP & AMFI.
If you've been granted the entitlement, why aren't you just signing for development with the entitlement?
Development builds ONLY run on machines that were attached to the account at the time the profile was generated (which is fine, as I believe you should be able to register VMs), so the pool of machines is so limited that you don't really need to worry/care about builds running in the wrong place.
Also, as a side note, I'd appreciate you filing a bug asking us to introduce a "Development Only" entitlement variant for Endpoint Security, then posting the bug number back here. That way any team (not just teams that have been approved for the entitlement) can use the entitlement in development builds. That's the same approach DriverKit uses and it's completely eliminated the whole SIP/AMFI issue you're dealing with.
Is there an alternate approach we can use for this workflow to allow macOS VMs to accept our software when signing with a (same teamID, but different certificate to the provisioning profile) developer certificate for local validation?
I specifically said "development" above, but you could also sign for ad hoc or TestFlight distribution. Basically, if your team has been granted the entitlement, I don't see any reason you HAVE to disable SIP.
__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
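As an added illustration of the development-signing route described in the reply above (example material, not files from the original poster or from Apple): a minimal entitlements plist for a development-signed Endpoint Security system extension. The Endpoint Security entitlement key is the real one; the file name, the `get-task-allow` line (normally present in development-signed code so a debugger can attach) and any team identifier are assumptions for the example. For the signature to be accepted without disabling SIP, the embedded provisioning profile must be a development profile that was generated after the test VMs were registered to the account and that carries this same entitlement.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Entitlement that lets the extension act as an Endpoint Security client.
         It is only honoured when the embedded provisioning profile grants it. -->
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
    <!-- Assumed for this example: a development build that a debugger may attach to.
         Leave this out of Developer ID / production builds. -->
    <key>get-task-allow</key>
    <true/>
</dict>
</plist>
```

Sign the extension bundle with the team's Apple Development certificate and this file, e.g. `codesign --force --options runtime --entitlements ESClient.entitlements --sign "Apple Development: <name>" <path-to-extension>`, with the matching development `.provisionprofile` embedded in the bundle. Before loading the build in the VM, confirm that the entitlement actually made it into the signature with `codesign -d --entitlements - <path-to-extension>` and that the embedded profile lists the VM's hardware identifier under `ProvisionedDevices` with `security cms -D -i <path-to-profile>`; a mismatch between the two is the usual reason a development-signed extension is rejected even though the team holds the entitlement.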