macosiokitentitlementsdriverkitmacos-system-extension

How should provisioning profile with com.apple.developer.driverkit.userclient-access look?

Our request to get the entitlement com.apple.developer.driverkit.userclient-access to access our Driverkit driver with bundle id com.example.driver for the app with bundle id com.example.app was processed but we are not sure that we got the correct entitlements. When we generate a new provisioning profile for the app and inspect it the entitlements in the profile with security cms -D -i it says:

<key>Entitlements</key>
    <dict>
        <key>com.apple.developer.driverkit</key>
        <true/>
        <key>com.apple.developer.driverkit.userclient-access</key>
        <true/>
        <key>com.example.driver</key>
        <true/>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.application-identifier</key>
        <string>1234567890.com.example.app</string>
        <key>keychain-access-groups</key>   
        <array>
                <string>1234567890.*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>1234567890</string>
    </dict>

Reading here it looks like the com.apple.developer.driverkit.userclient-access key value should be an array instead of a boolean (a comment here indicates that com.apple.developer.driverkit.userclient-access can be a boolean, but that is only when the entitlements are for a dext communicating with another dext)

Is the above entitlements in the provisioning profile correct? If not, how should the entitlements be? It would be super helpful if someone could post the entitlements in the provisioning profile for an app that can communicate with a driverkit driver.

Solution

  • The com.apple.developer.driverkit.userclient-access key should indeed be an array of strings with the bundle IDs listed. This is what I've got in the .entitlements file for the app in my "demo" DriverKit project which I use for prototyping things:

    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.driverkit.userclient-access</key>
    <array>
        <string>eu.dennis-jordan.DemoDriver.DemoDriverExtension</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.temporary-exception.iokit-user-client-class</key>
    <array>
        <string>IOUserUserClient</string>
    </array>
</dict>
</plist>

    Note that this is a sandboxed app, so that's why com.apple.security.temporary-exception.iokit-user-client-class is also required.