This repository was archived by the owner on Oct 31, 2023. It is now read-only.

Description
Right now, if a binary needs restricted entitlements, then a host should have a provisioning profile installed or the "app" should embed it. Otherwise an error like the following will occur and macOS will kill the binary:
taskgated-helper Disallowing tart because no eligible provisioning profiles found
mac_vnode_check_signature: tart: code signature validation failed fatally: When validating tart:
Code has restricted entitlements, but the validation of its code signature failed.
I found this piece of documentation:
Some macOS products, like daemons and command-line tools, ship as a standalone executable. A standalone executable can’t claim a restricted entitlement because there’s no place to embed the provisioning profile that authorizes that claim. If your standalone executable needs to do this, wrap it in an app-like structure. For an example of this, see Signing a Daemon with a Restricted Entitlement.
The "If your standalone executable needs to do this, wrap it in an app-like structure." part is very concerning for just distributing binaries.
I haven't yet figured out how to embed a provisioning profile with a binary, so I decided to create this issue/feature request to surface the use case and see if someone has experienced it.
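
The app-like wrapping that the quoted Apple documentation describes, as an added example that is not part of the issue or of the project's own code. The function names, the bundle identifier, the paths and the signing identity are caller-supplied assumptions; the layout follows the standard macOS bundle convention of carrying the profile at `Contents/embedded.provisionprofile`.

```shell
#!/bin/sh
# Added example, not from the issue or the project. wrap_in_app and sign_app
# are hypothetical helper names; every argument is supplied by the caller.

# wrap_in_app TOOL PROFILE BUNDLE_ID OUT_DIR
# Builds OUT_DIR/<tool>.app so the provisioning profile ships with the binary.
wrap_in_app() {
    tool=$1 profile=$2 bundle_id=$3 out_dir=$4
    name=$(basename "$tool")
    app="$out_dir/$name.app"

    [ -f "$tool" ] || { echo "missing executable: $tool" >&2; return 1; }
    [ -f "$profile" ] || { echo "missing profile: $profile" >&2; return 1; }

    mkdir -p "$app/Contents/MacOS" || return 1
    cp "$tool" "$app/Contents/MacOS/$name" || return 1
    chmod 755 "$app/Contents/MacOS/$name"
    # macOS bundles carry the profile at this fixed path inside Contents/.
    cp "$profile" "$app/Contents/embedded.provisionprofile" || return 1

    # CFBundleIdentifier has to match the App ID the profile was issued for.
    cat > "$app/Contents/Info.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>$bundle_id</string>
    <key>CFBundleExecutable</key><string>$name</string>
    <key>CFBundleName</key><string>$name</string>
    <key>CFBundlePackageType</key><string>APPL</string>
    <key>CFBundleVersion</key><string>1</string>
    <key>CFBundleShortVersionString</key><string>1.0</string>
</dict>
</plist>
EOF
    echo "$app"
}

# sign_app APP IDENTITY ENTITLEMENTS_PLIST  (macOS only; requires codesign)
sign_app() {
    command -v codesign >/dev/null 2>&1 || { echo "codesign not found" >&2; return 1; }
    # Sign the bundle as a whole, after the profile is in place, then verify it.
    codesign --force --options runtime --entitlements "$3" --sign "$2" "$1" &&
        codesign --verify --strict --verbose=2 "$1"
}
```

The signed executable then runs from `<tool>.app/Contents/MacOS/<tool>`, so a command-line distribution can expose it on `PATH` through a symlink into the bundle rather than by copying the bare binary out of it.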