java, xcode, code-signing, osx-yosemite

Code signing issue with 3rd party lib


In my app I have a relatively long chain of libs that call each other, and starting with Yosemite part of its functionality is broken due to code signing problems. This all worked nicely on Mavericks.

My Cocoa app uses Java to run a separate code part, which is necessary to access a Java library (hbci4java.jar). This library then uses JNI to call a wrapper dylib I provide to access the PCSC.framework of the system (smartcard).

Since Yosemite this doesn't work anymore, probably because of this:

28.10.14 15:29:17,096 com.apple.ctkpcscd[40978]: Refusing sandboxed PCSC.framework client without com.apple.security.smartcard entitlement

So far so easy. I added this smartcard entitlement to the app's entitlements as well as those I have for Java (there's a separate java.entitlements file) - to no avail.

I'm now kinda stuck without knowing how to proceed. The smartcard entitlement is nowhere mentioned, so I don't know what to set actually (I used a bool and YES), nor where exactly that must be set.

Is it possible to add an entitlement to a 3rd party library? I would like to try adding it to the wrapper dylib (which is signed by me) to see if it can then access the PCSC.framework properly?


Solution

  • As it turned out this is a very special problem involving the smartcard dylib. Apple decided not to allow access to it outside of a signed app (which is a nuisance during development, we only sign the app in the deployment phase). Signing the Java binaries (jar + dylib) did not make a difference, but without entitlements + signing at all for the Java files we got further (no problems anymore with signing subcomponents).

    Another problem that plays a role here is that it looks like the inheritance of the smartcard entitlement doesn't work (which makes this not working well for sandboxed apps either). With a simple pure cocoa application, accessing the smartcard works however, so we need a different solution here (probably moving the access layer for the smartcard into the application and communicate with the Java part via callbacks).
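
The following is an added example, not code from the question or the answer: a small audit that reads each component's entitlements plist (for instance as printed by `codesign -d --entitlements :- <path>`) and reports the conditions discussed above. The component names and plist contents are constructed samples, and the function names are hypothetical.

```python
import plistlib

SANDBOX = "com.apple.security.app-sandbox"
SMARTCARD = "com.apple.security.smartcard"   # key named in the ctkpcscd log line
INHERIT = "com.apple.security.inherit"


def audit_entitlements(plist_bytes):
    """Return a list of findings for one signed component's entitlements."""
    # An empty blob means the component was signed without entitlements.
    ent = plistlib.loads(plist_bytes) if plist_bytes else {}
    findings = []
    # The value must be a plist boolean <true/>, not a string such as "YES".
    if SMARTCARD in ent and ent[SMARTCARD] is not True:
        findings.append("smartcard key present but not boolean true")
    # The condition the log message complains about.
    if ent.get(SANDBOX) is True and ent.get(SMARTCARD) is not True:
        findings.append("sandboxed without smartcard entitlement")
    # The answer reports that the smartcard entitlement was not inherited.
    if ent.get(INHERIT) is True:
        findings.append("relies on sandbox inheritance")
    return findings


# Constructed sample entitlements for the chain described in the question.
SAMPLES = {
    "MyApp.app": plistlib.dumps({SANDBOX: True, SMARTCARD: True}),
    "java helper": plistlib.dumps({SANDBOX: True, INHERIT: True}),
    "wrapper.dylib": b"",
    "string-valued.app": plistlib.dumps({SANDBOX: True, SMARTCARD: "YES"}),
}


def audit_all(samples):
    """Audit every component and return {name: findings}."""
    return {name: audit_entitlements(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```
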