NSNolan

Launch Daemon Embedded in Application Will Not Launch - Launch Constraint Violation

I have a macOS application with an embedded launch daemon that exposes an XPC service. The launch daemon successfully registers with launchd using the ServiceManagement API:

% launchctl print system/com.nsnolan.LockerRoomDaemon                       
system/com.nsnolan.LockerRoomDaemon = {
    active count = 0
    path = (submitted by smd.303)
    type = Submitted
    state = spawn scheduled

    program identifier = Contents/MacOS/LockerRoomDaemon (mode: 2)
    parent bundle identifier = com.nsnolan.LockerRoom
    parent bundle version = 1
    BTM uuid = <redacted>
    default environment = {
        PATH => /usr/bin:/bin:/usr/sbin:/sbin
    }

    environment = {
        XPC_SERVICE_NAME => com.nsnolan.LockerRoomDaemon
    }

    domain = system
    minimum runtime = 10
    exit timeout = 5
    runs = 83
    last exit code = 78: EX_CONFIG

    endpoints = {
        "com.nsnolan.LockerRoomDaemon" = {
            port = 0xfaaab
            active = 0
            managed = 1
            reset = 0
            hide = 0
            watching = 0
        }
    }

    spawn type = interactive (4)
    jetsam priority = 40
    jetsam memory limit (active) = (unlimited)
    jetsam memory limit (inactive) = (unlimited)
    jetsamproperties category = daemon
    submitted job. ignore execute allowed
    jetsam thread limit = 32
    cpumon = default
    job state = spawn failed
    probabilistic guard malloc policy = {
        activation rate = 1/1000
        sample rate = 1/0
    }

    properties = partial import | supports transactions | resolve program | needs LWCR update | has LWCR
}

I have signed both the application and launch daemon with the same developer certificate with the same (but redacted) team identifier:

% codesign -d --verbose=4 /User/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app
Executable=/User/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app/Contents/MacOS/LockerRoom
Identifier=com.nsnolan.LockerRoom
Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20400 size=50938 flags=0x0(none) hashes=1581+7 location=embedded
VersionPlatform=1
VersionMin=918016
VersionSDK=918528
Hash type=sha256 size=32
CandidateCDHash sha256=<redacted>
CandidateCDHashFull sha256=<redacted>
Hash choices=sha256
CMSDigest=<redacted>
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=2703360
Executable Segment flags=0x1
Page size=4096
CDHash=<redacted>
Signature size=4792
Authority=Apple Development: [email protected] (<redacted>)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Jul 27, 2024 at 22:35:20
Info.plist entries=24
TeamIdentifier=<redacted>
Sealed Resources version=2 rules=13 files=4
Internal requirements count=1 size=196

codesign -d --verbose=4 /User/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app/Contents/MacOS/LockerRoomDaemon 
Executable=/User/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app/Contents/MacOS/LockerRoomDaemon
Identifier= com.nsnolan.LockerRoomDaemon
Format=Mach-O thin (arm64)
CodeDirectory v=20400 size=8353 flags=0x0(none) hashes=250+7 location=embedded
VersionPlatform=1
VersionMin=918016
VersionSDK=918528
Hash type=sha256 size=32
CandidateCDHash sha256=<redacted>
CandidateCDHashFull sha256=<redacted>
Hash choices=sha256
CMSDigest=<redacted>
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=409600
Executable Segment flags=0x1
Page size=4096
CDHash=<redacted>
Signature size=4792
Authority=Apple Development: [email protected] (<redacted>)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Jul 27, 2024 at 22:35:18
Info.plist=not bound
TeamIdentifier=<redacted>
Sealed Resources=none
Internal requirements count=1 size=204

The launch daemon is not configured to RunAtLoad. In an attempt to launch the daemon I send an XPC message from the application and observe the following log messages:

AMFI: Launch Constraint Violation (enforcing), error info: c[5]p[1]m[1]e[0], (Constraint not matched) launching proc[vc: 3 pid: 1948]: /User/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app/Contents/MacOS/LockerRoomDaemon, launch type 0, failure proc [vc: 3 pid: 1948]: /User/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app/Contents/MacOS/LockerRoomDaemon

ASP: Security policy would not allow process: 1948, /User/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app/Contents/MacOS/LockerRoomDaemon

And the following crash is reported:

Incident Identifier: 47BFEBAE-8BE8-443C-8705-EC7FB7269879
CrashReporter Key:   E7C56EE2-21DE-F362-2A8E-B971E1F74B69
Hardware Model:      MacBookPro18,3
Process:             LockerRoomDaemon [1761]
Path:                /Users/USER/Library/Developer/Xcode/DerivedData/LockerRoom-eyzvsjkjmatcbndmhghzrtcwfqqf/Build/Products/Debug/LockerRoom.app/Contents/MacOS/LockerRoomDaemon
Identifier:          LockerRoomDaemon
Version:             ???
Code Type:           ARM-64 (Native)
Role:                Default
Parent Process:      launchd [1]
Coalition:           com.nsnolan.LockerRoomDaemon [1209]

Date/Time:           2024-07-27 23:01:47.0847 -0500
Launch Time:         2024-07-27 23:01:46.9770 -0500
OS Version:          macOS 14.2 (23C64)
Release Type:        User
Report Version:      104

Exception Type:  EXC_CRASH (SIGKILL (Code Signature Invalid))
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: CODESIGNING 4 Launch Constraint Violation

If I disable SIP and use ad-hoc signing the daemon launches and handles XPC messaging as expected. What am I missing that is triggering AMFI to detect a launch constraint violation?

I am under the impression that a macOS app does not require a provisioning profile and the Xcode UI seems to prevent me from configuring one. As an experiment I have also tried signing the daemon with the same identifier as the application (using the "Other Code Signing Flags" setting in Xcode) but this did not resolve anything.

Upvotes: 2

Views: 103
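
An added example, not part of the original post: it parses the three artifacts quoted in the question (the `launchctl print` dump, the AMFI log line and the crash report's termination reason), checks that they refer to the same binary, and records what each one establishes. The inputs are constructed, abridged copies of the posted output with the path shortened, and the function names are this example's own; it correlates the evidence and does not determine which constraint failed.

```python
import re
# Constructed inputs: abridged from the outputs quoted in the question; path shortened to /tmp.
LAUNCHCTL = """\
system/com.nsnolan.LockerRoomDaemon = {
    program identifier = Contents/MacOS/LockerRoomDaemon (mode: 2)
    default environment = {
        PATH => /usr/bin:/bin:/usr/sbin:/sbin
    }
    runs = 83
    last exit code = 78: EX_CONFIG
    job state = spawn failed
    properties = partial import | supports transactions | resolve program | needs LWCR update | has LWCR
}
"""
AMFI = ("AMFI: Launch Constraint Violation (enforcing), error info: c[5]p[1]m[1]e[0], "
        "(Constraint not matched) launching proc[vc: 3 pid: 1948]: "
        "/tmp/LockerRoom.app/Contents/MacOS/LockerRoomDaemon, launch type 0, failure proc ...")
CRASH = "Termination Reason: CODESIGNING 4 Launch Constraint Violation"

def parse_launchctl(text):
    """Collect the indented 'key = value' scalars; skip '{' blocks and '=>' env lines."""
    job = {}
    for line in text.splitlines():
        m = re.match(r"\s+([^={}]+?)\s*=(?!>)\s*([^{]+)$", line)
        if m:
            job[m.group(1)] = m.group(2).strip()
    job["properties"] = [p.strip() for p in job.get("properties", "").split("|") if p.strip()]
    return job

def parse_amfi(line):
    """Split an AMFI launch-constraint denial into named fields, or return None."""
    m = re.search(r"Launch Constraint Violation \((\w+)\), error info: (\S+), \(([^)]*)\) "
                  r"launching proc\[vc: (\d+) pid: (\d+)\]: (.+?), launch type (\d+)", line)
    keys = ("mode", "error_info", "reason", "vc", "pid", "path", "launch_type")
    return dict(zip(keys, m.groups())) if m else None

def triage(launchctl_text, amfi_line, crash_line):
    """Tie the three artifacts to one job and report what each one establishes."""
    job, amfi = parse_launchctl(launchctl_text), parse_amfi(amfi_line)
    program = job.get("program identifier", "").split(" (")[0]
    return {
        "spawn_failed": job.get("job state") == "spawn failed",
        "last_exit": job.get("last exit code"),
        "has_lwcr": "has LWCR" in job["properties"],
        "amfi_enforcing": bool(amfi) and amfi["mode"] == "enforcing",
        "amfi_reason": amfi["reason"] if amfi else None,
        "same_binary": bool(amfi and program) and amfi["path"].endswith(program),
        "killed_for_constraint": "Launch Constraint Violation" in crash_line,
    }
```

Calling `triage(LAUNCHCTL, AMFI, CRASH)` returns a dictionary in which every boolean is true for the posted data, which confirms that launchd's failed spawn, the AMFI denial and the SIGKILL all describe the same launch of `LockerRoomDaemon`.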

Answers (0)
