Reply to singing vpn app with Developer ID
I’ve lost you here. How does SecAccessCreate come into this? As I understand, it's used to create a shared keychain ACL object to store inside passwordReference so it can be shared between main app and the extension: https://github.com/PhilipDukhov/wireguard-apple/blob/master/WireGuard/Shared/Keychain.swift#L43 Without these lines it asks password two times to create a tunnel. And still not working with dev id (step 2)
Jul ’20
Reply to Convert app NE to system NE
I'm using NETunnelProviderManager. For app NE I was getting paths of both the app and the extension using SecTrustedApplicationCreateFromPath, and storing those inside NETunnelProviderProtocol.passwordReference.kSecAttrAccess. You can check it out here: https://github.com/PhilipDukhov/wireguard-apple/blob/abc9819357bdc89b3f073adff179cc8c3250dd06/WireGuard/Shared/Keychain.swift#L43-L72 I'd changed path to meet the system extension, but as SecTrustedApplicationCreateFromPath is deprecated, maybe there's another way?
Oct ’20
Reply to Convert app NE to system NE
No, it's still the original issue. I'm customizing a custom VPN protocol (WireGuard) app, and trying to distribute it under Developer ID. Sample config for a connection looks like this:
"""
[Interface]
PrivateKey = KDTZM/UpefTAosZmr75D4efcRrBYmbhSFguBye+692s=
Address = 10.19.49.15/24, fd9d:bc11:4021::f/48
DNS = 172.26.246.127, fd4d:5a50:c7b:ed79:dbf6:bd7b:ca:f67f

[Peer]
PublicKey = wabNFqEBREl8rfHzJiYKqu+PZ54cwYEz0OiJZCZLwX8=
PresharedKey = URrUUCS6Cg6TsgPTZmcYw5pyPpsIxJLnQ9+O9waZliE=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 66.42.59.203:51820
"""
Both config and info about extension path are stored inside passwordReference:
NETunnelProviderManager.protocolConfiguration.passwordReference = SecAccessCreate([
    kSecAttrAccess: SecAccessCreate(extensionPath, mainPath),
    kSecValueData: config
])
(it's not the real code, just the basic structure)
That's how tunnel connection gets created. I had to change this code, as system extension location is different from an app one. Also as system NE min deployment target is 10.15, these warnings appeared and that's why I think it may be a problem. I'd inspected all articles I've found about this issue and I think I'd updated all the needed entitlements, that's why I'm looking in other directions. Is there any sample app with a working system NE example? I haven't found one
Oct ’20
Reply to Convert app NE to system NE
I tried to clear passwordReference, it didn't help. I also found following method: activationRequestForExtension:queue:. I probably need to use it in order to use system extension? I tried it, and delegate returned an error:
Error Domain=OSSystemExtensionErrorDomain Code=9 "Invalid extension configuration in Info.plist and/or entitlements"
I checked entitlements with codesign -d --entitlements :- for both app and ext:

Executable=/Users/dukhovphilip/Library/Developer/Xcode/DerivedData/WireGuard-dxjzqlxikgrrenbizfcyqonlyzgv/Build/Products/Debug/Bubble SecurityCloud.app/Contents/MacOS/Bubble SecurityCloud
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>FVMDZDYX72.com.bubble.bubble-vpn</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>FVMDZDYX72</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>FVMDZDYX72.group.com.bubble.bubble-vpn</string>
    </array>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>

Executable=/Users/dukhovphilip/Library/Developer/Xcode/DerivedData/WireGuard-dxjzqlxikgrrenbizfcyqonlyzgv/Build/Products/Debug/Bubble SecurityCloud.app/Contents/Library/SystemExtensions/com.bubble.bubble-vpn.network-extension.systemextension/Contents/MacOS/com.bubble.bubble-vpn.network-extension
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>FVMDZDYX72.com.bubble.bubble-vpn.network-extension</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>FVMDZDYX72</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>FVMDZDYX72.group.com.bubble.bubble-vpn</string>
    </array>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>

and info.plists:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>ATSApplicationFontsPath</key>
    <string>.</string>
    <key>BuildMachineOSBuild</key>
    <string>20B29</string>
    <key>CFBundleDevelopmentRegion</key>
    <string>en</string>
    <key>CFBundleExecutable</key>
    <string>Bubble SecurityCloud</string>
    <key>CFBundleIconFile</key>
    <string>AppIcon</string>
    <key>CFBundleIconName</key>
    <string>AppIcon</string>
    <key>CFBundleIdentifier</key>
    <string>com.bubble.bubble-vpn</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>Bubble SecurityCloud</string>
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleShortVersionString</key>
    <string>1.2.7</string>
    <key>CFBundleSupportedPlatforms</key>
    <array>
        <string>MacOSX</string>
    </array>
    <key>CFBundleVersion</key>
    <string>202010031609</string>
    <key>DTCompiler</key>
    <string>com.apple.compilers.llvm.clang.1_0</string>
    <key>DTPlatformBuild</key>
    <string>12B45b</string>
    <key>DTPlatformName</key>
    <string>macosx</string>
    <key>DTPlatformVersion</key>
    <string>11.0</string>
    <key>DTSDKBuild</key>
    <string>20A2408</string>
    <key>DTSDKName</key>
    <string>macosx11.0</string>
    <key>DTXcode</key>
    <string>1220</string>
    <key>DTXcodeBuild</key>
    <string>12B45b</string>
    <key>ITSAppUsesNonExemptEncryption</key>
    <false/>
    <key>LSApplicationCategoryType</key>
    <string>public.app-category.utilities</string>
    <key>LSMinimumSystemVersion</key>
    <string>10.15</string>
    <key>LSMultipleInstancesProhibited</key>
    <true/>
    <key>LSUIElement</key>
    <true/>
    <key>NSHumanReadableCopyright</key>
    <string>Copyright © 2020 Bubble, Inc. All Rights Reserved.</string>
    <key>NSMainStoryboardFile</key>
    <string>Empty</string>
    <key>NSPrincipalClass</key>
    <string>NSApplication</string>
    <key>NSRequiresAquaSystemAppearance</key>
    <true/>
    <key>SMPrivilegedExecutables</key>
    <dict>
        <key>com.bubble.bubble-vpn.bubble-flexrouter-smjob</key>
        <string>anchor apple generic and identifier "com.bubble.bubble-vpn.bubble-flexrouter-smjob" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = FVMDZDYX72)</string>
    </dict>
</dict>
</plist>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>BuildMachineOSBuild</key>
    <string>20B29</string>
    <key>CFBundleDevelopmentRegion</key>
    <string>en</string>
    <key>CFBundleDisplayName</key>
    <string>WireGuardNetworkExtension</string>
    <key>CFBundleExecutable</key>
    <string>com.bubble.bubble-vpn.network-extension</string>
    <key>CFBundleIdentifier</key>
    <string>com.bubble.bubble-vpn.network-extension</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>com.bubble.bubble-vpn.network-extension</string>
    <key>CFBundlePackageType</key>
    <string>XPC!</string>
    <key>CFBundleShortVersionString</key>
    <string>1.2.7</string>
    <key>CFBundleSupportedPlatforms</key>
    <array>
        <string>MacOSX</string>
    </array>
    <key>CFBundleVersion</key>
    <string>202010031609</string>
    <key>DTCompiler</key>
    <string>com.apple.compilers.llvm.clang.1_0</string>
    <key>DTPlatformBuild</key>
    <string>12B45b</string>
    <key>DTPlatformName</key>
    <string>macosx</string>
    <key>DTPlatformVersion</key>
    <string>11.0</string>
    <key>DTSDKBuild</key>
    <string>20A2408</string>
    <key>DTSDKName</key>
    <string>macosx11.0</string>
    <key>DTXcode</key>
    <string>1220</string>
    <key>DTXcodeBuild</key>
    <string>12B45b</string>
    <key>ITSAppUsesNonExemptEncryption</key>
    <false/>
    <key>LSMinimumSystemVersion</key>
    <string>10.15</string>
    <key>NetworkExtension</key>
    <dict>
        <key>NEMachServiceName</key>
        <string>FVMDZDYX72.com.bubble.bubble-vpn.network-extension</string>
        <key>NEProviderClasses</key>
        <dict>
            <key>com.apple.networkextension.packet-tunnel</key>
            <string>macDevIDNetworkExtension.PacketTunnelProvider</string>
        </dict>
    </dict>
</dict>
</plist>

Those look valid to me. What have I missed? Are there any other tools that can help me with diagnosing?
Nov ’20
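
On the closing question about diagnostic tooling, an added example (not part of the original posts): a Python check that cross-references a system extension's entitlements with its Info.plist, run here on the extension values posted above. The three rules it encodes are this example's reading of Apple's NetworkExtension requirements and should be treated as assumptions; `check_sysex` and `load` are names made up for the example.

```python
import plistlib

# NEProviderClasses key -> base value of the networkextension entitlement
PROVIDER_ENTITLEMENT = {
    "com.apple.networkextension.packet-tunnel": "packet-tunnel-provider",
    "com.apple.networkextension.app-proxy": "app-proxy-provider",
    "com.apple.networkextension.filter-data": "content-filter-provider",
    "com.apple.networkextension.dns-proxy": "dns-proxy",
}

def check_sysex(ent, info):
    """Return mismatches between a system extension's entitlements and Info.plist."""
    findings = []
    team = ent.get("com.apple.developer.team-identifier", "")
    if ent.get("com.apple.application-identifier") != f"{team}.{info.get('CFBundleIdentifier')}":
        findings.append("application-identifier is not <team ID>.<CFBundleIdentifier>")
    granted = set(ent.get("com.apple.developer.networking.networkextension", []))
    ne = info.get("NetworkExtension", {})
    for cls in ne.get("NEProviderClasses", {}):
        base = PROVIDER_ENTITLEMENT.get(cls)
        # Developer ID builds carry the "-systemextension" variant of the value
        if base is None or not granted & {base, base + "-systemextension"}:
            findings.append(f"no networkextension entitlement covers {cls}")
    groups = ent.get("com.apple.security.application-groups", [])
    mach = ne.get("NEMachServiceName", "")
    # Assumed rule: the Mach service name starts with one of the app groups
    if not any(mach.startswith(g) for g in groups):
        findings.append(f"NEMachServiceName {mach} is not prefixed by an app group")
    return findings

def load(body):
    """Parse the <dict> body of an XML plist (bytes)."""
    return plistlib.loads(b'<plist version="1.0"><dict>' + body + b"</dict></plist>",
                          fmt=plistlib.FMT_XML)

# Extension values as posted above, reduced to the keys the checks read
ENT = load(b"""
<key>com.apple.application-identifier</key><string>FVMDZDYX72.com.bubble.bubble-vpn.network-extension</string>
<key>com.apple.developer.networking.networkextension</key><array><string>packet-tunnel-provider-systemextension</string></array>
<key>com.apple.developer.team-identifier</key><string>FVMDZDYX72</string>
<key>com.apple.security.application-groups</key><array><string>FVMDZDYX72.group.com.bubble.bubble-vpn</string></array>""")
INFO = load(b"""
<key>CFBundleIdentifier</key><string>com.bubble.bubble-vpn.network-extension</string>
<key>NetworkExtension</key><dict>
<key>NEMachServiceName</key><string>FVMDZDYX72.com.bubble.bubble-vpn.network-extension</string>
<key>NEProviderClasses</key><dict><key>com.apple.networkextension.packet-tunnel</key><string>macDevIDNetworkExtension.PacketTunnelProvider</string></dict>
</dict>""")

if __name__ == "__main__":
    for finding in check_sysex(ENT, INFO):
        print(finding)
```

A finding marks a mismatch to examine against Apple's documentation; it does not establish which one produces OSSystemExtensionErrorDomain Code=9.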