While processing outbound DNS queries via 'flows' we may attempt to open a TLS connection to port 443 or a TCP or UDP connection to port 53 using the Network framework As far as we know these always succeed. From the stack trace it appears that the problem occurs when the NetworkExtension is attempting to set up an NEAppProxyUDPFlow before handing it to us. It is not clear what the connection is if any between that and what we are doing via the Network framework

Have you checked whether the library you are using is actually embedded in your SystemExtension ?At "installation time" it is going to be copied out of the App into a directory under /Library/SystemExtensions, so it needs to be entirely self-contained.For example, if it is linked against a non-OS framework, that framework needs to be in /Library/SystemExtensions/<UUID><your-system-extension>/Contents/Frameworks

Once your connection is 'ready' you simply need to call receiveMessage() once.When a message is available your completion handler will be invoked.Once you have handled that message you can call receiveMessage() again from your completion handler if you want to receive further messagesAs far as I can tell from the code you have posted you are blocking the caller of your state update handler by calling your listen method which is simply sitting in a loop calling receiveMessage() which is probably preventing the 'connection' from doing anything else.

FWIW I have seen this problem when the SystemExtension executable name is not the same as the bundle identifier.If that doesn't work, then if you filter the console output on 'sysextd' when you are activating then you may actually see what the problem is, as sysextd log messages are usually quite detailed if there is a problem.

Filed via FeedbackAssistant: FB7678050

I guess the first question is do you notarize your app prior to running it ?

Have you tried looking for messages from sysextd etc in the console ?The error messages from sysextd can be very helpful sometimes.If you filter on your bundle-id or a prefix of your bundle id then try doing whatever it is that's failing you might see some more information about the actual problem.

Does the Other Code Sgning Flagssection of the Signing section of your Build settings include --timestamp?If that flag is present then an attempt will be made to obtain a signed timestamp from an Apple server.If your machine is off-line then the code signing step will fail.

Hi Rob,You should be able to stop the get-task-allowentitlement from automatically being added by setting Code Signing Inject Base Entitlementsin the Signing section of Build Settings to No for debug builds

I guess it depends on what your system extension is doing.For something like a DNSProxy NE probably the only thing you need to be able to do is open connections to a preferred DNS server which can be enabled be requesting the com.apple.security.network.cliententitlement whilest remaining sand-boxed.

Hi Rob,The only differences I can see from the configuration that works for me is the com.apple.security.get-task-allowentitlements and that the extension has the com.apple.security.app-sandboxset to false.What happens if you remove the com.apple.security.get-task-allowentitlements and set com.apple.security.app-sandboxto true ?

typedef NS_ERROR_ENUM(OSSystemExtensionErrorDomain, OSSystemExtensionErrorCode) { OSSystemExtensionErrorUnknown = 1, OSSystemExtensionErrorMissingEntitlement, OSSystemExtensionErrorUnsupportedParentBundleLocation, OSSystemExtensionErrorExtensionNotFound, OSSystemExtensionErrorExtensionMissingIdentifier, OSSystemExtensionErrorDuplicateExtensionIdentifer, OSSystemExtensionErrorUnknownExtensionCategory, OSSystemExtensionErrorCodeSignatureInvalid, OSSystemExtensionErrorValidationFailed, OSSystemExtensionErrorForbiddenBySystemPolicy, OSSystemExtensionErrorRequestCanceled, OSSystemExtensionErrorRequestSuperseded, OSSystemExtensionErrorAuthorizationRequired,} NS_ENUM_AVAILABLE_MAC(10.15);so 8 would be OSSystemExtensionErrorCodeSignatureInvalidDid you update your provisioning profile when you changed the entitlements ?

When signing with a Developer Id you need a different entitlement for each type of network extensionSo instead of content-filter-provideryou need content-filter-provider-systemextensionSee here for the official documentationhttps://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_networking_networkextension

Hi Rob,Which network extension entitlements are you requesting ?They are different depending on whether you are signing with a Developer Id or not.When signing with a developer id they take the suffix -systemextensionSo for a DNSProxyNE signed with a Developer Id the required entitlement is dns-proxy-systemextensionCurrently Xcode doesn't seem to know about this !

Creating a Provisioning Profile for a Developer Id the sequence is as followsSelect whether profile is for Development/Distribution [choose Developer ID and Continue]Select an App ID [Continue]Select Certificates [Continue]Additional EntitlementsThere is a drop-down menu Entitlements with the value Default.Its at this point that it should be possible to select the Endpoint security entitlement if it has been granted.I've just run through this sequence so it was working as of today [13.ii.2020].Note that it is NOT listed as a 'capability' when creating an App ID