I have an app which is installing a system extension. On startup I want to know if it's already been installed or not (because if it hasn't I want to show some information to the user).
I have not been able to find an ObjC or Swift method that allows me to ask if a given extension has been installed.
I know I can run systemextensionsctl list and parse the output but I don't want to have to fork a shell command if I don't have to.
In reference to this related question: forum question 678260
I have an application that is codesigned and notarized to install a VPN extension using the NetworkExtension plugin. It works great in Xcode in debug.
In release builds that are notarized the network extension is rejected when I try to load it. The only way we were able to get the extension to load is by going through the system extension API.
**Quinn, is it possible to distribute Developer ID-signed apps that install NetworkExtension components outside the App Store without having to use System Extension?**
The 4 UIs that the user has to jump through to allow System Extensions is going to be a huge problem for non-technical user base.
CONSOLE output when installed from a notarized pkg:
NEVPNTunnelPlugin(com.foo.bar[inactive]): Validation of the extension failed
and
Provider com.foo.bar validation failed: Error Domain=NEFilterErrorDomain Code=1 "(null)"
I have a parent app that contains a child app in the bundle. The child app uses AppleScript to trigger some events in the parent app.
Now that I'm preparing for the App Store I have sandboxed the apps and I am missing something with the entitlements that I don't understand.
In the parent app I have defined the .sdef and I can dump it with sdef /Applications/Parent.app once installed from TestFlight and I see:
<!DOCTYPE dictionary SYSTEM "file://localhost/System/Library/DTDs/sdef.dtd">
<dictionary title="Parent">
<suite name="Parent Suite" code="prnt" description="Parent Scripts">
<command name="is_first_run" code="prntisfr" description="Is this the first time running the app?">
<cocoa class="MyScriptInterface"/>
</command>
<command name="activation_complete" code="prntWRac" description="Activation is complete">
<cocoa class="MyScriptInterface"/>
</command>
<command name="sign_out" code="prntWRso" description="Sign out and delete local credentials">
<cocoa class="MyScriptInterface"/>
</command>
<command name="get_version" code="prntgetv">
<cocoa class="MyScriptInterface"/>
<direct-parameter type="text" description="None"/>
<result type="text"/>
</command>
</suite>
</dictionary>
In the parent app I have the following included in the .plist:
<key>NSAppleEventsUsageDescription</key>
<string>AppleEvents needed to communicate between components</string>
<key>NSAppleScriptEnabled</key>
<true/>
<key>OSAScriptingDefinition</key>
<string>Parent.sdef</string>
In the Parent entitlements I include the following key parts:
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.scripting-targets</key>
<dict>
<key>com.foo.parent</key>
<array>
<string>com.foo.parent.is_first_run</string>
<string>com.foo.parent.activation_complete</string>
<string>com.foo.parent.sign_out</string>
<string>com.foo.parent.get_version</string>
</array>
<key>com.foo.parent.child</key>
<array>
<string>com.foo.parent.is_first_run</string>
<string>com.foo.parent.activation_complete</string>
<string>com.foo.parent.sign_out</string>
<string>com.foo.parent.get_version</string>
</array>
</dict>
In the Child app I have only this key:
<key>NSAppleScriptEnabled</key>
<true/>
And in the Child entitlements I have only this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
</plist>
I am not getting something. When I install the app and watch Console output I see a combination of errors:
For the Parent app:
AppleEvents/sandbox: Returning errAEPrivilegeError/-10004 and denying dispatch of event prnt/isfr from process '<private>'/0x0-0x7dccdc5, pid=95806, because it is not entitled to send an AppleEvent to this process.
For the Child app from sandboxd:
Violation: deny(1) appleevent-send com.apple.systemevents
MetaData: {"platform-binary":false,"build":"macOS 12.3.1 (21E258)","sandbox_checker":"appleeventsd","process-path":"\/Applications\/Parent.app\/Contents\/MacOS\/Child.app\/Contents\/MacOS\/Child","profile-in-collection":false,"platform_binary":"no","primary-filter-value":"com.apple.systemevents","primary-filter":"appleevent-destination","checker":"appleeventsd","platform-policy":false,"policy-description":"Sandbox","summary":"deny(1) appleevent-send com.apple.systemevents","binary-in-trust-cache":false,"responsible-process-team-id":"367******2","target":"com.apple.systemevents","hardware":"Mac","pid":95806,"appleevent-destination":"com.apple.systemevents","flags":5,"responsible-process-signing-id":"com.foo.parent","apple-internal":false,"normalized_target":["com.apple.systemevents"],"checker-pid":359,"profile-flags":0,"operation":"appleevent-send","errno":1,"action":"deny","uid":501,"responsible-process-path":"\/Applications\/Parent.app\/Contents\/MacOS\/Parent","signing-id":"com.foo.parent.child","team-id":"367******2","container":"\/Users\/spartygw\/Library\/Containers\/com.foo.parent\/Data","process":"Child","release-type":"User"}
I'm developing a network extension and as part of the code/build/test loop I'm scripting removing all installation artifacts.
I haven't been able to figure out how to remove a network extension from a script.
I know system extensions use systemextensionsctl but I couldn't find an equivalent.
I have an app that is packaged for the Mac App Store. It runs great but now I need to package a second app along with it as a supplementary .app.
I have constructed a test case with the smallest possible child app. All it does is open a window that says "success".
When I archive and distribute through TestFlight the child app crashes on startup.
I'm attaching the crash report below, but first, this is how I'm starting the child app from Swift:
import Foundation
// Build the path to the embedded child app's executable and launch it.
let process = Process()
let url = Bundle.main.bundleURL.path + "/Contents/Plugins/Child.app/Contents/MacOS/Child"
process.executableURL = URL(fileURLWithPath: url)
// Report when the child process has exited.
process.terminationHandler = { (process) in
    print("\ndidFinish: \(!process.isRunning)")
}
do {
    try process.run()
} catch let error as NSError {
    NSLog("Failed to execute %@", error.description)
}
The Child.app is being copied to the Plugins folder as part of the Xcode solution.
Attached is the crash report, here's a brief summary:
Exception Type: EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes: 0x0000000000000001, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 4 Illegal instruction: 4
Terminating Process: exc handler [52231]
Application Specific Signatures:
SYSCALL_SET_PROFILE
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_secinit.dylib 0x7ff810c4b337 _libsecinit_appsandbox.cold.5 + 79
1 libsystem_secinit.dylib 0x7ff810c4a82f _libsecinit_appsandbox + 2221
2 libsystem_trace.dylib 0x7ff805be1848 _os_activity_initiate_impl + 51
3 libsystem_secinit.dylib 0x7ff810c49f41 _libsecinit_initializer + 67
4 libSystem.B.dylib 0x7ff810c5d8c5 libSystem_initializer + 286
5 dyld 0x1180b6d2b invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 182
6 dyld 0x1180dd237 invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 242
7 dyld 0x1180d483a invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 557
8 dyld 0x1180a3db3 dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 129
9 dyld 0x1180d45cb dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 179
10 dyld 0x1180dcd8e dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 466
11 dyld 0x1180b6c5e dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 144
12 dyld 0x1180bd1aa dyld4::PrebuiltLoader::runInitializers(dyld4::RuntimeState&) const + 30
13 dyld 0x1180ca3de dyld4::APIs::runAllInitializersForMain() + 38
14 dyld 0x1180a837d dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 3443
15 dyld 0x1180a74d4 start + 388
crash-report.txt
I have an app that I'm building and signing and deploying for the Mac App Store.
I received an email that there were problems with the deployment that make no sense to me.
ITMS-90286: Invalid Code Signing Entitlements - Your application bundle's signature contains code signing entitlements that are not supported on macOS. Specifically, value '367****Y2.com.foo.foo-one.electron' for key 'com.apple.application-identifier' in 'Foo One.app/Contents/MacOS/Foo.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/libEGL.dylib' is not supported. This value should be a string starting with your TEAMID, followed by a dot '.', followed by the bundle identifier .
Say what now?
This value should be a string starting with your TEAMID, followed by a dot '.', followed by the bundle identifier .
But that is exactly what it is set to:
367****Y2.com.foo.foo-one.electron (asterisks just here to obscure our actual TeamID)
I have no idea how to proceed. Any advice?
Similar to this question thread 698452
As a followup to this question...
I have a parent app and an embedded child app. This child does nothing but open a WKWebView to a public URL as a test case.
In development I have the debug entitlements for Child.app to include:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
</dict>
</plist>
Building and running Child.app does as expected (opens a view and displays a public website).
Embedding this Child.app I have the entitlements set in Release as:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.inherit</key>
<true/>
</dict>
</plist>
The parent app that embeds Child.app has these entitlements:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider</string>
</array>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.foo</string>
</array>
<key>com.apple.security.automation.apple-events</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.bluetooth</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>
My understanding is that Child.app would inherit all of these entitlements and thus be able to open a website.
When I dump the entitlements of what gets installed via TestFlight I can confirm the entitlements are as I expect:
Executable=/Applications/Foo One.app/Contents/MacOS/Child.app/Contents/MacOS/Child
Warning: Specifying ':' in the path is deprecated and will not work in a future release
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>beta-reports-active</key><true/><key>com.apple.application-identifier</key><string>367***NY2.com.foo.Child</string><key>com.apple.developer.team-identifier</key><string>367***NY2</string><key>com.apple.security.app-sandbox</key><true/><key>com.apple.security.inherit</key><true/></dict>
I watch Console to see if anything jumps out at me but I don't see any errors, yet Child.app displays a blank WKWebView and never even seems to try to connect to the URL.
I am embedding an Electron app within my main app for the macOS App Store.
The Electron component needs an app group that is named TEAMID.bundle-id.
But the web interface on developer.apple.com won't allow me to enter anything that isn't prefixed by group.
I was trying to debug and NETunnelProviderManager loadAllFromPreferencesWithCompletionHandler keeps giving me an error that led me to this statement from many years ago:
https://developer.apple.com/forums/thread/101663
That it's not possible to debug iOS network extensions on a simulator. Is that still true?