Suddenly, between 07/March/22 and 11/March/22, my entire team stopped being able to create a non-crashing build for our macOS app.
The project builds correctly but the app crashes with:
dyld: Library not loaded: @rpath/[redacted]/Versions/A/[redacted]
Referenced from: /Users/[redacted]/Library/Developer/Xcode/DerivedData/[redacted]-afjccazdqnhlzphdcplakowpjfyi/Build/Products/Release/MyApp.app/Contents/MacOS/MyApp
Reason: no suitable image found. Did find:
/Users/[redacted]/Library/Developer/Xcode/DerivedData/[redacted]-afjccazdqnhlzphdcplakowpjfyi/Build/Products/Release/MyApp.app/Contents/MacOS/../Frameworks/[redacted].framework/Versions/A/[redacted]: code signature invalid for '/Users/[redacted]/Library/Developer/Xcode/DerivedData/[redacted]-afjccazdqnhlzphdcplakowpjfyi/Build/Products/Release/MyApp.app/Contents/MacOS/../Frameworks/[redacted].framework/Versions/A/[redacted]'
Summary:
no suitable image found. and code signature invalid
In console we see:
error 12:33:50.270929+0000 taskgated-helper ConfigurationProfiles com.apple.ManagedClient ProvisioningProfiles Disallowing org.cocoapods.[redacted] because no eligible provisioning profiles found
error 12:33:50.271244+0000 amfid amfid com.apple.MobileFileIntegrity amfid CPValidateProvisioningDictionariesExtViaBridge returned invalid result: {
success = 0;
}
This is the signature of the above framework from inside the application bundle:
The framework crashing is a Pod and our project has a mix of pods and swift packages.
We tried to build several older commits, thinking we had screwed up something in the project, but the result does not change, so it seems obvious the issue is in the environment.
We are using Xcode 13.2.1 on macOS 11.6.5 (yeah, IT is blocking macOS 12 upgrade)
We cleaned the project, re-downloaded all certificates and changed our signing from manual to automatic, just for testing. No changes.
I'm aware of changes in certificates and some known problems on Xcode <13.4 but the timing doesn't match exactly.
Any clue?
Additional info:
This is just one of the components crashing, other binaries are crashing for the same reason but different frameworks.
This is a comparison between the framework with the invalid signature and the same framework from an old working build
Working:
sudo codesign -dv [redacted].framework --extract-certificates
Password:
Executable=/Applications/[redacted].app/Contents/Frameworks/[redacted]g.framework/Versions/Current/[redacted]
Identifier=org.cocoapods.[redacted]
Format=bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=1092 flags=0x0(none) hashes=27+3 location=embedded
Signature size=8960
Timestamp=1 Feb 2022 at 13:00:40
Info.plist entries=20
TeamIdentifier=[redacted]
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=192
Crashing:
sudo codesign -dv [redacted].framework --extract-certificates
Password:
Executable=/Users/[redacted]/Developer/[redacted]/Builds/Release/InstallerComponents.dst/Applications/[redacted].app/Contents/Frameworks/[redacted].framework/Versions/Current/[redacted]
Identifier=org.cocoapods.[redacted]
Format=bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1164 flags=0x10000(runtime) hashes=27+5 location=embedded
Signature size=8961
Timestamp=15 Mar 2022 at 11:15:56
Info.plist entries=20
TeamIdentifier=[redacted]
Runtime Version=12.1.0
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=224
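The working/crashing comparison in the post above, done mechanically (an added example, not part of the original post): it parses two `codesign -dv` outputs and reports only the fields that reflect signing configuration, skipping the ones that change on every signing run. The sample strings are constructed from the output quoted in the post, with the redacted identifier replaced by a placeholder; the function names are hypothetical.

```python
import re

# Constructed sample input: the two `codesign -dv` outputs from the post,
# with the redacted identifier replaced by a placeholder.
WORKING = """\
Identifier=org.cocoapods.example
CodeDirectory v=20400 size=1092 flags=0x0(none) hashes=27+3 location=embedded
Signature size=8960
Timestamp=1 Feb 2022 at 13:00:40
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=192
"""
CRASHING = """\
Identifier=org.cocoapods.example
CodeDirectory v=20500 size=1164 flags=0x10000(runtime) hashes=27+5 location=embedded
Signature size=8961
Timestamp=15 Mar 2022 at 11:15:56
Runtime Version=12.1.0
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=224
"""

# Fields that change on every signing run and say nothing about configuration.
VOLATILE = {"Executable", "Timestamp", "Signature size"}

def parse_codesign(text):
    """Flatten `codesign -dv` output into a dict of comparable fields."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"(CodeDirectory|Sealed Resources|Internal requirements) (.*)", line)
        if m:  # lines made of several key=value pairs
            for key, val in re.findall(r"(\w+)=(\S+)", m.group(2)):
                fields[f"{m.group(1)}.{key}"] = val
        elif "=" in line:
            key, val = line.split("=", 1)
            fields[key.strip()] = val.strip()
    return fields

def diff_signatures(old, new):
    """Return {field: (old, new)} for non-volatile fields that differ."""
    a, b = parse_codesign(old), parse_codesign(new)
    return {k: (a.get(k), b.get(k))
            for k in sorted(a.keys() | b.keys())
            if k not in VOLATILE and a.get(k) != b.get(k)}

if __name__ == "__main__":
    for field, (old, new) in diff_signatures(WORKING, CRASHING).items():
        print(f"{field}: {old} -> {new}")
```

On a real build, note that `codesign -dv` writes this output to stderr, so capture that stream for each embedded framework before diffing.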
Hi All,
I have a NEDNSProxyProvider System Extension and my logs are full of sandbox violations, all like:
error 2021-09-21 10:42:30.557390 -0400 sandboxd com.apple.sandbox.reporting violation System Policy: com.myCompany.mac(640) deny(1) system-privilege 10006
Violation: deny(1) system-privilege 10006
Process: com.myCompany.mac [640]
Path: /Library/SystemExtensions/4375ED6E-69A9-4897-8B39-4252AD9843AD/com.myCompany.macos.netext.dnsproxy.systemextension/Contents/MacOS/com.myCompany.macos.netext.dnsproxy
Load Address: 0x1028a8000
Identifier: com.myCompany.macos.netext.dnsproxy
Version: 78 (2.0.0)
Code Type: arm64 (Native)
Parent Process: launchd [1]
Responsible: /Library/SystemExtensions/4375ED6E-69A9-4897-8B39-4252AD9843AD/com.myCompany.macos.netext.dnsproxy.systemextension/Contents/MacOS/com.myCompany.macos.netext.dnsproxy
User ID: 0
Date/Time: 2021-09-21 10:42:30.522 EDT
OS Version: macOS 11.6 (20G165)
Report Version: 8
MetaData: {"uid":0,"summary":"deny(1) system-privilege 10006","errno":1,"hardware":"J293","operation":"system-privilege","apple-internal":false,"pid":640,"platform-binary":false,"primary-filter":"privilege-id","privilege-id":"PRIV_NET_PRIVILEGED_NECP_MATCH","process":"com.myCompany.mac","profile-flags":0,"target":"PRIV_NET_PRIVILEGED_NECP_MATCH","build":"macOS 11.6 (20G165)","flags":5,"team-id":"7NM7G573E4","platform-policy":true,"profile":"platform","responsible-process-path":"\/Library\/SystemExtensions\/4375ED6E-69A9-4897-8B39-4252AD9843AD\/com.myCompany.macos.netext.dnsproxy.systemextension\/Contents\/MacOS\/com.myCompany.macos.netext.dnsproxy","signing-id":"com.myCompany.macos.netext.dnsproxy","platform_binary":"no","action":"deny","process-path":"\/Library\/SystemExtensions\/4375ED6E-69A9-4897-8B39-4252AD9843AD\/com.myCompany.macos.netext.dnsproxy.systemextension\/Contents\/MacOS\/com.myCompany.macos.netext.dnsproxy","normalized_target":["PRIV_NET_PRIVILEGED_NECP_MATCH"],"primary-filter-value":"PRIV_NET_PRIVILEGED_NECP_MATCH"}
Thread 0 (id: 5185):
0 libsystem_kernel.dylib 0x0000000195f13eac __sigsuspend_nocancel + 8
1 libdispatch.dylib 0x0000000195dab518 _dispatch_sigsuspend + 48
2 libdispatch.dylib 0x0000000195dab4e8 _dispatch_sigsuspend + 0
Thread 1 (id: 32979):
0 libsystem_kernel.dylib 0x0000000195f0ea8c __workq_kernreturn + 8
1 libsystem_pthread.dylib 0x0000000195f438e8 _pthread_wqthread + 352
2 libsystem_pthread.dylib 0x0000000195f425d4 start_wqthread + 8
Thread 2 (id: 33109):
0 libsystem_kernel.dylib 0x0000000195f1111c socket + 8
1 libnetwork.dylib 0x0000000199d74658 nw_interface_create_with_index_and_name + 220
2 libnetwork.dylib 0x0000000199d73c7c nw_interface_create_with_index + 180
3 NetworkExtension 0x00000001a310de10 -[NEAppProxyFlow initWithNEFlow:queue:] + 432
4 NetworkExtension 0x00000001a310fc70 -[NEAppProxyUDPFlow initWithNEFlow:queue:] + 48
5 NetworkExtension 0x00000001a31425b8 -[NEExtensionAppProxyProviderContext flowDivertNewFlow:completionHandler:] + 556
6 NetworkExtension 0x00000001a31419f8 __88-[NEExtensionAppProxyProviderContext setInitialFlowDivertControlSocket:extraValidation:]_block_invoke.106 + 72
7 NetworkExtension 0x00000001a3172404 __flow_startup_block_invoke.116 + 156
8 libdispatch.dylib 0x0000000195d96128 _dispatch_call_block_and_release + 32
9 libdispatch.dylib 0x0000000195d97ec0 _dispatch_client_callout + 20
10 libdispatch.dylib 0x0000000195d9f6a8 _dispatch_lane_serial_drain + 620
11 libdispatch.dylib 0x0000000195da02a4 _dispatch_lane_invoke + 404
12 libdispatch.dylib 0x0000000195daab74 _dispatch_workloop_worker_thread + 764
13 libsystem_pthread.dylib 0x0000000195f4389c _pthread_wqthread + 276
14 libsystem_pthread.dylib 0x0000000195f425d4 start_wqthread + 8
Thread 3 (id: 33293):
0 libsystem_kernel.dylib 0x0000000195f0ea8c __workq_kernreturn + 8
1 libsystem_pthread.dylib 0x0000000195f438e8 _pthread_wqthread + 352
2 libsystem_pthread.dylib 0x0000000195f425d4 start_wqthread + 8
Thread 4 (id: 33296):
0 0x0000000000000000
Binary Images:
0x195d94000 - 0x195dd8807 libdispatch.dylib (1271.120.2) <4edd5f72-2296-3891-b2a1-6741db6c05c9> /usr/lib/system/libdispatch.dylib
0x195f0c000 - 0x195f3ffff libsystem_kernel.dylib (7195.141.6) <fa7e835c-cb30-3d98-9331-30ce6584423d> /usr/lib/system/libsystem_kernel.dylib
0x195f40000 - 0x195f4cfff libsystem_pthread.dylib (454.120.2) <bdc1c5da-9499-3580-9588-2928de2440dd> /usr/lib/system/libsystem_pthread.dylib
0x199ba7000 - 0x19a2ef4ff libnetwork.dylib (2288.140.7) <992e11c6-a4c3-344f-80f9-d49fc41f9ebb> /usr/lib/libnetwork.dylib
0x1a3104000 - 0x1a335a1b3 com.apple.NetworkExtension (1.0 - 1) <66650680-34df-30c9-a215-46589cf2aa0e> /System/Library/Frameworks/NetworkExtension.framework/Versions/A/NetworkExtension
and related
error 2021-09-21 10:42:41.145014 -0400 kernel <Missing Description> System Policy: com.myCompany.mac(640) deny(1) system-privilege 10006
OS: macOS 11.6, sysext built with Xcode 12.5.1
The proxy works as expected.
I've found a very similar post: here but the System extension is a NETransparentProxyManager and the solution is related to something we don't have (includeAllNetworks)
Any clue?
Hi All,
We have an app installed in /Applications/MyApp.app that embeds a system extension.
Everything works as expected and the system extension (DNSProxy) is installed and runs perfectly.
We also have a .pkg "Uninstaller" that, alongside other tasks, runs an rm -rf /Applications/MyApp.app in the pkg preinstall script.
When we run the uninstaller all the files are deleted and all the processes are stopped except the System extension, which is still alive and kicking:
systemextensionsctl list
* xxxxxxxxxxxx com.xxxxxx.macos.netext.dnsproxy (2.0.0/22) MyAppNE [activated enabled]
The documentation states:
Uninstall a System Extension
The system automatically uninstalls any system extensions when the user deletes the corresponding app. You can also uninstall a system extension by creating a deactivation request. Call the deactivationRequest(forExtensionWithIdentifier:queue:) method of OSSystemExtensionRequest and submit the resulting object to the OSSystemExtensionManager.
But apparently, this isn't the case if the app is removed in this specific way.
How are we supposed to uninstall the System Extension? Running the deactivationRequest(forExtensionWithIdentifier:queue:) method from the uninstaller pkg would be VERY tricky.
Update:
This entire post could be summarised with:
Removing an app from Terminal doesn't remove the embedded system extension.
This seems a HUGE limitation... how are we supposed to remove a system extension via MDM or SSH, for instance?
Hi All,
I'm studying the new AUTH event ES_EVENT_TYPE_AUTH_IOKIT_OPEN introduced in the EndpointSecurity framework on macOS 11.
The event is called correctly when someone tries to open a new IO device, for instance, any USB device.
If the endpoint answers ES_AUTH_RESULT_DENY then the device is correctly stopped.
In message->event I see an event of type es_event_iokit_open_t
/**
 * @brief Open a connection to an I/O Kit IOService
 *
 * @field user_client_type A constant specifying the type of connection to be
 *        created, interpreted only by the IOService's family.
 *        This field corresponds to the type argument to IOServiceOpen().
 * @field user_client_class Meta class name of the user client instance.
 *
 * This event is fired when a process calls IOServiceOpen() in order to open
 * a communications channel with an I/O Kit driver. The event does not
 * correspond to driver <-> device communication and is neither providing
 * visibility nor access control into devices being attached.
 */
typedef struct {
    uint32_t user_client_type;
    es_string_token_t user_client_class;
    uint8_t reserved[64];
} es_event_iokit_open_t;
Unfortunately, the header says:
The event does not correspond to driver <-> device communication and is neither providing visibility nor access control into devices being attached.
My question is: How can I get info about the device? For instance:
Name
Vendor
Type
etc...
Do I need to use IOKit? In this case, how can I connect the event to the device?
Thanks
Hi All,
Starting from the SimpleFirewall Apple Network Extension example I managed to create an app with an Endpoint Security extension.
From the console I can see that the app is starting correctly and the System Extension is registered and loaded correctly by Sysextd:
attempting to realize extension with identifier com.***.***.endpoint
But then the system extension fails with:
System extension request failed: Invalid extension configuration in Info.plist and/or entitlements
That is the same error I can see when setting a breakpoint in:
func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error)
Note 1: My provisioning profile doesn't yet contain a com.apple.developer.endpoint-security.client (requested but not yet approved) but I removed it from the .entitlements file and added it to the system extension info.plist; for development it "should" be ok, right?
Note 2: Keeping the entitlement in the .entitlements file but not having it in the Provisioning Profile obviously causes an error:
com.***.zuul: Unsatisfied entitlements: com.apple.developer.endpoint-security.client
What am I missing?
I noticed that the SimpleFirewall has a special configuration in the info.plist:
<key>com.apple.developer.networking.networkextension</key>
<array>
    <string>content-filter-provider</string>
</array>
Do I need to add something similar for Endpoint Security?