I have a simple CLI app bundle that activates my system extension. When I sign it for development it works fine. However, once I sign it with my Developer ID certificate for distribution, the network extension will not activate, getting stuck on the activation request and completely killing any internet connectivity until I restart.
The only thing that I see is different is when I call systemextensionsctl list I get something like:
1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
<TEAM_ID> com.company.networkExt (1.0/240116145656) - [validating by category]
* * <TEAM_ID> com.company.networkExt (1.0/240115061310) ProxyExtension [activated enabled]
Where the one specifying [validating by category] is the one that I'm trying to activate signed with the developer ID cert. The one that is [activated enabled] got there from a dev build.
The app was built and notarized and shows to be valid by any codesign -dv --verify --strict and spctl commands that I've found. The system extension is also valid according to codesign.
The entitlements are adjusted to use the -systemextension suffix to work with Developer ID certificates.
Is there another step required to make it work with a developer ID certificate?
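Added example, not part of the original post or of any Apple tooling: a Python check that the Network Extension entitlement values in a Developer ID signature carry the -systemextension suffix mentioned above and are authorized by the provisioning profile. It assumes both inputs were already exported to plists (for instance with `codesign -d --entitlements - --xml` and `security cms -D -i`); the function names and sample plists are constructed for illustration.

```python
import plistlib

NE_KEY = "com.apple.developer.networking.networkextension"
SUFFIX = "-systemextension"
# Provider values that have a "-systemextension" variant for Developer ID signing.
SUFFIXED = {"app-proxy-provider", "content-filter-provider",
            "packet-tunnel-provider", "dns-proxy"}


def ne_values(plist_bytes, nested_key=None):
    """Read the Network Extension entitlement array from a plist.

    nested_key="Entitlements" reads it from a decoded provisioning profile,
    where the allowed entitlements sit under that top-level key.
    """
    data = plistlib.loads(plist_bytes)
    if nested_key:
        data = data.get(nested_key, {})
    return list(data.get(NE_KEY, []))


def check_developer_id(signed_plist, profile_plist):
    """Return findings for a Developer ID build; an empty list means consistent."""
    signed = ne_values(signed_plist)
    allowed = set(ne_values(profile_plist, "Entitlements"))
    findings = []
    if not signed:
        findings.append(f"signature carries no {NE_KEY} values")
    for value in signed:
        if value in SUFFIXED:  # development-style value left in the signature
            findings.append(f"{value}: missing {SUFFIX} suffix")
        if value not in allowed:  # signature claims more than the profile grants
            findings.append(f"{value}: not authorized by the profile")
    return findings


# Constructed sample inputs (not taken from the post).
SAMPLE_PROFILE = plistlib.dumps(
    {"Entitlements": {NE_KEY: ["app-proxy-provider-systemextension"]}})
SAMPLE_DEVID = plistlib.dumps({NE_KEY: ["app-proxy-provider-systemextension"]})
SAMPLE_DEV_STYLE = plistlib.dumps({NE_KEY: ["app-proxy-provider"]})

if __name__ == "__main__":
    for name, signed in (("developer-id", SAMPLE_DEVID),
                         ("dev-style", SAMPLE_DEV_STYLE)):
        print(name, check_developer_id(signed, SAMPLE_PROFILE) or "consistent")
```

Run it against both the container app and the system extension, since each has its own signature and profile.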
I'm working on an app using entitlements. The entitlements are set up in its code signature and they are also applied in the corresponding provisioning profile.
I embed said provisioning profile in the app, but when I launch the binary it gets rejected by taskgated-helper (as seen in console.app it says "profile not found").
However, if I install the same embedded provisioning profile it will work! So I can only assume taskgated-helper is not looking in the Contents/embedded.provisionprofile file when I try to run the binary?
I can only imagine that the issue revolves around the binary not being the main bundle binary in the application, as that one works just fine without installing the profile.
I would simply install the profile to fix the issue, but it brings other problems when trying to install the application in a headless environment (as opening the profile to install in system settings requires user interaction).
Any ideas?