Hi,
We are developing software that configures a network extension via a system extension on MacOS.
The host application (run as service) enables network extension and system extension capabilities. It registers the network extension.
The network extension has network extension capabilities and configures an app-group to be bundled into the service.
What we have built is already working, i.e. we build, sign, notarize and ship the code (it's already running on hundreds of SIP enabled customer devices in production).
But, we are currently falling back to manual profile management (i.e. download and import the profile) so that Xcode accepts the entitlements suffixed with -systemextention.
Recently we are testing deployment on iOS devices. For iOS profiles we cannot overcome the issues with setting the profile manually, XCode complains about mismatching networkextension entitlements even when manually importing the profile.
So I thought I get to the bottom of why automated signing is not working and hopefully overcome the issues with iOS.
Upon configuring automatic signing we ran into the following problem:
For a network extension that is installed via a system extension the network extension capabilities are expected to be defined with a -systemextension suffix, i.e.:
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
<string>dns-settings</string>
<string>relay</string>
When using automated signing the profile in our development account reflects these settings, i.e. the profile is correctly generated with the values above.
However, XCode complains that the network extension capabilities don't match.
I went as far as to configuring a new application-ID so that XCode would generate a new profile in the development account. I then downloaded and decoded the generated profile.
The capabilities of the development portal profile were created as expected (as above), but somehow, the locally generated profile that is generated by XCode auto-sign expects:
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-proxy-provider</string>
<string>content-filter-provider</string>
<string>packet-tunnel-provider</string>
<string>dns-proxy</string>
<string>dns-settings</string>
<string>relay</string>
What XCode auto-sign expects is not reflected in the development account profile (!).
I tried to overcome this by changing the entitlements of the project to omit the -systemextension suffix.
XCode auto-sign seemingly works then, but once the application is actually signed by CodeSign the signing fails because the capabilities don't match with the development account profile.
I tried profile re-generation by clearing Library/Developer/Xcode/UserData/Provisioning Profiles, but it always results in the same problem - either XCode is happy and the code signing fails when building, or the other way round.
Bottom Line: I think that somehow XCode evaluates the profile validity differently from CodeSign; somehow when using automatic signing XCode does not take the network extension + system extension into account, but only expects the capabilities of the network extension.
If anybody know how to overcome this problem please help :)
