Recently we have got serveral crash report from Organizer. The crash is about cancelTunnelWithError API usage in network extension. Last Exception Backtrace: 0 CoreFoundation 0x1d879140c __exceptionPreprocess + 160 (NSException.m:202) 1 libobjc.A.dylib 0x1d1a71c10 objc_exception_throw + 56 (objc-exception.mm:356) 2 Foundation 0x1d2b29448 -[NSXPCEncoder _checkObject:] + 288 (NSXPCCoder.m:0) 3 Foundation 0x1d2b29114 -[NSXPCEncoder _encodeUnkeyedObject:] + 36 (NSXPCCoder.m:396) 4 Foundation 0x1d2b28ddc -[NSXPCEncoder _encodeArrayOfObjects:forKey:] + 180 (NSXPCCoder.m:523) 5 Foundation 0x1d2b2ba24 -[NSDictionary(NSDictionary) encodeWithCoder:] + 568 (NSDictionary_Foundation.m:47) 6 Foundation 0x1d2b28ff8 -[NSXPCEncoder _encodeObject:] + 436 (NSXPCCoder.m:373) 7 Foundation 0x1d2b28ddc -[NSXPCEncoder _encodeArrayOfObjects:forKey:] + 180 (NSXPCCoder.m:523) 8 Foundation 0x1d2b2ba24 -[NSDictionary(NSDictionary) encodeWithCoder:] + 568 (NSDictionary_Foundation.m:47) 9 Foundation 0x1d2b28ff8 -[NSXPCEncoder _encodeObject:] + 436 (NSXPCCoder.m:373) 10 Foundation 0x1d2b28ddc -[NSXPCEncoder _encodeArrayOfObjects:forKey:] + 180 (NSXPCCoder.m:523) 11 Foundation 0x1d2b2ba24 -[NSDictionary(NSDictionary) encodeWithCoder:] + 568 (NSDictionary_Foundation.m:47) 12 Foundation 0x1d2b28ff8 -[NSXPCEncoder _encodeObject:] + 436 (NSXPCCoder.m:373) 13 Foundation 0x1d2b54378 _NSXPCSerializationAddInvocationWithOnlyObjectArgumentsArray + 112 (NSXPCCoder_InvocationSerialization.m:36) 14 Foundation 0x1d2b49c2c -[NSXPCEncoder _encodeInvocationObjectArgumentsOnly:count:typeString:selector:isReply:into:] + 208 (NSXPCCoder.m:498) 15 Foundation 0x1d2b472dc _sendReplyArgumentsOnly + 172 (NSXPCConnection.m:359) 16 Foundation 0x1d30649f8 __64-[NSXPCConnection _decodeAndInvokeMessageWithEvent:reply:flags:]_block_invoke_4 + 92 (NSXPCConnection.m:573) 17 Foundation 0x1d2baef90 -[_NSXPCConnectionRequestedReplies endTransactionForSequence:completionHandler:] + 192 (NSXPCConnectionHelpers.m:516) 18 Foundation 0x1d3064974 __64-[NSXPCConnection _decodeAndInvokeMessageWithEvent:reply:flags:]_block_invoke_3 + 148 (NSXPCConnection.m:569) 19 NetworkExtension 0x1ee499f6c -[NEExtensionProviderContext cancelWithError:] + 196 (NEExtensionProviderContext.m:247) 20 NetworkExtension 0x1ee49ccb8 -[NEExtensionTunnelProviderContext cancelWithError:] + 68 (NEExtensionTunnelProviderContext.m:185) 21 NetworkExtension 0x1ee578bdc -[NEPacketTunnelProvider cancelTunnelWithError:] + 164 (NEPacketTunnelProvider.m:84) 22 *****PacketTunnelProvider 0x100659318 *****PacketTunnelProvider.cancelTunnelWithError(_:) + 360 (*****PacketTunnelProvider.swift:162) 23 *****PacketTunnelProvider 0x100659370 @objc *****PacketTunnelProvider.cancelTunnelWithError(_:) + 56 (<compiler-generated>:0) 24 ***** 0x100778c70 *****PacketTunnelProviderImpl.cancelTunnelWithError(_:cancelingFunction:) + 720 (******PacketTunnelProviderImpl.swift) 25 ***** 0x10077e434 closure #1 in *****PacketTunnelProviderImpl.****** 26 MCKit 0x1007b9934 partial apply for closure #1 in *****PacketTunnelProviderImpl.****(****) + 32 (<compiler-generated>:0) 27 MCKit 0x100774e9c thunk for @escaping @callee_guaranteed @Sendable (@guaranteed Data?, @guaranteed NSURLResponse?, @guaranteed Error?) -> () + 148 (<compiler-generated>:0) 28 CFNetwork 0x1d9774e60 __40-[__NSURLSessionLocal taskForClassInfo:]_block_invoke + 476 (LocalSession.mm:718) 29 CFNetwork 0x1d9783da8 __49-[__NSCFLocalSessionTask _task_onqueue_didFinish]_block_invoke_2 + 156 (LocalSessionTask.mm:544) 30 libdispatch.dylib 0x1df5347a8 _dispatch_call_block_and_release + 24 (init.c:1518) 31 libdispatch.dylib 0x1df535780 _dispatch_client_callout + 16 (object.m:560) 32 libdispatch.dylib 0x1df5106fc _dispatch_lane_serial_drain$VARIANT$armv81 + 600 (queue.c:3885) 33 libdispatch.dylib 0x1df5111e4 _dispatch_lane_invoke$VARIANT$armv81 + 432 (queue.c:3976) 34 libdispatch.dylib 0x1df51af14 _dispatch_workloop_worker_thread + 608 (queue.c:6507) 35 libsystem_pthread.dylib 0x2227ddbd0 _pthread_wqthread + 284 (pthread.c:2618) 36 libsystem_pthread.dylib 0x2227dd720 start_wqthread + 8 So we have some self defined error enums which conforms CustomNSError protocol. Not sure if there is something wrong from Error in swift to NSError in objective-c. This issue is not existed for old iOS version before. And the same code works fine on macOS.

I am trying to set includeAllNetworks flags right now and I see some wield behaviors from macOS system: default 13:32:50.825941+0800 ***** <debug> newStatus = Connecting... default 13:32:51.816353+0800 ***** <debug> newStatus = Disconnected default 13:32:52.222371+0800 ***** <debug> newStatus = Connected The app which is observing VPN status gets notified with disconnected status between connecting and connected. And in some cases I find that app will never gets connected notification after disconnected. In that case tunnel interface and all tunnel network settings are well set. But our UI logic will just handle the disconnected case. If I just clear the includeAllNetwork flag, then everything is fine. default 14:13:50.075947+0800 *****<debug> newStatus = Connecting... default 14:13:50.829195+0800 *****<debug> newStatus = Connected The test environment is macOS 14.0 and I am using network extension framework for the status KVO. So I am just wondering if this is expected behavior or not. If this is expected, then is there any suggestion that I should use to work around it?

Hello, Regarding this explanation If this property is YES, the system excludes network connections to hosts on the local network — such as AirPlay, AirDrop, and CarPlay — but only when the includeAllNetworks or enforceRoutes property is also YES. So my question is the local network here only meaning AirPlay, AirDrop, and CarPlay? Is the pings to local LAN IP still working? What is the exactly the local network definition here? Is it based on the interface or the IPs? For example, somehow we connects to a wifi which assigned a public IP. After VPN is connected with tunnel all mode, we set includeAllNetworks and excludeLocalNetworks flag, will the traffic originally goes through wlan interface goes through utun interface? Or it will keep going through wlan interface?

Hi, We are building an sandbox enabled app which contains 1. One launch daemon 2. One launch agent 3. System extension which is contained in launch agent The launch daemon is outside of the sandbox. The launch agent and system extension is inside the sandbox. The launch agent is in good communicating with system daemon already. But recently the use case I am meeting is to comunnication between launch agent, launch daemon and systen extension daemon. 1. Launch agent sends request to launch daemon 2. launch daemon sends response to launch agent And 1. System extension sends request to launch daemon 2. Launch daemon sends response to system extension I have read some articles on the forum and understand that we can use machServices to make the XPC connection fulfilled in launch daemon. And we can use com.apple.security.temporary-exception.mach-lookup.global-name to eliminate the sandbox limitation between the daemon and agents. But when we do experiment, it always return Error Domain=NSCocoaErrorDomain Code=4097 "connection to service named com.*****.******" UserInfo={NSDebugDescription=connection to service named com.****.*****} I understand that the suggested debug method is making anonymous listener in the same process. But that looks like more for XPC service. I am not sure how to debug in the launchd. Is there any suggestion? BTW, the daemon is mainly implemented in C++ and the agent is in swift. So I use NSXPCConnection on both sides. I am wondering if it is the best fit for our purpose. Is there any good example that I can follow?

Hi, The notarization worked on last month but now it fails with the below information. --------------------------------------------------   createdDate: 2022-05-31T02:01:10.082Z   id: 780d608d-a183-4caf-aa71-ee93db254e1f   name: SonicWall Capture Client.4.0.1.Beta.pkg   status: Accepted And the submit logs show below error. I am not sure why it complains about "The binary is not signed". {  "logFormatVersion": 1,  "jobId": "0b893061-763a-4098-8a0b-a3cb003fa756",  "status": "Invalid",  "statusSummary": "Archive contains critical validation errors",  "statusCode": 4000,  "archiveFilename": "SonicWall Capture Client.4.0.3.Beta.pkg",  "uploadDate": "2022-06-10T07:45:06.781Z",  "sha256": "e8423747eb762a89b134f5ac4dd9f14b1b88f354dde9d3c24959b5cd829458a6",  "ticketContents": null,  "issues": [   {    "severity": "error",    "code": null,    "path": "SonicWall Capture Client.4.0.3.Beta.pkg/SESFiles.pkg Contents/Payload/Library/SonicWall/CaptureClient/SonicWall Capture Client.app/Contents/MacOS/SonicWall Capture Client",    "message": "The binary is not signed.",    "docUrl": null,    "architecture": "x86_64"   },   {    "severity": "error",    "code": null,    "path": "SonicWall Capture Client.4.0.3.Beta.pkg/SESFiles.pkg Contents/Payload/Library/SonicWall/CaptureClient/SonicWall Capture Client.app/Contents/MacOS/SonicWall Capture Client",    "message": "The signature does not include a secure timestamp.",    "docUrl": null,    "architecture": "x86_64"   },   {    "severity": "error",    "code": null,    "path": "SonicWall Capture Client.4.0.3.Beta.pkg/SESFiles.pkg Contents/Payload/Library/SonicWall/CaptureClient/SonicWall Capture Client.app/Contents/MacOS/SonicWall Capture Client",    "message": "The executable does not have the hardened runtime enabled.",    "docUrl": null,    "architecture": "x86_64"   },   {    "severity": "error",    "code": null,    "path": "SonicWall Capture Client.4.0.3.Beta.pkg/SESFiles.pkg Contents/Payload/Library/SonicWall/CaptureClient/SonicWall Capture Client.app/Contents/MacOS/SonicWall Capture Client",    "message": "The binary is not signed.",    "docUrl": null,    "architecture": "arm64"   },   {    "severity": "error",    "code": null,    "path": "SonicWall Capture Client.4.0.3.Beta.pkg/SESFiles.pkg Contents/Payload/Library/SonicWall/CaptureClient/SonicWall Capture Client.app/Contents/MacOS/SonicWall Capture Client",    "message": "The signature does not include a secure timestamp.",    "docUrl": null,    "architecture": "arm64"   },   {    "severity": "error",    "code": null,    "path": "SonicWall Capture Client.4.0.3.Beta.pkg/SESFiles.pkg Contents/Payload/Library/SonicWall/CaptureClient/SonicWall Capture Client.app/Contents/MacOS/SonicWall Capture Client",    "message": "The executable does not have the hardened runtime enabled.",    "docUrl": null,    "architecture": "arm64"   }  ] } Basically what I did is use notatytool to submit xcrun notarytool submit ./Installer/Build/4.0.1/SonicWall\ Capture\ Client.4.0.1.Beta.pkg --keychain-profile **** --wait --webhook "https://example.com/notarization" And actually I think I have set the several necessary options. export OTHER_CODE_SIGN_FLAGS\=--timestamp\ --options\=runtime export CODE_SIGN_INJECT_BASE_ENTITLEMENTS\=NO Any suggestions? Thanks in advance

Hi We are building an macOS application which integrates VPN functions right now. We are using developer ID ceritifcate to sign the app and system network extension and sandbox is enabled. One issue we are facing now is that we need to establish mTLS connection to server. During this connection, we need to send client certificate to server via provideIdentity() API. We have the certificate, key and p12 file which are generated in another daemon. But we can not use SecPkcs12Import function to import the p12 file in our system extension due to the sandbox limitation and the different context. I know that we cannot construct secIdentity object by ourselves. So I am wondering if there is any way that we can get the secIdentity object in system extension? Is it possible to send secIdentity object between app and system extension?