Thanks for the reply.
The thing is this crash is only seen on iOS. I am thinking NSXPCConnection is not supported by developers on iOS.
Another thing is that I am using the network extension framework, not a network system extension. So I guess the encoding/decoding is done in the framework itself.
According to the doc, we just need to return an NSError object in this function. In Swift we return an enum error which conforms to CustomNSError. So I think it would be converted to an NSError object implicitly.
Any thoughts?
On macOS, sometimes the VPN status is reported as Disconnected. But if we run ifconfig in the terminal, the utun interface is up and running with a well-set configuration.
This does not sound good to me, and this issue could be seen in one out of three tries in a row.
Is this as expected or something that I am not aware of?
I tried the same case on iOS, and found that when includeAllNetworks is set in the profile, the VPN status changes to disconnected after connecting.
How should we use includeAllNetworks correctly on iOS/macOS?
Any help is appreciated.
Hmm, it sounds reasonable and I will try to figure out the approach you suggested for notarization.
Thanks again for all the detailed info, @eskimo
Hi @eskimo,
Thank you for sharing the debug process with me. And you are right, this file is indeed not signed.
With this lead I found that this file is used to make an installer package before it is signed. This explains the issue here.
So my next question is here we have two schemes, one for the app and the other one for the installer package.
During the execution of the installer package, we were trying to copy the product of app scheme.
We have a dependency within installer package scheme. And the app scheme is in the dependency.
But it looks like this does not guarantee that the app is signed before it is used.
Do you know if there is any way to make sure that the product of the app scheme is signed before it is used/copied?
Hi @eskimo,
After I add the entitlement, everything works great.
Thanks very much for your help.
Hi @eskimo,
Thanks for your advice and I will have a try with your suggestion.
I have filed a bug and the information is described as below:
FB10025450 (Keychain is not accessible from system network extension via SecPKCS12Import function)
I got several errors here:
Sandbox: com..(67423) deny(1) file-write-create /Library/Keychains/System.keychain.sb-bbfba64f-tncBHd
Violation: deny(1) file-write-create /Library/Keychains/System.keychain.sb-bbfba64f-tncBHd
found a referenced key 0x7fb4639059c0 for key reference 140412741245376 [140412741245376]
Error unwrapping private key
CSSM Exception: 100001 UNIX[Operation not permitted]
default 16:58:40.772517+0800 com.**** create /Library/Keychains/System.keychain.sb-bbfba64f-fmHziy: Operation not permitted
default 16:58:40.772562+0800 com.**** UNIX error exception: 1
debug 16:58:40.773690+0800 com.**** 0 Security 0x00007ff82042b0b7 Security::CommonError::LogBacktrace() + 181
debug 16:58:40.773725+0800 com.**** 1 Security 0x00007ff82042b3fe Security::UnixError::UnixError(int, bool) + 314
debug 16:58:40.773741+0800 com.**** 2 Security 0x00007ff82042b454 Security::UnixError::throwMe(int) + 36
debug 16:58:40.773756+0800 com.**** 3 Security 0x00007ff8203770be Security::AtomicTempFile::create(unsigned short) + 870
debug 16:58:40.773767+0800 com.**** 4 Security 0x00007ff82037a8b9 Security::DbModifier::modifyDatabase() + 369
debug 16:58:40.773783+0800 com.**** 5 Security 0x00007ff820379273 Security::AppleDatabase::dataInsert(Security::DbContext&, unsigned int, cssm_db_record_attribute_data const*, Security::CssmData const*) + 109
debug 16:58:40.773799+0800 com.**** 6 Security 0x00007ff8202f32f7 Security::DatabaseSession::DataInsert(long, unsigned int, cssm_db_record_attribute_data const*, Security::CssmData const*, cssm_db_unique_record*&) + 117
debug 16:58:40.773813+0800 com.**** 7 Security 0x00007ff8202f27e8 cssm_DataInsert(cssm_dl_db_handle, unsigned int, cssm_db_record_attribute_data const*, cssm_data const*, cssm_db_unique_record**) + 131
debug 16:58:40.773824+0800 com.**** 8 Security 0x00007ff82036f0c3 CSSM_DL_DataInsert + 172
debug 16:58:40.773838+0800 com.**** 9 Security 0x00007ff8202d43bb SSDatabaseImpl::ssInsert(unsigned int, cssm_db_record_attribute_data const*, cssm_data const*) + 233
debug 16:58:40.773936+0800 com.**** 10 Security 0x00007ff8202d159b SSCSPDLSession::makeReferenceKey(SSCSPSession&, unsigned int, Security::CssmKey&, SSDatabase&, unsigned int, Security::CssmData const*) + 2125
debug 16:58:40.773977+0800 com.**** 11 Security 0x00007ff8202cac97 SSCSPSession::UnwrapKey(unsigned long long, Security::Context const&, Security::CssmKey const*, Security::CssmKey const&, unsigned int, unsigned int, Security::CssmData const*, cssm_resource_control_context const*, Security::CssmKey&, Security::CssmData&, unsigned long long) + 477
debug 16:58:40.774008+0800 com.**** 12 Security 0x00007ff8202cb9c7 non-virtual thunk to SSCSPSession::UnwrapKey(unsigned long long, Security::Context const&, Security::CssmKey const*, Security::CssmKey const&, unsigned int, unsigned int, Security::CssmData const*, cssm_resource_control_context const*, Security::CssmKey&, Security::CssmData&, unsigned long long) + 41
debug 16:58:40.774027+0800 com.**** 13 Security 0x00007ff8202f099b cssm_UnwrapKey(long, unsigned long long, cssm_context const*, cssm_key const*, cssm_key const*, unsigned int, unsigned int, cssm_data const*, cssm_resource_control_context const*, cssm_key*, cssm_data*, unsigned long long) + 232
debug 16:58:40.774068+0800 com.**** 14 Security 0x00007ff820373f56 CSSM_UnwrapKey + 242
debug 16:58:40.774104+0800 com.**** 15 Security 0x00007ff8203ff1a9 P12Coder::safeContentsParse(cssm_data const&, SecNssCoder&) + 3469
debug 16:58:40.774128+0800 com.**** 16 Security 0x00007ff8203b1e0a impExpPkcs12Import + 1994
debug 16:58:40.774149+0800 com.**** 17 Security 0x00007ff8203ae9d6 SecKeychainItemImport + 3216
debug 16:58:40.774171+0800 com.**** 18 Security 0x00007ff8203aef00 SecPKCS12Import + 315
Do you have any workaround or other solutions?
I am using createTCPConnection(to: endpoint, enableTLS: true, tlsParameters: nil, delegate: self) to create the TCP connection and there is a delegate function public func provideIdentity(for connection: NWTCPConnection, completionHandler completion: @escaping (SecIdentity, [Any]) -> Void).
So I am supposed to send the SecIdentity back to the server in the completionHandler.
I have tried disabling the sandbox, and SecPKCS12Import works great in the system extension. But I cannot figure it out when the sandbox is enabled.
Do you have any suggestions?
Thanks in advance.