I did everything as described by eskimo one more time, from scratch.
I've been trying with the previously existing app and sysex IDs we had, just regenerating the provisioning profiles after modifying the app entitlements, and it didn't work. Now I tried using freshly generated ones and I'm still seeing the same issue.
"neagent Rejecting app extension provider REDACTED.macos2.worker because it is signed with a Developer ID certificate"
So what I have now is this:
1. App
The code signature contains entitlements.
Sandbox entitlements:
User-selected files, read access: YES.
Allow outgoing network connections: YES.
Team identifier: “[TEAM]”.
Application groups: “group.[ID]”.
Application identifier: “[TEAM].[ID].macos2”.
Other entitlements:
keychain-access-groups: “[TEAM].keychain.[ID]”.
com.apple.developer.system-extension.install: YES.
com.apple.developer.networking.networkextension: “packet-tunnel-provider-systemextension”.
2. Sysex
The code signature contains entitlements.
Sandbox entitlements:
Allow outgoing network connections: YES.
Team identifier: “[TEAM]”.
Allow incoming network connections: YES.
Application groups: “group.[ID]”.
Application identifier: “[TEAM].[ID].macos2.worker”.
Other entitlements:
keychain-access-groups: “[TEAM].keychain.[ID]”.
com.apple.developer.networking.networkextension: “packet-tunnel-provider-systemextension”.
Are these entitlements OK?
I also verified that the profile has all com.apple.developer.networking.networkextension entitlements listed for both App and Sysex:
Profile:
<key>Entitlements</key>
<dict>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
</array>
Code signature claimed entitlements:
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
</array>
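As an added example (not the poster's code, and not an Apple tool), the following Python script does the cross-check the post performs by eye: it parses the entitlements plist of the app, of the system extension and of the provisioning profile, and reports where they disagree. The team ID, bundle IDs, group names and the three plists are constructed placeholders standing in for the redacted values above; the checks it applies are that every claimed NE value is granted by the profile, that both bundles use the `-systemextension` variant of the NE value, that the team identifier and application-identifier prefix match, that the sysex identifier is nested under the app's, and that the two bundles share an app group and a keychain access group.

```python
"""Cross-check the networkextension entitlements of a macOS app, its
system extension and their provisioning profile (added example)."""
import plistlib

NE_KEY = "com.apple.developer.networking.networkextension"
APP_ID_KEY = "application-identifier"
TEAM_KEY = "com.apple.developer.team-identifier"
GROUPS_KEY = "com.apple.security.application-groups"
KEYCHAIN_KEY = "keychain-access-groups"

# Constructed placeholders; the post's real identifiers are redacted.
TEAM = "ABCDE12345"
APP_ID = "com.example.vpn.macos2"
SYSEX_ID = APP_ID + ".worker"

PLIST_HEAD = '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>'
PLIST_TAIL = "</dict></plist>"


def _plist(body):
    return PLIST_HEAD + body + PLIST_TAIL


# Constructed sample of the profile's Entitlements dict: all four
# -systemextension NE types granted, as in the post.
PROFILE_XML = _plist(f"""
<key>{NE_KEY}</key><array>
  <string>packet-tunnel-provider-systemextension</string>
  <string>app-proxy-provider-systemextension</string>
  <string>content-filter-provider-systemextension</string>
  <string>dns-proxy-systemextension</string>
</array>
<key>{TEAM_KEY}</key><string>{TEAM}</string>""")


def _signed_ents(bundle_id, ne_value):
    """Constructed sample of the entitlements a signed bundle claims."""
    return _plist(f"""
<key>{APP_ID_KEY}</key><string>{TEAM}.{bundle_id}</string>
<key>{TEAM_KEY}</key><string>{TEAM}</string>
<key>{GROUPS_KEY}</key><array><string>group.com.example.vpn</string></array>
<key>{KEYCHAIN_KEY}</key><array><string>{TEAM}.keychain.com.example.vpn</string></array>
<key>{NE_KEY}</key><array><string>{ne_value}</string></array>""")


APP_XML = _signed_ents(APP_ID, "packet-tunnel-provider-systemextension")
SYSEX_XML = _signed_ents(SYSEX_ID, "packet-tunnel-provider-systemextension")
# A deliberately wrong sysex: claims the app-extension variant, which the
# profile does not grant and which a system extension must not use.
BAD_SYSEX_XML = _signed_ents(SYSEX_ID, "packet-tunnel-provider")


def load_entitlements(xml_text):
    """Parse an XML entitlements plist into a dict."""
    return plistlib.loads(xml_text.encode())


def ne_values(ents):
    """The NE entitlement may be a single string or an array; normalise."""
    value = ents.get(NE_KEY, [])
    return [value] if isinstance(value, str) else list(value)


def check_ne_setup(profile_xml, app_xml, sysex_xml, team):
    """Return a list of findings; an empty list means everything lines up."""
    profile, app, sysex = (load_entitlements(x) for x in (profile_xml, app_xml, sysex_xml))
    granted = set(ne_values(profile))
    findings = []
    for label, ents in (("app", app), ("sysex", sysex)):
        if ents.get(TEAM_KEY) != team:
            findings.append(f"{label}: team identifier {ents.get(TEAM_KEY)!r} != {team!r}")
        if not ents.get(APP_ID_KEY, "").startswith(team + "."):
            findings.append(f"{label}: application-identifier not prefixed with {team!r}")
        claimed = ne_values(ents)
        if not claimed:
            findings.append(f"{label}: no {NE_KEY} entitlement")
        for value in claimed:
            if value not in granted:
                findings.append(f"{label}: {value!r} not granted by profile")
            if not value.endswith("-systemextension"):
                findings.append(f"{label}: {value!r} is the app-extension form; "
                                "a system extension needs the -systemextension form")
    # A system extension's identifier must be nested under its container app's.
    if not sysex.get(APP_ID_KEY, "").startswith(app.get(APP_ID_KEY, "") + "."):
        findings.append("sysex application-identifier is not nested under the app's")
    # Both sides need a shared container to exchange configuration/credentials.
    for key in (GROUPS_KEY, KEYCHAIN_KEY):
        if not set(app.get(key, [])) & set(sysex.get(key, [])):
            findings.append(f"app and sysex share no {key}")
    return findings


if __name__ == "__main__":
    print("good:", check_ne_setup(PROFILE_XML, APP_XML, SYSEX_XML, TEAM))
    print("bad: ", check_ne_setup(PROFILE_XML, APP_XML, BAD_SYSEX_XML, TEAM))
```

To run it against real bundles I would feed it the output of `codesign -d --entitlements :- /path/to/App.app` (and the same for the `.systemextension` bundle inside `Contents/Library/SystemExtensions`) and the `Entitlements` dict from `security cms -D -i embedded.provisionprofile`. Note that this only compares entitlements; neagent's complaint above is about the signing certificate, which shows up in the `Authority=` lines of `codesign -dvv` rather than in any plist.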