Network system extension : invalid signature or entitlements

This forum has been very helpful so far. Let's do this again.


Okay, I have a Network system extension that successfully builds and runs on my offline dev machine with SIP disabled and a test provisioning profile for whitelisted devices. NOTE: this is a network system extension with a companion app (not the endpoint security extension that I've posted about previously).


So the next step is to get a distribution provisioning profile for the system extension so I can deploy to my beta testers, who have SIP enabled. I generate these "Distribution Developer ID" provisioning profiles (provisioned for any device) for both the companion app and its embedded system extension. I transfer these over to my development machine, apply the provisioning profiles, build the app and test it, and find that it works on this dev machine.


I then transfer the built components over to a machine with SIP enabled and run the app. I get the error "Code Signature Invalid"!


I've read through https://developer.apple.com/library/archive/technotes/tn2318/_index.html


However, when I check the signature of the app and the embedded extension with `codesign -d --entitlements - [PATH]` (for both the app and the extension), everything looks fine. Furthermore, checking the provisioning profile of both with `security cms -D -i [PROFILE_PATH]`, everything seems fine.


What is going on? Why is this so ridiculously opaque and complicated?

Answered by DTS Engineer in 409046022

I guess the first question is do you notarize your app prior to running it?

Right. I completely forgot about that requirement )-: If you’re using Developer ID signing with SIP, you must notarise.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

The latest details are below:

```
codesign -d -vvv --entitlements :- /path/to/APP
Executable=[PATH_TO_EXE]
Identifier=[PREFIX].[APP_NAME]
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=3213 flags=0x0(none) hashes=92+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=98c28a99a6530599c6f781b5e1f2cce7bd3f8d21
CandidateCDHashFull sha256=98c28a99a6530599c6f781b5e1f2cce7bd3f8d21a680686653f40781d46fbb10
Hash choices=sha256
CMSDigest=98c28a99a6530599c6f781b5e1f2cce7bd3f8d21a680686653f40781d46fbb10
CMSDigestType=2
CDHash=98c28a99a6530599c6f781b5e1f2cce7bd3f8d21
Signature size=4663
Authority=Developer ID Application: [COMPANY_ID]
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=[TIME]
Info.plist entries=26
TeamIdentifier=[TEAM_ID]
Sealed Resources version=2 rules=13 files=10
Internal requirements count=1 size=240
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>[TEAM_ID].[PREFIX].[APP_NAME]</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider-systemextension</string>
        <string>packet-tunnel-provider-systemextension</string>
        <string>app-proxy-provider-systemextension</string>
        <string>dns-proxy-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>[TEAM_ID]</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>[TEAM_ID].[PREFIX]</string>
    </array>
    <key>com.apple.security.files.user-selected.read-only</key>
    <true/>
</dict>
</plist>
```


```
security cms -D -i path/to/app
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key>
    <string>Applet required to launch network extensions</string>
    <key>ApplicationIdentifierPrefix</key>
    <array>
        <string>[TEAM_ID]</string>
    </array>
    <key>CreationDate</key>
    <date>[DATE]</date>
    <key>Platform</key>
    <array>
        <string>OSX</string>
    </array>
    <key>IsXcodeManaged</key>
    <false/>
    <key>DeveloperCertificates</key>
    <array>
        <data>[DATA]</data>
    </array>
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>packet-tunnel-provider-systemextension</string>
            <string>app-proxy-provider-systemextension</string>
            <string>content-filter-provider-systemextension</string>
            <string>dns-proxy-systemextension</string>
        </array>
        <key>com.apple.application-identifier</key>
        <string>[TEAM_ID].[PREFIX].[APP_NAME]</string>
        <key>keychain-access-groups</key>
        <array>
            <string>[TEAM_ID].*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>[TEAM_ID]</string>
    </dict>
    <key>ExpirationDate</key>
    <date>[DATE]</date>
    <key>Name</key>
    <string>[APP_NAME] Distribution DevID</string>
    <key>ProvisionsAllDevices</key>
    <true/>
    <key>TeamIdentifier</key>
    <array>
        <string>[TEAM_ID]</string>
    </array>
    <key>TeamName</key>
    <string>[COMPANY_NAME]</string>
    <key>TimeToLive</key>
    <integer>6570</integer>
    <key>UUID</key>
    <string>[UUID]</string>
    <key>Version</key>
    <integer>1</integer>
</dict>
</plist>
```



```
codesign -d -vvv --entitlements :- /path/to/APP/path/to/embedded_EXTENSION
Identifier=.[PREFIX].[EXT_NAME]
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=3747 flags=0x0(none) hashes=109+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=f37637fcbeebf8b56802309170d79a80d41b94a3
CandidateCDHashFull sha256=f37637fcbeebf8b56802309170d79a80d41b94a38d2c8cce69dfce9a57ef790d
Hash choices=sha256
CMSDigest=f37637fcbeebf8b56802309170d79a80d41b94a38d2c8cce69dfce9a57ef790d
CMSDigestType=2
CDHash=f37637fcbeebf8b56802309170d79a80d41b94a3
Signature size=4663
Authority=Developer ID Application: [COMPANY_ID]
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=Mar 3, 2020 at 10:18:28 AM
Info.plist entries=22
TeamIdentifier=[TEAM_ID]
Sealed Resources version=2 rules=13 files=2
Internal requirements count=1 size=228
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>[TEAM_ID].[PREFIX].[EXT_NAME]</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider-systemextension</string>
        <string>packet-tunnel-provider-systemextension</string>
        <string>app-proxy-provider-systemextension</string>
        <string>dns-proxy-systemextension</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>[TEAM_ID]</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>[TEAM_ID].[PREFIX]</string>
    </array>
</dict>
</plist>
```



```
security cms -D -i path/to/app/path/embedded/ext
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key>
    <string>[description]</string>
    <key>ApplicationIdentifierPrefix</key>
    <array>
        <string>[TEAM_ID]</string>
    </array>
    <key>CreationDate</key>
    <date>[DATE]</date>
    <key>Platform</key>
    <array>
        <string>OSX</string>
    </array>
    <key>IsXcodeManaged</key>
    <false/>
    <key>DeveloperCertificates</key>
    <array>
        <data>[DATA]</data>
    </array>
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>packet-tunnel-provider-systemextension</string>
            <string>app-proxy-provider-systemextension</string>
            <string>content-filter-provider-systemextension</string>
            <string>dns-proxy-systemextension</string>
        </array>
        <key>com.apple.application-identifier</key>
        <string>[TEAM_ID].[PREFIX].[EXT_NAME]</string>
        <key>keychain-access-groups</key>
        <array>
            <string>[TEAM_ID].*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>[TEAM_ID]</string>
    </dict>
    <key>ExpirationDate</key>
    <date>[DATE]</date>
    <key>Name</key>
    <string>[NAME]</string>
    <key>ProvisionsAllDevices</key>
    <true/>
    <key>TeamIdentifier</key>
    <array>
        <string>[TEAM_ID]</string>
    </array>
    <key>TeamName</key>
    <string>[COMPANY_NAME]</string>
    <key>TimeToLive</key>
    <integer>6570</integer>
    <key>UUID</key>
    <string>[UUID]</string>
    <key>Version</key>
    <integer>1</integer>
</dict>
</plist>
```
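The two dumps above are the inputs an engineer compares by hand: the entitlements sealed into the code signature, and the Entitlements dict the embedded profile actually grants. As an added example (not code from this thread or from Apple), the script below automates that comparison offline and, when run on macOS, also exercises the third gate the thread ends up at, notarization. The team and bundle identifiers, the sample entitlements and the byte padding standing in for the CMS wrapper are all constructed; the `<?xml ... </plist>` search is a stand-in for `security cms -D` and does not verify the profile's CMS signature. Skipping `com.apple.security.*` keys is an assumption drawn from the dumps above, where `application-groups` appears in the code signature but not in the profile and the bundle still ran once notarized. `main()` assumes the bundle keeps its profile at `Contents/embedded.provisionprofile`, as both an `.app` and a `.systemextension` do.

```python
import fnmatch
import plistlib
import re
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path


def profile_plist(profile_bytes: bytes) -> dict:
    """Read the plist inside a .provisionprofile without `security cms -D`.

    The CMS wrapper carries the XML plist verbatim, so the <?xml ... </plist>
    span can be parsed offline. The CMS signature itself is NOT verified here.
    """
    m = re.search(rb"<\?xml.*?</plist>", profile_bytes, re.DOTALL)
    if not m:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(m.group(0))


def _covered(value, pattern) -> bool:
    """One signed value is covered by one profile value (profiles may grant globs)."""
    if isinstance(value, str) and isinstance(pattern, str):
        return fnmatch.fnmatchcase(value, pattern)
    return value == pattern


def profile_problems(profile: dict) -> list:
    """Findings about the profile itself: device scope and expiry."""
    problems = []
    if not profile.get("ProvisionsAllDevices", False):
        problems.append("profile is device-limited (no ProvisionsAllDevices); "
                        "machines outside its device list reject the signature")
    expires = profile.get("ExpirationDate")  # plistlib gives a naive UTC datetime
    if expires and expires < datetime.now(timezone.utc).replace(tzinfo=None):
        problems.append(f"profile expired on {expires:%Y-%m-%d}")
    return problems


def entitlement_problems(code_ents: dict, profile: dict) -> list:
    """Each restricted entitlement in the signature must be granted by the profile.

    com.apple.security.* keys (App Sandbox / Hardened Runtime) are not granted by
    profiles and are skipped (assumption, see lead-in); every other key must appear
    in the profile with a value or glob covering what the code asks for.
    """
    allowed, problems = profile.get("Entitlements", {}), []
    for key, value in code_ents.items():
        if key.startswith("com.apple.security."):
            continue
        if key not in allowed:
            problems.append(f"{key}: in code signature but not granted by profile")
            continue
        patterns = allowed[key] if isinstance(allowed[key], list) else [allowed[key]]
        values = value if isinstance(value, list) else [value]
        missing = [v for v in values if not any(_covered(v, p) for p in patterns)]
        if missing:
            problems.append(f"{key}: {missing} not granted by profile")
    return problems


# Constructed sample data: fake team/bundle IDs, and junk bytes standing in for
# the CMS wrapper so profile_plist() has something to search through.
SAMPLE_PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Entitlements</key><dict>
<key>com.apple.developer.system-extension.install</key><true/>
<key>com.apple.developer.networking.networkextension</key>
<array><string>packet-tunnel-provider-systemextension</string>
<string>content-filter-provider-systemextension</string></array>
<key>com.apple.application-identifier</key><string>TEAMID1234.com.example.filter</string>
<key>keychain-access-groups</key><array><string>TEAMID1234.*</string></array>
<key>com.apple.developer.team-identifier</key><string>TEAMID1234</string></dict>
<key>ExpirationDate</key><date>2099-01-01T00:00:00Z</date>
<key>ProvisionsAllDevices</key><true/></dict></plist>"""
SAMPLE_PROFILE = b"\x30\x82\x0c\x00" + b"\x00" * 12 + SAMPLE_PROFILE_XML + b"\x00" * 8

GOOD_CODE_ENTS = {  # what `codesign -d --entitlements :-` would print, as a dict
    "com.apple.application-identifier": "TEAMID1234.com.example.filter",
    "com.apple.developer.networking.networkextension": [
        "content-filter-provider-systemextension", "packet-tunnel-provider-systemextension"],
    "com.apple.developer.system-extension.install": True,
    "com.apple.developer.team-identifier": "TEAMID1234",
    "com.apple.security.application-groups": ["TEAMID1234.com.example"],
    "keychain-access-groups": ["TEAMID1234.com.example.filter"],
}


def main(bundle: str) -> int:
    """macOS only: check a built .app or .systemextension bundle in place."""
    path = Path(bundle)
    xml = subprocess.run(["codesign", "-d", "--entitlements", ":-", str(path)],
                         capture_output=True, check=True).stdout  # `:-` strips the blob header
    profile = profile_plist((path / "Contents" / "embedded.provisionprofile").read_bytes())
    findings = profile_problems(profile) + entitlement_problems(plistlib.loads(xml), profile)
    # Notarization is a separate gate: Gatekeeper assessment plus the stapled ticket.
    for cmd in (["spctl", "--assess", "--type", "execute", "-vv", str(path)],
                ["xcrun", "stapler", "validate", str(path)]):
        r = subprocess.run(cmd, capture_output=True, text=True)
        if r.returncode != 0:
            findings.append(f"{cmd[0]}: {(r.stderr or r.stdout).strip()}")
    print("\n".join("PROBLEM: " + f for f in findings) or "all checks passed")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

Run it once against the `.app` and once against the embedded `.systemextension`, since each has its own signature and its own profile. A non-empty report from `entitlement_problems` or `profile_problems` points at the signing/entitlement side; a clean report with a failing `spctl` or `stapler` line points at notarization, which is the split the poster later asks the system logs to make.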


Hi everyone,


The app & system extension are now working on a SIP-enabled device. Correct entitlements AND notarization were required.


May I suggest detailing somewhere in the logs whether the issue is with the signature, the entitlements, or notarization? And specifically which entitlement.


During the notarization process you get clear instructions on what's missing if it fails. But whilst trying to run the app you just get a generic error about something to do with the many signing requirements.


Thank you very much for all your help on this one.


BR

Hello, I want to ask a question here. As you said:

Okay, I have a Network system extension that successfully builds and runs on my offline dev machine with SIP disabled and a test provisioning profile for whitelisted devices. NOTE: this is a network system extension with a companion app (not the endpoint security extension that I've posted about previously).


What steps do I need to take, as you successfully did, to build and run an extension on a dev machine? Do I need to request an entitlement? A provisioning profile? What are the specific steps?


Thanks in advance.
