Developer ID singed NetworkExtension App.

Question

xuming97 OP

Created May ’20

Replies 8

Boosts 0

Views 2.4k

Participants 2

Hi,

I use a NetworkExtension(packet-tunnel) and its container app to implement VPN on macOS. It's works well in my develop computer. But when I use Developer ID certification to ship this container app, the container app can be opened normally but the extension runs failed. There are some errors in system console logs.

neagent Rejecting app extension provider com.westone.secPortalmac.tunnel because it is signed with a Developer ID certificate

nesessionmanager NEVPNTunnelPlugin(com.westone.secPortalmac[67446]): Validation of the extension failed

I have followed eskimo's instruction in https://forums.developer.apple.com/thread/125508 to set system extension, but I have received the same errors.

Anyone can help me or give me some information?

Thanks.

Boost

Answer 1

DTS Engineer OP

Apple

May ’20

Have you notarised your product? If you want to run an a Developer ID signed sysex on a machine with SIP enabled — that is, most customer machines — it has to be notarised.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 2

xuming97 OP

May ’20

Yes, I have uploaded my app to notarise server through Xcode. The state of Developer ID arhive information is ready to distribute. Actually, my container app can be opened on a machine with SIP enabled. The problem is when the contianer app tried to turn on a VPN connection with Network Extension, it failed. The error logs in system console is:

neagent Rejecting app extension provider com.westone.secPortalmac.tunnel because it is signed with a Developer ID certificate
nesessionmanager NEVPNTunnelPlugin(com.westone.secPortalmac[67446]): Validation of the extension failed

0

Answer 3

DTS Engineer OP

Apple

May ’20

If you're packaged as a sysex and using the

-systemextension

variant of the entitlements and notarised and testing on 10.15.x, I’m not sure why this is failing in this way. If you can’t work it out then my advice is that you open a DTS tech support incident and I, or my colleague Matt, can dig into this some more.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 4

xuming97 OP

Jul ’20

I made the following configuration based on the information in the forum?

Container app id includes Network Extensions, Personal VPN, System Extension
Extension Tunnel id id includes Network Extensions, Personal VPN
The container app entitlements are as follows

Code Block <dict>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>packet-tunnel-provider-systemextension</string>
	</array>
	<key>com.apple.developer.networking.vpn.api</key>
	<array>
		<string>allow-vpn</string>
	</array>
	<key>com.apple.developer.system-extension.install</key>
	<true/>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string></string>
	</array>
	<key>com.apple.security.device.usb</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>com.apple.security.network.server</key>
	<true/>
	<key>keychain-access-groups</key>
	<array>
		<string>$(AppIdentifierPrefix)</string>
	</array>
</dict>
</plist>

4. Extension Tunnel id entitlements are as follows

Code Block <dict>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>packet-tunnel-provider-systemextension</string>
	</array>
	<key>com.apple.developer.networking.vpn.api</key>
	<array>
		<string>allow-vpn</string>
	</array>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string></string>
	</array>
	<key>com.apple.security.device.usb</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>com.apple.security.network.server</key>
	<true/>
	<key>keychain-access-groups</key>
	<array>
		<string>$(AppIdentifierPrefix)</string>
	</array>
</dict>

5、 I use Developer ID signd app and uploaded my app to notarise server through Xcode

6. The APP still does not work properly

console.app show:

Code Block nw_path_evaluator_start [0D5BB27E-A47B-485A-9846-E410803D5E3D Hostname#d91ef292:0 generic, indefinite]
	path: satisfied (Path is satisfied), interface: en0, ipv4, dns
nw_path_evaluator_start [21C51CA5-8228-4177-A53E-2DC68D3C0C54 IPv4#1694037f:0 generic, indefinite]
	path: satisfied (Path is satisfied), interface: en0, ipv4, dns
Last disconnect error for WSTVpn changed from "none" to "因为发生了内部错误，VPN会话失败。"
Current bundle (/Applications/SecPortalMac.app) does not have a SystemExtensions directory
Saving configuration WSTVpn with existing signature {length = 20, bytes = 0x9c9fa6cc5340118337e2221ca19dbd46dc2202f9}

Are there any errors or omissions in the above steps？

0

Answer 5

DTS Engineer OP

Apple

Jul ’20

Code Block  Current bundle (/Applications/SecPortalMac.app) does not have a SystemExtensions directory

That suggests that you have a packaging problem. Check that your sysex is embedded with your container app at the right path, namely, YourContainer.app/Contents/Library/SystemExtensions/com.example.your.bundle-id.systemextension.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 6

xuming97 OP

Jul ’20

This path YourContainer.app/Contents/Library/SystemExtensions/com.example.your.bundle-id.systemextension does not exist 。

I made the following configuration based on the information in the forum?

But I want to ask if the integration steps above are correct? Is there something wrong?

0

Answer 7

xuming97 OP

Jul ’20

Thank you for answering my question。

I know what I didn't have Library/SystemExtensions path before. Because I did not initiate OSSystemExtensionRequest.activationRequest。

But I called this method, and there is still no path in the log.

Code Block Current bundle (/Users/30san/Desktop/mac/SecPortalMac.app) does not have a SystemExtensions directory

0

Answer 8

xuming97 OP

Jul ’20

Hi,

On mac OS, I have changed the app network extension to system netwok extension.

I opened the systemextensionsctl developer on debugging app.

When the app starts, it will prompt to allow the installation of system extensions.

But I feel that PacketTunnelProvider is not started.

In addition, is it necessary to configure NEMachServiceName in the system network extension info.plist?

This is log information：

Code Block  	14:41:56.950679+0800	SecPortalMac	[com.westone.secPortalmac] Requesting authorization with options 6 	14:41:56.954647+0800	SecPortalMac	open on /Users/30san/Library/Group Containers/group.westone.secPortalmac/conf.xml: File exists
 	14:41:56.955423+0800	SecPortalMac	open on /Users/30san/Library/Group Containers/group.westone.secPortalmac/engines.conf: File exists
 	14:41:56.971870+0800	SecPortalMac	nw_path_evaluator_start [560AD6E0-20DB-40EF-89E8-A686213E126E 192.168.199.55:0 generic, indefinite]
	path: satisfied (Path is satisfied), interface: en0, ipv4, dns
 	14:41:57.016957+0800	SecPortalMac	[com.westone.secPortalmac] Requested authorization [ didGrant: 1 hasError: 0 hasCompletionHandler: 1 ]
 	14:41:57.021634+0800	SecPortalMac	NSApp cache appearance:
-NSRequiresAquaSystemAppearance: 0
-appearance: (null)
-effectiveAppearance: <NSCompositeAppearance: 0x600002c0dc80
 (
		"<NSDarkAquaAppearance: 0x600002c0cb00>",
		"<NSSystemAppearance: 0x600002c0d580>"
)>
 	14:41:57.372159+0800	SecPortalMac	[com.westone.secPortalmac] Requesting authorization with options 6
 	14:41:57.372459+0800	SecPortalMac	[com.westone.secPortalmac] Requested authorization [ didGrant: 1 hasError: 0 hasCompletionHandler: 1 ]
 	14:41:57.377226+0800	SecPortalMac	Adding presenter 8F6CCFFE-7CE7-422A-996F-885319BB5C71 for URL: file:///Users/30san/Library/Developer/Xcode/DerivedData/OneNet-gfnflgusjdvyppaxijlkdrwgewtq/Build/Products/Debug/SecPortalMac.app/
 	14:42:06.802985+0800	SecPortalMac	LSExceptions shared instance invalidated for timeout.
 	14:42:07.896997+0800	SecPortalMac	Received configuration update from daemon (initial)
 	14:42:08.622606+0800	SecPortalMac	AggregateDictionary is not supported on this platform
 	14:42:09.930705+0800	SecPortalMac	 Saving configuration WSTVpn with existing signature {length = 20, bytes = 0x8140392a039a53b376befd72d619a6bfa0c1d7dc}
 	14:42:09.930855+0800	SecPortalMac	 Configuration WSTVpn is unchanged
 	14:42:09.930944+0800	SecPortalMac	The configuration was not saved because it was unchanged from the previously saved version

0