Activating System Extension fails with OSSystemExtensionErrorExtensionNotFound

I am trying to activate a Network System Extension (Packet Tunnel), but all I get is OSSystemExtensionErrorDomain Code=4 "Extension not found in App bundle". Tried passing in different extension identifiers (prefixed with team ID, no team ID, prefixed with app-group, etc) with no luck.


I can confirm that the sysex is in app bundle at /Applications/app_name.app/Contents/Library/SystemExtensions/sysex name.systemextension

App and sysex are signed with Developer ID certificate and Notarized.


What am I missing?


App entitlements:

<key>Entitlements</key>
<dict>
    <key>com.apple.developer.ubiquity-container-identifiers</key>
    <array>
        <string>...redacted...</string>
        <string>...redacted...</string>
    </array>
            
    <key>com.apple.developer.system-extension.install</key>
    <true/>
            
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider-systemextension</string>
        <string>app-proxy-provider-systemextension</string>
        <string>content-filter-provider-systemextension</string>
        <string>dns-proxy-systemextension</string>
    </array>
            
    <key>com.apple.application-identifier</key>
    <string>TEAM_ID.com.company.appabc</string>
            
    <key>keychain-access-groups</key>
    <array>
        <string>TEAM_ID.*</string>
    </array>
            
    <key>com.apple.developer.team-identifier</key>
    <string>TEAM_ID</string>
            
    <key>com.apple.developer.ubiquity-kvstore-identifier</key>
    <string>TEAM_ID.*</string>
            
    <key>com.apple.developer.icloud-services</key>
    <string>*</string>
            
    <key>com.apple.developer.icloud-container-environment</key>
    <string>Production</string>
            
    <key>com.apple.developer.aps-environment</key>
    <string>production</string>
            
    <key>com.apple.developer.icloud-container-identifiers</key>
    <array>
        <string>iCloud.com.company.appabc</string>
        <string>iCloud.com.company.appabc</string>
    </array>
    <key>com.apple.developer.networking.vpn.api</key>
    <array>
        <string>allow-vpn</string>
    </array>
</dict>


SysEx entitlements:

<key>Entitlements</key>
<dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider-systemextension</string>
        <string>app-proxy-provider-systemextension</string>
        <string>content-filter-provider-systemextension</string>
        <string>dns-proxy-systemextension</string>
    </array>
            
    <key>com.apple.application-identifier</key>
    <string>TEAM_ID.com.company.appabc.PacketTunnelName</string>
            
    <key>keychain-access-groups</key>
    <array>
        <string>TEAM_ID.*</string>
    </array>
            
    <key>com.apple.developer.team-identifier</key>
    <string>TEAM_ID</string>
</dict>


App Info.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>BuildMachineOSBuild</key>
  <string>19E287</string>
  <key>CFBundleDevelopmentRegion</key>
  <string>en</string>
  <key>CFBundleDisplayName</key>
  <string>AppAbc</string>
  <key>CFBundleExecutable</key>
  <string>AppAbc</string>
  <key>CFBundleIconFile</key>
  <string>macOS_AppIcon</string>
  <key>CFBundleIconName</key>
  <string>macOS_AppIcon</string>
  <key>CFBundleIdentifier</key>
  <string>com.company.appabc</string>
  <key>CFBundleInfoDictionaryVersion</key>
  <string>6.0</string>
  <key>CFBundleName</key>
  <string>AppAbc</string>
  <key>CFBundlePackageType</key>
  <string>APPL</string>
  <key>CFBundleShortVersionString</key>
  <string>1.2.3</string>
  <key>CFBundleSupportedPlatforms</key>
  <array>
    <string>MacOSX</string>
  </array>
  <key>CFBundleVersion</key>
  <string>123</string>
  <key>DTCompiler</key>
  <string>com.apple.compilers.llvm.clang.1_0</string>
  <key>DTPlatformBuild</key>
  <string>11E146</string>
  <key>DTPlatformVersion</key>
  <string>GM</string>
  <key>DTSDKBuild</key>
  <string>19E258</string>
  <key>DTSDKName</key>
  <string>macosx10.15</string>
  <key>DTXcode</key>
  <string>1140</string>
  <key>DTXcodeBuild</key>
  <string>11E146</string>
  <key>ITSAppUsesNonExemptEncryption</key>
  <false/>
  <key>LSApplicationCategoryType</key>
  <string>public.app-category.productivity</string>
  <key>LSBackgroundOnly</key>
  <false/>
  <key>LSMinimumSystemVersion</key>
  <string>10.12</string>
  <key>LSUIElement</key>
  <false/>
  <key>NSHumanReadableCopyright</key>
  <string>Copyright...</string>
  <key>NSPrincipalClass</key>
  <string>NSApplication</string>
  <key>UIDeviceFamily</key>
  <array>
    <integer>1</integer>
    <integer>2</integer>
  </array>
</dict>
</plist>


SysEx Info.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>BuildMachineOSBuild</key>
  <string>19E287</string>
  <key>CFBundleDevelopmentRegion</key>
  <string>en</string>
  <key>CFBundleDisplayName</key>
  <string>AppAbc. Tunnel</string>
  <key>CFBundleExecutable</key>
  <string>AppAbc. Tunnel sysex</string>
  <key>CFBundleIdentifier</key>
  <string>com.company.appabc.PacketTunnel-Tunnel</string>
  <key>CFBundleInfoDictionaryVersion</key>
  <string>6.0</string>
  <key>CFBundleName</key>
  <string>AppAbc. Tunnel sysex</string>
  <key>CFBundlePackageType</key>
  <string>SYSX</string>
  <key>CFBundleShortVersionString</key>
  <string>1.2.3</string>
  <key>CFBundleSupportedPlatforms</key>
  <array>
    <string>MacOSX</string>
  </array>
  <key>CFBundleVersion</key>
  <string>123</string>
  <key>DTCompiler</key>
  <string>com.apple.compilers.llvm.clang.1_0</string>
  <key>DTPlatformBuild</key>
  <string>11E146</string>
  <key>DTPlatformVersion</key>
  <string>GM</string>
  <key>DTSDKBuild</key>
  <string>19E258</string>
  <key>DTSDKName</key>
  <string>macosx10.15</string>
  <key>DTXcode</key>
  <string>1140</string>
  <key>DTXcodeBuild</key>
  <string>11E146</string>
  <key>LSMinimumSystemVersion</key>
  <string>10.12</string>
  <key>LSUIElement</key>
  <true/>
  <key>NSHumanReadableCopyright</key>
  <string>Copyright ...</string>
  <key>NSSystemExtensionUsageDescription</key>
  <string>System Extension enables AppAbc app to connect using Tunnel protocol.</string>
  <key>NetworkExtension</key>
  <dict>
    <key>NEMachServiceName</key>
    <string>TEAM_ID.app_group.PacketTunnel-Tunnel</string>
    <key>NEProviderClasses</key>
    <dict>
      <key>com.apple.networkextension.packet-tunnel</key>
      <string>AppAbc__Tunnel_sysex.AATunnelPacketTunnelProvider</string>
    </dict>
  </dict>
  <key>UIDeviceFamily</key>
  <array>
    <integer>1</integer>
    <integer>2</integer>
  </array>
</dict>
</plist>
Answered by adverse camber in 421984022

FWIW I have seen this problem when the SystemExtension executable name is not the same as the bundle identifier.


If that doesn't work, then if you filter the console output on 'sysextd' when you are activating then you may actually see what the problem is, as sysextd log messages are usually quite detailed if there is a problem.

Accepted Answer

FWIW I have seen this problem when the SystemExtension executable name is not the same as the bundle identifier.


If that doesn't work, then if you filter the console output on 'sysextd' when you are activating then you may actually see what the problem is, as sysextd log messages are usually quite detailed if there is a problem.

iCloud

Wow, that is some nice suggestion.

To be precise we actually need to set PRODUCT_NAME = "$(PRODUCT_BUNDLE_IDENTIFIER)" for sysex to be found at activation.


And I've totally missed the uninstall message from sysextd (says nothing usable upon activation though):

Bundle identifier and service path did not match (PacketTunnel-Tunnel != com.company.appabc.PacketTunnel-Tunnel)


One more thing to note that is different from non-sysex Network Extensions.

It appears that System Extensions can embed all of it's dependent libraries.

Contrary to non-sysex NetworkExtensions, sysex can have Frameworks/ folder inside!

But I actually went with adding /Applications/AppAbc.app/Contents/Frameworks to the sysex LD_RUNPATH_SEARCH_PATHS parameter.

But I actually went with adding

/Applications/AppAbc.app/Contents/Frameworks
to the sysex
LD_RUNPATH_SEARCH_PATHS
parameter.

That’s a mistake. The issue is that your sysex runs with privileges and the

/Applications
directory can be modified by an admin user without explicit authorisation. This allows for an unchecked admin-to-root privilege escalation. This isn’t a problem for the code in your framework (unless you disable library validation in your sysex, which would be a Very Bad Idea™) but it you still have to worry about the framework’s resources.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for the clarification. I will embed all of dependent libraries into sysex.


But now I'm facing a problem that neither app nor sysex gets app-group entitlement.

taskgated-helper  ConfigurationProfiles  Unsatisfied entitlements: com.apple.security.application-groups

I have app-groups configured in xcode for both targets, but provisioning profiles doesn't include them even though I have them selected on app ID's.


Probably because of that my sysex can't find keychain items saved by the app.


I'm also getting a bunch of Security errors and NetworkExtension for some reason reports "Signature check failed: invalid signature (code or signature have been modified)"

default 17:34:48.935971+0300 sysextd sysextd Extension point confirmed that extension com.company.appAbc.PacketTunnel-OpenVPN is runnable.
default 17:34:58.929349+0300 AppAbc Security Adding securityd connection to pool, total now 3
default 17:35:06.957159+0300 AppAbc NetworkExtension Saving configuration AppAbc with existing signature (null)
default 17:35:07.168468+0300 AppAbc NetworkExtension Successfully saved configuration AppAbc
default 17:35:07.192204+0300 AppAbc NetworkExtension Received a com.apple.neconfigurationchanged notification with token 38
default 17:35:07.308162+0300 AppAbc NetworkExtension Saving configuration AppAbc with existing signature {length = 20, bytes = 0xa032bdd71140be2af6788e2dc77930a115c17b25}
default 17:35:07.329977+0300 AppAbc NetworkExtension Received a com.apple.neconfigurationchanged notification with token 38
default 17:35:07.330511+0300 AppAbc NetworkExtension Successfully saved configuration AppAbc
default 17:35:07.336086+0300 AppAbc NetworkExtension Saving configuration AppAbc with existing signature {length = 20, bytes = 0x45e64b4ed5b0a1ad6061e3ba5cc05dddd003cd52}
default 17:35:07.382735+0300 AppAbc NetworkExtension Received a com.apple.neconfigurationchanged notification with token 38
default 17:35:07.383265+0300 AppAbc NetworkExtension Successfully saved configuration AppAbc
default 17:35:07.518667+0300 taskgated-helper ConfigurationProfiles allowing entitlement(s) for com.company.appAbc.PacketTunnel-OpenVPN due to provisioning profile (isUPP: 1)
error 17:35:07.526352+0300 taskgated-helper ConfigurationProfiles com.company.appAbc.PacketTunnel-OpenVPN: Unsatisfied entitlements: com.apple.security.application-groups
error 17:35:07.526380+0300 taskgated-helper ConfigurationProfiles Disallowing: com.company.appAbc.PacketTunnel-OpenVPN
default 17:35:08.781878+0300 secinitd secinitd com.company.appAbc.PacketTunnel-OpenVPN[95856]: root path for bundle "" of main executable ""
default 17:35:09.165083+0300 secinitd secinitd com.company.appAbc.PacketTunnel-OpenVPN[95856]: AppSandbox request successful
default 17:35:09.240267+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.251136+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.253611+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.255763+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.259015+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.263010+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.267611+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.270637+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.273530+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.277920+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.283042+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.291778+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.296948+0300 com.company.appAbc.PacketTunnel-OpenVPN Security Adding securityd connection to pool, total now 1
default 17:35:09.296956+0300 com.company.appAbc.PacketTunnel-OpenVPN Security got event: Connection invalid
default 17:35:09.297116+0300 com.company.appAbc.PacketTunnel-OpenVPN Security Failed to talk to secd after 4 attempts.
default 17:35:09.297573+0300 com.company.appAbc.PacketTunnel-OpenVPN Security using system preferences
default 17:35:09.299722+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.303518+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.305860+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.308235+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.310523+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.314336+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.318363+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.320930+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.323378+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.325901+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.328656+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.332580+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.346565+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.352010+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.354244+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.356355+0300 com.company.appAbc.PacketTunnel-OpenVPN Security Failed to talk to secd after 4 attempts.
default 17:35:09.356903+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.360582+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.364850+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.368221+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CMSDecoderCopySignerStatus failed with kCMSSignerInvalidSignature error (3)
default 17:35:09.368253+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -67061
default 17:35:09.369765+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension Signature check failed: invalid signature (code or signature have been modified)
default 17:35:09.533751+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: Calling startTunnelWithOptions with options 0x7fb447a0c640
default 17:35:09.636368+0300 kernel Sandbox Sandbox: 7 duplicate reports for com.company.appA deny(1) file-write-data /private/var/db/mds/system/mds.lock
default 17:35:13.275423+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: provider set tunnel configuration to (null)
default 17:35:13.298472+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: provider set tunnel configuration to
  { ... }
default 17:35:13.760461+0300 com.company.appAbc.PacketTunnel-OpenVPN CoreFoundation Attempting to add source to main runloop, but the main thread has exited. This message will only log once. Break on _CFRunLoopError_MainThreadHasExited to debug.
default 17:35:14.230487+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:14.236639+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:14.244544+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:14.249541+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:14.300451+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: provider set tunnel configuration to (null)
error 17:35:14.315789+0300 com.company.appAbc.PacketTunnel-OpenVPN CocoaLumberjack [Error] [openvpn-adapter.connection] [AAOpenVPNPacketTunnelProvider.swift:304] openVPNAdapter(_:handleError:) > [OVPN] Did recieve fatal error:
  Error Domain=me.ss-abramchuk.openvpn-adapter.error-domain Code=70 "Failed to establish connection with OpenVPN server" UserInfo={NSLocalizedDescription=Failed to establish connection with OpenVPN server, me.ss-abramchuk.openvpn-adapter.error-key.message=ClientState::attach() can only be called once per ClientState instantiation, me.ss-abramchuk.openvpn-adapter.error-key.fatal=true, NSLocalizedFailureReason=Unknown error.}
error 17:35:14.326776+0300 com.company.appAbc.PacketTunnel-OpenVPN CocoaLumberjack [Error] [openvpn-adapter.connection] [AAPacketTunnelProvider.swift:68] cancelTunnelWithError(_:) > Canceling tunnel due to the error:
  Error Domain=me.ss-abramchuk.openvpn-adapter.error-domain Code=70 "Failed to establish connection with OpenVPN server" UserInfo={NSLocalizedDescription=Failed to establish connection with OpenVPN server, me.ss-abramchuk.openvpn-adapter.error-key.message=ClientState::attach() can only be called once per ClientState instantiation, me.ss-abramchuk.openvpn-adapter.error-key.fatal=true, NSLocalizedFailureReason=Unknown error.}
default 17:35:14.351120+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: IPC detached
default 17:35:14.357134+0300 AppAbc NetworkExtension Last disconnect error for AppAbc changed from "none" to "Failed to establish connection with OpenVPN server"

But now I'm facing a problem that neither app nor sysex gets app-group entitlement.

Right. If you start a new thread for that — here in the Core OS > System Extensions topic area — I can explain what’s going on.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Sorry, my bad. I've created a new thread System Extension app-group entitlement issue

Activating System Extension fails with OSSystemExtensionErrorExtensionNotFound
 
 
Q