Hello,
We actually managed to get all of the code signing and entitlements with our Developer ID all aligned properly such that our NE system extension is installed, activated, and our packet tunnel provider is started and code is executed in the extension. So far so good!
However, the outstanding problem that is tripping us up at the finish line is that we just can’t seem to get the NE provider to read from a shared keychain. The main app is able to write a password type key to the keychain no problem (we can see it in the macOS Keychain app), but our extension reports a -25291 or -25300 depending upon what we are trying when trying to read in the value. The exact same keychain read/write implementation works fine in dev builds without using System Extensions, so I’m pretty sure there must be some specific configuration I am missing when it comes to keychain sharing with System Extensions.
We've tried with App Sandbox on and off, and there is no difference.
According to this doc a shared Keychain Access Group Entitlement configured in the main app and NE System Extension should be all that is required. This is what we are doing and I believe is why everything is working fine in builds without the system extension.
We’ve tried all of the combinations of things I can think of, specifically mixing and matching various app group and keychain group identifiers, unfortunately all with the same result.
I believe we are possibly in bug territory, but given how precise Keychain configuration needs to be, I wanted to check with the community to see if anyone had run into this same issue and found a solution before I file a bug.
Thanks!
The problem here is that your app and your sysex run as two different users (the currently logged in user and root, respectively). Keychain access groups allow you to share items between two programs running as the same user, not across users.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"