We are trying to develop a packet tunnel system extension. When we try to start our main application from within Xcode, it crashes immediately with
EXC_CRASH (Code Signature Invalid)
Looking at the Console, it says
Unsatisfied entitlements: com.apple.developer.networking.networkextension
Running
codesign -d --entitlements - ${PATH_TO_OUR_APP}
says
<dict>
    <key>com.apple.application-identifier</key>
    <string>${OUR_TEAM_ID}.${OUR_APP_ID}</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>${OUR_TEAM_ID}</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>${OUR_TEAM_ID}.${OUR_APP_ID}</string>
    </array>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
Which looks reasonable to us. And running
security cms -D -i ${PATH_TO_OUR_APP}/Contents/embedded.provisionprofile
says
<key>Entitlements</key>
<dict>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.application-identifier</key>
    <string>${OUR_TEAM_ID}.${OUR_APP_ID}</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-proxy-provider</string>
        <string>content-filter-provider</string>
        <string>packet-tunnel-provider</string>
        <string>dns-proxy</string>
    </array>
    <key>keychain-access-groups</key>
    <array>
        <string>${OUR_TEAM_ID}.*</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>${OUR_TEAM_ID}</string>
    <key>com.apple.developer.aps-environment</key>
    <string>development</string>
    <key>com.apple.developer.networking.vpn.api</key>
    <array>
        <string>allow-vpn</string>
    </array>
</dict>
As for the system, it is running 10.15.5 (19F101) and
# csrutil status
System Integrity Protection status: disabled.
# systemextensionsctl developer
Developer mode is on
Any ideas what could be wrong?
One thing I noticed is that Xcode offers no way to set the -systemextension values for com.apple.developer.networking.networkextension; we had to manually edit the entitlements file, and now in Xcode the section "Network Extensions" has no checkbox set anymore. Also, when looking at the entitlements plist, the value says "packet-tunnel-provider-systemextension" whereas the non-systemextension values are displayed as nice strings, but we think that is because Xcode doesn't have any real support for these values yet; although system extensions were introduced almost a year ago, so maybe there is something wrong with our project setup?
Another thing we noticed is that the embedded provisioning profile doesn't seem to list the -systemextension variants, yet we don't know how to change that. On the developer web site we edited our profile to include "System Extensions" and "Network Extensions", and the ℹ box says "Developer ID" distribution.
If we remove com.apple.developer.networking.networkextension from the entitlements file, the app starts okay and it can even install our system extension without any problem but when we try to create a connection based on the system extension, this fails as we may not interact with the Network Extension framework without the appropriate entitlement.
Finally, everything works fine if we use packet-tunnel-provider instead of packet-tunnel-provider-systemextension, but then we cannot make a Developer ID build, as Network Extensions that aren't System Extensions cannot be deployed using Developer ID. In that case it only works when starting a dev build from within Xcode, but we get the same issue when trying to start a Developer ID build on another machine. Strangely enough, notarization did work for that build.
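The "Unsatisfied entitlements" message in the question is what you get when a value in the app's signed entitlements is not allow-listed by the embedded provisioning profile, and the two XML dumps above are exactly the inputs needed to spot that. The script below is an added example, not code from the question or from Apple: it parses the output of `codesign -d --entitlements :- App.app` and `security cms -D -i App.app/Contents/embedded.provisionprofile` and reports every entitlement value the profile does not grant. The two embedded plists are constructed samples shaped like the dumps in the question, with placeholder identifiers; the function names and the wildcard handling for values such as `TEAMID.*` are this example's own.

```python
"""Compare an app's signed entitlements with its embedded provisioning profile.

On macOS, produce the two inputs with:
    codesign -d --entitlements :- /path/to/App.app > app-entitlements.plist
    security cms -D -i /path/to/App.app/Contents/embedded.provisionprofile > profile.plist
then run:  python3 check_entitlements.py app-entitlements.plist profile.plist
"""
import fnmatch
import plistlib
import sys

# Constructed sample (not a real build artifact), shaped like the codesign
# output in the question: the app asks for the -systemextension variant.
APP_ENTITLEMENTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>TEAMID0000.com.example.tunnelapp</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>TEAMID0000</string>
</dict>
</plist>
"""

# Constructed sample shaped like the `security cms -D` output in the question:
# a development-style profile that only allow-lists the non-systemextension values.
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Name</key>
    <string>Example Development Profile</string>
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.application-identifier</key>
        <string>TEAMID0000.com.example.tunnelapp</string>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>app-proxy-provider</string>
            <string>content-filter-provider</string>
            <string>packet-tunnel-provider</string>
            <string>dns-proxy</string>
        </array>
        <key>keychain-access-groups</key>
        <array>
            <string>TEAMID0000.*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>TEAMID0000</string>
    </dict>
</dict>
</plist>
"""


def parse_plist_text(text: bytes) -> dict:
    """Parse an XML plist, tolerating the binary blob header that
    `codesign --entitlements -` (without the ':' prefix) puts before the XML."""
    start = text.find(b"<?xml")
    if start < 0:
        start = text.find(b"<plist")
    if start < 0:
        raise ValueError("no XML plist found in input")
    return plistlib.loads(text[start:])


def profile_entitlements(profile: dict) -> dict:
    """The allow-list lives under the profile's top-level 'Entitlements' key."""
    return profile.get("Entitlements", {})


def _as_list(value):
    return list(value) if isinstance(value, list) else [value]


def _allowed(value, allowed_values) -> bool:
    """A value is granted if the profile lists it verbatim or via a wildcard
    pattern (profiles express wildcard identifiers as e.g. 'TEAMID.*')."""
    for allowed in allowed_values:
        if allowed == value:
            return True
        if isinstance(allowed, str) and isinstance(value, str) and fnmatch.fnmatchcase(value, allowed):
            return True
    return False


def unsatisfied_entitlements(app_ents: dict, prof_ents: dict) -> dict:
    """Map each app entitlement the profile does not grant to the offending
    values; keys the profile lacks entirely map to 'not present in profile'."""
    problems = {}
    for key, value in app_ents.items():
        if key not in prof_ents:
            problems[key] = "not present in profile"
            continue
        missing = [v for v in _as_list(value) if not _allowed(v, _as_list(prof_ents[key]))]
        if missing:
            problems[key] = missing
    return problems


def check(app_xml: bytes, profile_xml: bytes) -> dict:
    return unsatisfied_entitlements(parse_plist_text(app_xml),
                                    profile_entitlements(parse_plist_text(profile_xml)))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        app_xml, profile_xml = (open(p, "rb").read() for p in sys.argv[1:3])
    else:
        app_xml, profile_xml = APP_ENTITLEMENTS_XML, PROFILE_XML
    for key, detail in check(app_xml, profile_xml).items():
        print(f"unsatisfied: {key}: {detail}")
```

Run against the embedded samples it reports the one mismatch from the question, the `-systemextension` value that the profile does not list; swapping that value for `packet-tunnel-provider` makes the report empty, which matches the behaviour described under "everything works fine if we use packet-tunnel-provider".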
It sounds like you’re mixing up development and release signing. For day-to-day development you should sign with an Apple Development signing identity and use the entitlement without the -systemextension suffix. This will require a macOS App Development provisioning profile.
When you go to release you should sign with your Developer ID signing identity and use the entitlement with the -systemextension suffix. This will require a Developer ID provisioning profile. That profile will allow-list the entitlements with the -systemextension suffix. And you’ll need to notarise, of course.
Oh, and FYI:
we think that is because Xcode doesn't have any real support for these values yet
That’s correct. I’m not sure if we have a bug on file about that already, so feel free to file your own.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"