signing vpn app with Developer ID

I need to distribute a macOS app for beta testing using Developer ID signing.
I followed the guide from this post: https://developer.apple.com/forums/thread/125508?answerId=402187022#402187022. You can check out my progress in this repo: https://github.com/PhilipDukhov/wireguard-apple
Step 1. First of all, I converted the network extension to a system one.
I had to use the following code to determine the path of the extension:
Code Block
let extensionPath = Bundle.main.bundleURL
  .appendingPathComponent("Contents")
  .appendingPathComponent("Library")
  .appendingPathComponent("SystemExtensions")
  .appendingPathComponent("WireGuardNetworkExtension.systemextension")
  .path

In order to create a tunnel I use SecAccessCreate with the results of SecTrustedApplicationCreateFromPath for both the app and the extension. There's no constant for the "SystemExtensions" folder, and SecTrustedApplicationCreateFromPath is deprecated; does that mean there's a new way to do this?
Yet it works at this step, which you can check out at commit 07df864a8d27948b3aa0c33cf4276835e58eeeee
Step 2. Then I created all the needed provisioning profiles, changed the signing settings and updated both .entitlements with packet-tunnel-provider-systemextension. The project builds and runs, and the tunnel gets created successfully, but when I try to connect and run the extension, it fails. Console has the following errors:
Code Block
-[NWPrivilegedHelper startXPCListener]_block_invoke client pid 123 does not have any known entitlement
NEVPNTunnelPlugin(com.bubble.bubble-vpn[6191]): Validation of the extension failed
WireGuardNetworkExtension: SIOCGIFMTU failed: Device not configured

I tried both disabling SIP and notarizing the app. The result code is on this commit: 357059234935ab1442bb6be0324809920355bfc9
The tunnel created in Step 1 works in step 2, so create a new one to test it out. If you need a test config file let me know: philip.dukhov@gmail.com.
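For readers following Step 1, here is an added example (not code from the poster's repository) of the keychain ACL setup described above: build a SecTrustedApplication for both the container app and the bundled system extension, create a SecAccess from them, and store the tunnel configuration so that the returned persistent reference can go into passwordReference. The service name and item label are constructed; the extension path assumes the same bundle layout as the snippet in the post.

```swift
import Foundation
import Security

enum KeychainError: Error { case osStatus(OSStatus) }

/// Wrap a code-signed bundle on disk as a SecTrustedApplication for a keychain ACL.
/// SecTrustedApplicationCreateFromPath is deprecated, but it is still the documented
/// way to build a per-application trusted list for a file-based keychain item.
func trustedApplication(at path: String) throws -> SecTrustedApplication {
    var app: SecTrustedApplication?
    let status = SecTrustedApplicationCreateFromPath(path, &app)
    guard status == errSecSuccess, let trusted = app else { throw KeychainError.osStatus(status) }
    return trusted
}

/// Store the tunnel configuration under an ACL that trusts both the container app and
/// the system extension, and return the persistent reference for
/// NETunnelProviderProtocol.passwordReference.
func storeTunnelConfig(_ config: Data, label: String) throws -> Data {
    // Assumed layout: the sysex lives inside the app bundle, as in the post's path snippet.
    let appPath = Bundle.main.bundlePath
    let extensionPath = Bundle.main.bundleURL
        .appendingPathComponent("Contents/Library/SystemExtensions")
        .appendingPathComponent("WireGuardNetworkExtension.systemextension")
        .path

    // Both executables must be in the trusted list; if one is missing, that process
    // triggers a keychain password prompt when it reads the item.
    let trusted = try [trustedApplication(at: appPath), trustedApplication(at: extensionPath)]
    var access: SecAccess?
    var status = SecAccessCreate(label as CFString, trusted as CFArray, &access)
    guard status == errSecSuccess, let acl = access else { throw KeychainError.osStatus(status) }

    let attributes: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrLabel: label,
        kSecAttrService: "com.example.vpn.tunnel-config",   // constructed service name
        kSecAttrAccount: label,
        kSecValueData: config,
        kSecAttrAccess: acl,                                 // the shared ACL from above
        kSecReturnPersistentRef: true,
    ]
    var result: CFTypeRef?
    status = SecItemAdd(attributes as CFDictionary, &result)
    guard status == errSecSuccess, let ref = result as? Data else { throw KeychainError.osStatus(status) }
    return ref
}
```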

In order to create a tunnel I use SecAccessCreate with the results of SecTrustedApplicationCreateFromPath for both the app and the extension. There's no constant for the SystemExtensions folder, and SecTrustedApplicationCreateFromPath is deprecated; does that mean there's a new way to do this?

I’ve lost you here. How does SecAccessCreate come into this?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

I’ve lost you here. How does SecAccessCreate come into this?

As I understand, it's used to create a shared keychain ACL object to store inside passwordReference so it can be shared between the main app and the extension: https://github.com/PhilipDukhov/wireguard-apple/blob/master/WireGuard/Shared/Keychain.swift#L43
Without these lines it asks for the password twice when creating a tunnel. And it's still not working with Developer ID (step 2).
If we skip the first problem and move to step 2, any ideas how to solve this one?

If we skip the first problem and move to step 2, any ideas how to solve this one?

I’m not sure how you’re numbering your problems. Are you asking about the problem loading the sysex?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
I mean this one:
I created all the needed provisioning profiles, changed the signing settings and updated both .entitlements with packet-tunnel-provider-systemextension. The project builds and runs, and the tunnel gets created successfully, but when I try to connect and run the extension, it fails. Console has the following errors:
Code Block
-[NWPrivilegedHelper startXPCListener]_block_invoke client pid 123 does not have any known entitlement
NEVPNTunnelPlugin(com.bubble.bubble-vpn[6191]): Validation of the extension failed
WireGuardNetworkExtension: SIOCGIFMTU failed: Device not configured

I tried both disabling SIP and notarizing the app. The result code is on this commit: 357059234935ab1442bb6be0324809920355bfc9
The tunnel created in Step 1 works in step 2, so create a new one to test it out. If you need a test config file let me know: philip.dukhov@gmail.com.