Problem with Network Extension & System Extension

Question

I have a Mac VPN app which I'd like to distribute in the Mac Store and on my website.

I need to Sign my app with a Developer ID in order to get it notarized so was following along this thread
https://developer.apple.com/forums/thread/125508?page=1

I performed all of the changes suggested by Quinn, notarized the app , stapled it and installed from a .dmg.

Upon launching I get the VPN permission with a profile successfully installed but neagent still won't launch bc its signed with a developer id.

Code Block error	16:49:08.750262-0400	NEVPNTunnelPlugin([476]): Validation of the extension failed	nesessionmanagerdefault	16:49:08.750966-0400	NESMVPNSession[Primary Tunnel::7BB4FF26-2EAD-47AF-85F7-880749561AD0:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin([476]) started with PID 0 error (null)	nesessionmanagererror	16:49:08.750013-0400	Rejecting app extension provider PacketTunnel because it is signed with a Developer ID certificate	neagent

I checked the embedded profile

Code Block security cms -D -i  /Applications/MYAPP.app/Contents/embedded.provisionprofile

Code Block <key>Entitlements</key>	<dict>								<key>com.apple.developer.system-extension.install</key>		<true/>								<key>com.apple.developer.networking.networkextension</key>		<array>				<string>packet-tunnel-provider-systemextension</string>				<string>app-proxy-provider-systemextension</string>				<string>content-filter-provider-systemextension</string>				<string>dns-proxy-systemextension</string>				<string>dns-settings</string>		</array>								<key>com.apple.application-identifier</key>		<string>BUNDLEID</string>								<key>keychain-access-groups</key>		<array>				<string>TEAM.*</string>		</array>								<key>com.apple.developer.team-identifier</key>		<string>TEAM</string>								<key>com.apple.developer.associated-domains</key>		<string>*</string>	</dict>

Code Block default	09:50:39.422703-0400	Signature is valid and has the correct designated requirement	neagent
default	09:50:39.422930-0400	Provider is signed with a Developer ID certificate	neagent
error	09:50:39.422957-0400	Rejecting app extension provider com.appid.PacketTunnel because it is signed with a Developer ID certificate	neagent
default	09:50:39.423849-0400	[u 1B062A81-6FE9-44B0-851E-BCF4FE7FAD8A:m (null)] [<private>(<private>)] terminating	neagent

I'm running macOS 15.6

Here's output from the notarization

Code Block 	"logFormatVersion": 1,
	"jobId": "ac025b03-d4ff-4a10-97f5-85b43e6b4f3f",
	"status": "Accepted",
	"statusSummary": "Ready for distribution",
	"statusCode": 0,
	"archiveFilename": "MyApp.dmg",
	"uploadDate": "2020-08-07T14:03:00Z",
	"sha256": "92349106a42dece6ae4298677aeaaf17aa02b1a431acf5594ab1fc700916a6bb",
	"ticketContents":[
],
	"issues": null

^^ I stripped the ticketContents

2k

Posted by

mikeKane

Reply

Add a Comment

Answer 1

Running

Code Block $ spctl -a -t exec -v MyApp.app
MyApp.app: accepted
source=Notarized Developer ID

Also tried running with SIP disabled and it wouldn't launch at all. "No suitable image found" which is very weird. It opens with SIP enabled just not the extension

Posted by

mikeKane

Add a Comment

Answer 2

You should check:

The entitlements in the code signature of the app.
The entitlement allowlist in the provisioning profile of the app.
Both of the previous points for the extension embedded within the app.
The contents of the notarisation ticket.

You already know how to dump a profile. To dump the entitlements of an app or extension, use:

Code Block  % codesign -d --entitlements :- /path/to/your/bundle

IMPORTANT In the independent distribution case, the values in the com.apple.developer.networking.networkextension array must have the -systemextension suffix.

To check your ticket, use the following:

Code Block  % codesign -d /path/to/your/bundle

to dump the cdhash values for your app and extension and then make sure each is present in the ticketContents array.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Posted by

eskimo

Add a Comment

Answer 3

Hey Quinn, thanks for the reply!

You already know how to dump a profile. To dump the entitlements of an app or extension, use:

Code Block codesign -d --entitlements :- /path/to/your/bundle

Here is the output.

Code Block <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.application-identifier</key>
	<string>com.appid</string>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>packet-tunnel-provider-systemextension</string>
	</array>
	<key>com.apple.developer.system-extension.install</key>
	<true/>
	<key>com.apple.developer.team-identifier</key>
	<string>TEAMID</string>
	<key>com.apple.security.app-sandbox</key>
	<true/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>group.com.appid</string>
	</array>
	<key>com.apple.security.files.user-selected.read-write</key>
	<true/>
	<key>com.apple.security.network.client</key>
	<true/>
	<key>com.apple.security.network.server</key>
	<true/>
	<key>keychain-access-groups</key>
	<array>
		<string>TEAMID.com.apple.managed.vpn.shared</string>
	</array>
</dict>
</plist>

Code Block default	12:25:15.617952-0400	Signature is valid and has the correct designated requirement	neagentdefault	12:25:15.618196-0400	Provider is signed with a Developer ID certificate	neagent
error	12:25:15.618223-0400	Rejecting app extension provider com.appid.PacketTunnel because it is signed with a Developer ID certificate	neagent

Everything seems right. Am I missing anything?

Posted by

mikeKane

Add a Comment

Answer 4

You need to do this for both our app and the sysex embedded within your app.

Also, based on the info you posted there seems to be a bunch of discrepancies:

You’ve redacted com.apple.application-identifier but in a way that doesn’t make it obvious that it’s formatted correctly (it should be App ID prefix dot bundle ID, where the App ID prefix is usually, but not always, your Team ID).
Your profile doesn’t seem to include com.apple.developer.system-extension.install.
Your keychain-access-groups entitlement claims TEAMID.com.apple.managed.vpn.shared, which doesn’t make any sense. Either you want to access the com.apple.managed.vpn.shared keychain access group, in which case you should apply for the necessary entitlement (1), or you don’t, in which case using that suffix is just confusing.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

(1) See FAQ#9 of Network Extension Framework Entitlements.

Posted by

eskimo

Add a Comment

Answer 5

Hey Quinn,

I managed to get the system extension launching correctly.

My main problem now is the extension is not able to reach the internet. I see errors like this when attempting an outgoing connection.

Code Block default	14:15:26.113698-0400	MacOS error: -25337 com..Sample.SampleExtensiondefault	14:15:26.116883-0400	CSSM Exception: 3 unknown error 3=3	 com.Sample.SampleExtension
default	14:15:26.120630-0400	CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR	 com.Sample.SampleExtension
default	14:15:26.124533-0400	CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR	 com.Sample.SampleExtension

Last

com.apple.managed.vpn.shared keychain access group

That is not needed if I dont need to read creds from the profile, correct?

BTW I created a second sample app just to be sure and it's hitting that as well. I can send you the sample app. I sent an email over to you today.

I have SIP disabled and also have systemextensionsctl developer on

Posted by

mikeKane

Add a Comment

Answer 6

Hi @mikeKane,

How did you manage to fix validation failed issue? what was causing it.

Posted by

mahmed

Add a Comment

Problem with Network Extension & System Extension

Replies