Problem with Network Extension & System Extension

I have a Mac VPN app which I'd like to distribute in the Mac Store and on my website.

I need to sign my app with a Developer ID in order to get it notarized, so I was following along with this thread:
https://developer.apple.com/forums/thread/125508?page=1

I performed all of the changes suggested by Quinn, notarized the app, stapled it and installed it from a .dmg.

Upon launching I get the VPN permission prompt and a profile is successfully installed, but neagent still won't launch because it's signed with a Developer ID.

error 16:49:08.750262-0400 NEVPNTunnelPlugin([476]): Validation of the extension failed nesessionmanager
default 16:49:08.750966-0400 NESMVPNSession[Primary Tunnel::7BB4FF26-2EAD-47AF-85F7-880749561AD0:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin([476]) started with PID 0 error (null) nesessionmanager
error 16:49:08.750013-0400 Rejecting app extension provider PacketTunnel because it is signed with a Developer ID certificate neagent


I checked the embedded profile:

security cms -D -i /Applications/MYAPP.app/Contents/embedded.provisionprofile

<key>Entitlements</key>
<dict>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>packet-tunnel-provider-systemextension</string>
        <string>app-proxy-provider-systemextension</string>
        <string>content-filter-provider-systemextension</string>
        <string>dns-proxy-systemextension</string>
        <string>dns-settings</string>
    </array>
    <key>com.apple.application-identifier</key>
    <string>BUNDLEID</string>
    <key>keychain-access-groups</key>
    <array>
        <string>TEAM.*</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>TEAM</string>
    <key>com.apple.developer.associated-domains</key>
    <string>*</string>
</dict>


default 09:50:39.422703-0400 Signature is valid and has the correct designated requirement neagent
default 09:50:39.422930-0400 Provider is signed with a Developer ID certificate neagent
error 09:50:39.422957-0400 Rejecting app extension provider com.appid.PacketTunnel because it is signed with a Developer ID certificate neagent
default 09:50:39.423849-0400 [u 1B062A81-6FE9-44B0-851E-BCF4FE7FAD8A:m (null)] [<private>(<private>)] terminating neagent


I'm running macOS 15.6

Here's the output from the notarization:

"logFormatVersion": 1,
"jobId": "ac025b03-d4ff-4a10-97f5-85b43e6b4f3f",
"status": "Accepted",
"statusSummary": "Ready for distribution",
"statusCode": 0,
"archiveFilename": "MyApp.dmg",
"uploadDate": "2020-08-07T14:03:00Z",
"sha256": "92349106a42dece6ae4298677aeaaf17aa02b1a431acf5594ab1fc700916a6bb",
"ticketContents":[
],
"issues": null


^^ I stripped the ticketContents.

Running:

$ spctl -a -t exec -v MyApp.app
MyApp.app: accepted
source=Notarized Developer ID

I also tried running with SIP disabled and it wouldn't launch at all ("No suitable image found"), which is very weird. It opens with SIP enabled, just not the extension.

You should check:
  • The entitlements in the code signature of the app.

  • The entitlement allowlist in the provisioning profile of the app.

  • Both of the previous points for the extension embedded within the app.

  • The contents of the notarisation ticket.

You already know how to dump a profile. To dump the entitlements of an app or extension, use:

% codesign -d --entitlements :- /path/to/your/bundle


IMPORTANT In the independent distribution case, the values in the com.apple.developer.networking.networkextension array must have the -systemextension suffix.

To check your ticket, use the following:

% codesign -d /path/to/your/bundle


to dump the cdhash values for your app and extension and then make sure each is present in the ticketContents array.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Hey Quinn, thanks for the reply!

You already know how to dump a profile. To dump the entitlements of an app or extension, use:

codesign -d --entitlements :- /path/to/your/bundle


Here is the output:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>com.appid</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
</array>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string>TEAMID</string>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.appid</string>
</array>
<key>com.apple.security.files.user-selected.read-write</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>TEAMID.com.apple.managed.vpn.shared</string>
</array>
</dict>
</plist>

default 12:25:15.617952-0400 Signature is valid and has the correct designated requirement neagent
default 12:25:15.618196-0400 Provider is signed with a Developer ID certificate neagent
error 12:25:15.618223-0400 Rejecting app extension provider com.appid.PacketTunnel because it is signed with a Developer ID certificate neagent

Everything seems right. Am I missing anything?

You need to do this for both your app and the sysex embedded within your app.

Also, based on the info you posted there seems to be a bunch of discrepancies:
  • You’ve redacted com.apple.application-identifier but in a way that doesn’t make it obvious that it’s formatted correctly (it should be App ID prefix dot bundle ID, where the App ID prefix is usually, but not always, your Team ID).

  • Your profile doesn’t seem to include com.apple.developer.system-extension.install.

  • Your keychain-access-groups entitlement claims TEAMID.com.apple.managed.vpn.shared, which doesn’t make any sense. Either you want to access the com.apple.managed.vpn.shared keychain access group, in which case you should apply for the necessary entitlement (1), or you don’t, in which case using that suffix is just confusing.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

(1) See FAQ#9 of Network Extension Framework Entitlements.
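As an added example (not part of this thread, and not Apple's or the poster's code), here is a script that turns the two lists above (entitlements in the code signature, the profile allowlist, the ticketContents array, and the application-identifier / profile discrepancies) into checks that run against the text those tools print, so they can be tried on pasted output before touching a bundle. The two sample entitlement plists (one copied from the output posted earlier in this thread, one app-extension-style variant), the ticket log layout with placeholder hashes, the script name, and the sysex and profile paths used at the bottom are all constructed assumptions.

```shell
#!/bin/sh
# Added example for this thread, not Apple's or the poster's code. Each check
# reads the text the real tool prints on stdin, so it also runs on pasted output.

# One plist element per line so the awk scans below stay simple.
one_tag_per_line() {
  sed 's/> *</>\
</g'
}

# Print the <string> values of an <array> entitlement, one per line. $1 = key.
plist_array() {
  one_tag_per_line | awk -v key="$1" '
    index($0, "<key>" key "</key>") { f = 1; next }
    f && /<\/array>/ { exit }
    f && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print }'
}

# Print the <string> value directly following a key (nothing if not a string).
plist_string() {
  one_tag_per_line | awk -v key="$1" '
    index($0, "<key>" key "</key>") { f = 1; next }
    f { if (/<string>/) { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print }
        exit }'
}

# Quinn's IMPORTANT note: under Developer ID every provider value needs the
# -systemextension suffix. Flags the app-extension spellings; dns-settings passes.
check_ne_suffix() {
  bad=$(plist_array com.apple.developer.networking.networkextension |
        grep -E -- '(-provider|^dns-proxy)$' || true)
  if [ -n "$bad" ]; then
    echo "networkextension values without -systemextension suffix: $bad" >&2
    return 1
  fi
}

# Quinn's first discrepancy: application-identifier must be <prefix>.<bundle ID>.
# Heuristic: the prefix is the 10-character Team ID (usually, not always).
check_app_identifier() {
  id=$(plist_string com.apple.application-identifier)
  printf '%s\n' "$id" | grep -Eq '^[A-Z0-9]{10}\.[A-Za-z0-9.-]+$' && return 0
  echo "application-identifier '$id' is not <prefix>.<bundle ID>" >&2
  return 1
}

# Quinn's second discrepancy: the profile (security cms -D output) must allowlist $1.
profile_allows() {
  one_tag_per_line | grep -q "<key>$1</key>"
}

# CDHash values from `codesign -d -vvv` output (it prints them on stderr).
cdhashes() {
  sed -n 's/^CDHash=//p'
}

# Every cdhash of app and sysex must be in ticketContents. $1 = log JSON text,
# rest = cdhashes. Assumes entries look like {"path": ..., "cdhash": "..."}.
check_ticket() {
  log=$1; shift; missing=0
  for h in "$@"; do
    if ! printf '%s\n' "$log" | grep -Eq "\"cdhash\" *: *\"$h\""; then
      echo "cdhash $h is not in ticketContents" >&2
      missing=1
    fi
  done
  return "$missing"
}

# Constructed samples: the app entitlements posted above (identifier redacted by
# the poster), an app-extension-style variant, and a log with placeholder hashes.
SAMPLE_APP_ENTITLEMENTS='<plist version="1.0"><dict>
<key>com.apple.application-identifier</key><string>com.appid</string>
<key>com.apple.developer.networking.networkextension</key>
<array><string>packet-tunnel-provider-systemextension</string></array>
<key>com.apple.developer.system-extension.install</key><true/>
</dict></plist>'
SAMPLE_APPEX_ENTITLEMENTS='<plist version="1.0"><dict>
<key>com.apple.application-identifier</key><string>ABCDE12345.com.example.vpn</string>
<key>com.apple.developer.networking.networkextension</key>
<array><string>packet-tunnel-provider</string><string>dns-settings</string></array>
</dict></plist>'
SAMPLE_TICKET_LOG='{"status": "Accepted", "ticketContents": [
 {"path": "MyApp.app", "cdhash": "0000000000000000000000000000000000000001"},
 {"path": "MyApp.app/Contents/Library/SystemExtensions/com.example.vpn.systemextension", "cdhash": "0000000000000000000000000000000000000002"}]}'

# Live use on macOS (skipped with no arguments): sh necheck.sh /Applications/MyApp.app [log.json]
# The sysex and profile paths below are assumptions about the usual bundle layout.
if [ "$#" -ge 1 ] && command -v codesign >/dev/null 2>&1; then
  for bundle in "$1" "$1"/Contents/Library/SystemExtensions/*.systemextension; do
    [ -d "$bundle" ] || continue
    codesign -d --entitlements :- "$bundle" 2>/dev/null | check_ne_suffix
    codesign -d --entitlements :- "$bundle" 2>/dev/null | check_app_identifier
    security cms -D -i "$bundle/Contents/embedded.provisionprofile" 2>/dev/null |
      profile_allows com.apple.developer.system-extension.install || echo "profile lacks system-extension.install" >&2
    [ -n "${2:-}" ] && check_ticket "$(cat "$2")" $(codesign -d -vvv "$bundle" 2>&1 | cdhashes)
  done
fi
```

Run against the entitlements posted in this thread, check_app_identifier reports the same thing Quinn did (com.appid has no App ID prefix), and the app-extension-style variant is what check_ne_suffix rejects. The checks operate on plain text on purpose: each one takes exactly the output of one of the commands Quinn listed, so they apply unchanged to the app and to the sysex bundle inside it.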

Hey Quinn,

I managed to get the system extension launching correctly.

My main problem now is the extension is not able to reach the internet. I see errors like this when attempting an outgoing connection.

default 14:15:26.113698-0400 MacOS error: -25337 com..Sample.SampleExtension
default 14:15:26.116883-0400 CSSM Exception: 3 unknown error 3=3 com.Sample.SampleExtension
default 14:15:26.120630-0400 CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR com.Sample.SampleExtension
default 14:15:26.124533-0400 CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR com.Sample.SampleExtension


Lastly, regarding:

com.apple.managed.vpn.shared keychain access group

That is not needed if I don't need to read creds from the profile, correct?

BTW I created a second sample app just to be sure and it's hitting that as well. I can send you the sample app. I sent an email over to you today.

I have SIP disabled and also have systemextensionsctl developer on

Hi @mikeKane,

How did you manage to fix the validation failed issue? What was causing it?
