Issue upgrading System extension from Mojave to Big Sur

Hi.
We have implemented an application with a System extension (with network filters). The application works properly in Big Sur when it is installed: the system extension activation prompt is shown and the extension is properly loaded once the user approves its usage.
But there is a problem upgrading the application from Mojave to Big Sur: the system extension activation prompt is not shown and this error appears in the console (filtering by 'sysextd'):

default 07:44:28.170909-0300 sysextd staging extension with identifier net.**.systemextension
default 07:44:28.453180-0300 sysextd Making activation decision for extension with teamID teamID("*"), identifier net.**.systemextension
default 07:44:28.453363-0300 sysextd No extension policy -- activation decision is UserOption
default 07:44:28.453438-0300 sysextd validating extension with identifier net.**.systemextension
default 07:44:28.866906-0300 sysextd MacOS error: 3
default 07:44:29.015223-0300 sysextd Error checking with notarization daemon: 3
error 07:44:29.016455-0300 sysextd bundle code signature is not valid - does not satisfy requirement: -67050 code failed to satisfy specified code requirement(s)
default 07:44:29.017158-0300 sysextd extension failed to validate! uninstalling...
default 07:44:29.017237-0300 sysextd uninstalling invalid extension net.**.systemextension

These errors are shown when the application is not notarized. But this is not the case: the application is notarized and the dmg was successfully stapled.

After getting these errors, if the application is installed again in Big Sur, the system extension activation prompt is shown.

Is this an expected behavior for applications upgraded from Mojave? Is this a known issue?

I tried this with macOS Big Sur 11 beta 5 (20A5354i). But the same error happens with previous beta versions.
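
As an added example (not part of the original post and not Apple's tooling): a shell function that reads sysextd log text shaped like the excerpt above and reports, per extension identifier, the notarization-daemon error, the code-signing status and whether the extension was uninstalled as invalid. The bundle identifiers and sample lines are constructed placeholders, and the input is assumed to be already filtered to sysextd.

```shell
#!/bin/sh
# Added example: summarize sysextd validation outcomes per extension.
# Input is sysextd log text on stdin, e.g. copied from Console or from
#   log show --last 1h --predicate 'process == "sysextd"'
# Matching is on the message text only, so the leading columns may differ.

# Constructed sample (placeholder bundle IDs and timestamps) so this runs offline.
sample_log() {
cat <<'EOF'
default 10:00:00.000001-0000 sysextd staging extension with identifier com.example.filter.systemextension
default 10:00:00.000002-0000 sysextd validating extension with identifier com.example.filter.systemextension
default 10:00:00.000003-0000 sysextd MacOS error: 3
default 10:00:00.000004-0000 sysextd Error checking with notarization daemon: 3
error 10:00:00.000005-0000 sysextd bundle code signature is not valid - does not satisfy requirement: -67050 code failed to satisfy specified code requirement(s)
default 10:00:00.000006-0000 sysextd extension failed to validate! uninstalling...
default 10:00:00.000007-0000 sysextd uninstalling invalid extension com.example.filter.systemextension
default 10:00:01.000001-0000 sysextd validating extension with identifier com.example.other.systemextension
EOF
}

sysext_triage() {
  awk '
    # Register an identifier the first time it is seen, keeping input order.
    function note(e) {
      if (!(e in state)) {
        order[++n] = e; notar[e] = "-"; sig[e] = "-"
        state[e] = "no-rejection-logged"
      }
    }
    /validating extension with identifier / { cur = $NF; note(cur); next }
    cur != "" && /Error checking with notarization daemon: / { notar[cur] = $NF; next }
    cur != "" && /bundle code signature is not valid/ {
      # The status code is the signed integer right after "requirement: ".
      if (match($0, /requirement: -?[0-9]+/))
        sig[cur] = substr($0, RSTART + 13, RLENGTH - 13)
      next
    }
    /uninstalling invalid extension / { note($NF); state[$NF] = "rejected"; cur = ""; next }
    END {
      for (i = 1; i <= n; i++) {
        e = order[i]
        printf "%s notarization_error=%s codesign_status=%s result=%s\n", e, notar[e], sig[e], state[e]
      }
    }
  '
}

sample_log | sysext_triage
```

A `result=rejected` line with a non-empty `codesign_status` points at the code-signature requirement check rather than the approval prompt as the place to investigate.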

Is this an expected behavior for applications upgraded from Mojave?

Mojave?!? System extension support was added in 10.15, that is, Catalina, so I’m going to presume that this was just a typo.

[Personally I always use system version numbers because it avoids this sort of confusion.]

As to your actual issue, I don’t think it matters whether this is expected or not, it’s still seriously suboptimal and I encourage you to file a bug about it. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Thanks eskimo for the quick answer. Yes. System extension support was added in 10.15. So the System Extension activation flow should work in Catalina and Big Sur after upgrading the OS from Mojave (version 10.14.6): the application with the system extension was installed in Mojave, but after upgrading the OS to Big Sur the System Extension is not launched:

default 07:44:28.866906-0300 sysextd MacOS error: 3
default 07:44:29.015223-0300 sysextd Error checking with notarization daemon: 3

Also, the same issue happens when upgrading from Mojave to Catalina.
The only way we found to be able to launch the System Extension was installing it again on Catalina or Big Sur.

Can you clarify what you mean by “is not launched”? Are you manually running the container app? If so, does it call the SystemExtensions framework to start the sysex? Does that fail? If so, with what error?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Are you saying that it fails on a machine that has been upgraded from 10.14 (Mojave)? But it works properly on 11.0 Big Sur? Or it doesn't work in Big Sur?

Regardless, the problem here is that your app is certainly NOT Notarized. Some developers feel that they have properly notarized an app when they run the notarization commands, staple the ticket, and don't get any errors. That's not enough. You also have to run the final product through Gatekeeper to ensure that it accepts it. You do this by uploading it to a website and then downloading it with Safari. If the program fails to launch, or fails to run properly, then it is not properly notarized.

It sounds like you were testing it on your build machine. In this case, since you did not download the app, the quarantine flag was never set so Gatekeeper was never triggered.

Just the fact that you mentioned the word "ticket" means that you are probably not using Xcode to build your app. You are doing "something else". What that is, I can't say. I can tell you that your problem will most likely go away if you build your app in Xcode and Notarize from there. Xcode is designed to do these kinds of things for you. If you can't use Xcode for some reason, then you are going to have to do a lot of research into exactly how Xcode would build such a project and how you are doing it differently.

Eskimo has posted a number of how-to documents here in the forums about how to resolve common Notarization problems for people doing all of this by hand. Unfortunately, with the new design of the forums, those are really hard to find. You might want to try a site-specific Google search for "eskimo" and "notarization".

