SimpleFirewall Content Filter is not working if SIP is enabled & code sign with provisional profile

Hi,
I have the Simple Firewall content filter example which is available online.

This works fine in both the SIP enabled and SIP disabled cases if I try it with Apple Developer signing.
It also works if SIP is disabled and we code sign by attaching a provisioning profile.

But it is not working if SIP is enabled and we code sign by attaching a provisioning profile. Is this a problem with the certificate or the entitlements? What may be the problem? Please help.

I am getting the errors below:
```text
default 15:42:19.757925+0530 sysextd request contains no authorizationref
default 15:42:19.758070+0530 sysextd shouldMoveAppToTrash: file:///Applications/SimpleFirewall.app/ (requestor: /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder)
default 15:42:19.758588+0530 sysextd Realizing target path: file:///Applications/SimpleFirewall.app/Contents/Library/SystemExtensions/com.sample.simplefirewall.systemextension/
default 15:42:19.758832+0530 sysextd Bundle class: UncachedBundle
default 15:42:19.769768+0530 sysextd shouldMoveAppToTrash: no extensions found, allowing delete
default 15:42:56.485811+0530 sysextd attempting to realize extension with identifier com.sample.simplefirewall
default 15:42:56.497551+0530 sysextd Realizing target path: file:///Applications/SimpleFirewall.app/Contents/Library/SystemExtensions/com.sample.simplefirewall.systemextension/
default 15:42:56.497812+0530 sysextd Bundle class: UncachedBundle
default 15:42:56.517482+0530 sysextd staging extension with identifier com.sample.simplefirewall
default 15:42:56.540700+0530 sysextd Making activation decision for extension with teamID teamID("BGLHCMSU7"), identifier com.sample.simplefirewall
default 15:42:56.540740+0530 sysextd No extension policy -- activation decision is UserOption
default 15:42:56.540766+0530 sysextd validating extension with identifier com.sample.simplefirewall
default 15:42:56.554285+0530 sysextd MacOS error: 3
default 15:42:56.557821+0530 sysextd Error checking with notarization daemon: 3
error 15:42:56.559103+0530 sysextd bundle code signature is not valid - does not satisfy requirement: -67050 code failed to satisfy specified code requirement(s)
default 15:42:56.559453+0530 sysextd extension failed to validate! uninstalling...
default 15:42:56.559500+0530 sysextd uninstalling invalid extension com.sample.simplefirewall
default 15:42:56.565893+0530 sysextd finished uninstalling extension com.sample.simplefirewall
```

Following is my 'SimpleFirewall' app entitlements file:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>BGLHCMSU7.com.sample.simplefirewall</string>
    <key>com.apple.developer.team-identifier</key>
    <string>BGLHCMSU7</string>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>BGLHCMSU7.com.sample.simplefirewall</string>
    </array>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider-systemextension</string>
    </array>
</dict>
</plist>
```

Following is my 'SimpleFirewallExtension' entitlements file:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>BGLHCMSU7.com.sample.simplefirewall</string>
    <key>com.apple.developer.team-identifier</key>
    <string>BGLHCMSU7</string>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>BGLHCMSU7.com.sample.simplefirewall</string>
    </array>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider-systemextension</string>
    </array>
</dict>
</plist>
```


One thing I would examine, regardless of whether this is your problem, is the bundle identifier scheme being used in your container app and network system extension.

For example, notice that Simple Firewall has this bundle id on the container:

com.example.apple-samplecode.SimpleFirewall

And this bundle id on the system extension:

com.example.apple-samplecode.SimpleFirewall.SimpleFirewallExtension

Now notice how your identifiers appear to be:
```xml
<key>com.apple.application-identifier</key>
<string>BGLHCMSU7.com.sample.simplefirewall</string>
```

This may be due to the container app's identifier being put on both, but it does worry me when the log says:

```text
default 15:42:56.517482+0530 sysextd staging extension with identifier com.sample.simplefirewall
```

If this all is good, it looks like you have a policy issue somewhere with your extension.
```text
default 15:42:56.540740+0530 sysextd No extension policy -- activation decision is UserOption
default 15:42:56.540766+0530 sysextd validating extension with identifier com.sample.simplefirewall
default 15:42:56.554285+0530 sysextd MacOS error: 3
default 15:42:56.557821+0530 sysextd Error checking with notarization daemon: 3
error 15:42:56.559103+0530 sysextd bundle code signature is not valid - does not satisfy requirement: -67050 code failed to satisfy specified code requirement(s)
```

From here I would make sure the entitlements from the signed binary match the entitlements from the provisioning profile. After that, run the signed binary on a fresh VM with SIP enabled to see if you come up with anything different here.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thanks for your response.

This may be due to the container app's identifier being put on both, but it does worry me when the log says:

You mean, the policy issue is due to having same bundle identifier for both container & extension?


From here I would make sure the entitlements from the signed binary match the entitlements from the provisioning profile.

So, no issues with the entitlements and provisioning profile, correct?


After that, run the signed binary on a fresh VM with SIP enabled to see if you come up with anything different here.

I have tried on a fresh VM with the same bundle IDs for both container and extension, with SIP enabled, and the result is the same as before.

One more thing: we should have two different provisioning profiles for the container and the extension, as the bundle IDs are different. Correct?

Thanks.

You mean, the policy issue is due to having same bundle identifier for both container & extension?

What is the bundle ID for your extension and the bundle ID for your container app?

So, No issues with entitlements & provisioning profile. correct?

Not sure, I have not seen your provisioning profile.

One more thing: we should have two different provisioning profiles for the container and the extension, as the bundle IDs are different. Correct?

Yes.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

I have tried with two different bundle identifiers for the container and the extension. But I am still facing the same issue.
My container bundle ID: com.sample.simplefirewall
My extension bundle ID: com.sample.simplefirewall.networkextension

I have noticed a couple of messages in the console. Please clarify them.

When I copy the app to /Applications and run it for the first time, I see the message below. Does this have any relation to the code signing issue? I have even tried removing it from the entitlements, but I am still facing the code signing issue. My group value is BGLHCMSU7.com.sample.simplefirewall.
com.digitalguardian.dgnetopsfilter: Unsatisfied entitlements: com.sample.simplefirewall

My NEMachServiceName value is BGLHCMSU7.com.sample.simplefirewall.networkextension. Is there any relation between the code signing issue and this value?

I have noticed the error "Error checking with notarization daemon: 3" in the console. Is notarization mandatory to run the app?

I am able to run the app by disabling SIP (with a Developer ID/provisioning certificate) but it fails to run with SIP enabled and by attaching the provisioning certificate only. This is a blocker for me. Please provide inputs ASAP.

Is notarization mandatory to run app?

Notarization is required for Developer ID distribution.

I able to run app by disabling SIP(with developer id/proviosnal cert) but failed to run with SIP enabled & by attaching provisional certificate only.

1) Enable SIP.

2) Enable your sandbox on both your container app and network extension.

3) Ensure your container app's bundle ID is set to: "com.sample.simplefirewall" and your extension's bundle id is set to "com.sample.simplefirewall.networkextension."

4) In your container app make sure the entitlements at least contain:
```xml
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>content-filter-provider-systemextension</string>
</array>
<key>com.apple.developer.system-extension.install</key>
<true/>
```


5) Make sure your network extension's NEMachServiceName is set to: $(TeamIdentifierPrefix)com.sample.simplefirewall.networkextension. (Although I'm not sure this is affecting you)

6) Create your Developer ID profiles for both your extension and container.

7) Build, sign, and notarize your app. Also see Quinn's post for Signing a Mac Product For Distribution.

8) Validate your notarized app:
```text
# determine if the app to be notarized will run with the system policies currently in effect:
% spctl -vvv --assess --type exec /path/to/myapp
# Test code signature
% codesign -vvvd myapp.app
# Is there a ticket stapled to the app?
% xcrun stapler validate myapp.app
# Test if myapp satisfies its Designated Requirements for Notarization.
% codesign --test-requirement="=notarized" --verify --verbose myapp.app
```


9) Run your app.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
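The two checks Matt recommends in this thread, comparing the entitlements baked into the signed binary against what the embedded provisioning profile grants, and confirming the application-identifier is really TeamID.CFBundleIdentifier for the bundle it is in rather than the container app's identifier reused on the extension, can be scripted. The following is an added example, not code from the thread, from Apple DTS or from the SimpleFirewall sample. The two plists are constructed for the example: the signed entitlements mirror what the poster showed for the extension, and the profile is what a Developer ID profile issued for the assumed extension bundle ID com.sample.simplefirewall.networkextension would decode to. Treating every com.apple.security.* key as unrestricted (not something a profile has to list) is a simplification made here.

```python
"""Cross-check a bundle's signed entitlements against its provisioning profile.

Added example; the plists below are constructed for it. On a real macOS
system the two inputs come from (paths are illustrative):

    codesign -d --entitlements :- Some.app/Contents/Library/SystemExtensions/X.systemextension > signed.plist
    security cms -D -i Some.app/Contents/Library/SystemExtensions/X.systemextension/Contents/embedded.provisionprofile > profile.plist
"""
from datetime import datetime, timezone
import plistlib

EXT_BUNDLE_ID = "com.sample.simplefirewall.networkextension"   # assumed from the thread

# Identity keys are checked against the bundle ID and the profile's App ID, not
# merely "granted"; com.apple.security.* keys are sandbox/hardened-runtime
# settings a profile need not list (simplification for this example).
IDENTITY_KEYS = ("com.apple.application-identifier", "com.apple.developer.team-identifier")
UNRESTRICTED_PREFIX = "com.apple.security."

# Constructed: the extension's signed entitlements as posted, i.e. still
# carrying the container app's application-identifier.
SIGNED_EXT_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.application-identifier</key><string>BGLHCMSU7.com.sample.simplefirewall</string>
  <key>com.apple.developer.team-identifier</key><string>BGLHCMSU7</string>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.application-groups</key>
  <array><string>BGLHCMSU7.com.sample.simplefirewall</string></array>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>content-filter-provider-systemextension</string></array>
</dict></plist>"""

# Constructed: a decoded Developer ID profile generated for the extension's own App ID.
EXT_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>TeamIdentifier</key><array><string>BGLHCMSU7</string></array>
  <key>ExpirationDate</key><date>2031-01-01T00:00:00Z</date>
  <key>Entitlements</key><dict>
    <key>com.apple.application-identifier</key><string>BGLHCMSU7.com.sample.simplefirewall.networkextension</string>
    <key>com.apple.developer.team-identifier</key><string>BGLHCMSU7</string>
    <key>com.apple.security.application-groups</key>
    <array><string>BGLHCMSU7.com.sample.simplefirewall</string></array>
    <key>com.apple.developer.networking.networkextension</key>
    <array><string>content-filter-provider-systemextension</string></array>
  </dict>
</dict></plist>"""


def load_plist(data: bytes) -> dict:
    return plistlib.loads(data)


def _granted(signed_value, profile_value) -> bool:
    """Does the profile grant at least what the binary claims for one key?"""
    if isinstance(signed_value, bool):
        return profile_value is True
    if isinstance(signed_value, list):
        return isinstance(profile_value, list) and all(v in profile_value for v in signed_value)
    if isinstance(signed_value, str) and isinstance(profile_value, str) and profile_value.endswith("*"):
        return signed_value.startswith(profile_value[:-1])   # wildcard App ID such as TEAMID.*
    return signed_value == profile_value


def check_entitlements(bundle_id: str, signed: dict, profile: dict) -> list:
    """Return inconsistencies between the signed entitlements and the profile.

    Empty list: profile unexpired and issued to the signing team, the
    application-identifier is TeamID.CFBundleIdentifier and is covered by the
    profile's App ID, and every restricted entitlement is granted by the profile.
    """
    problems = []
    now = datetime.now(timezone.utc).replace(tzinfo=None)   # plistlib dates are naive UTC
    if profile.get("ExpirationDate", now) < now:
        problems.append("profile expired on %s" % profile["ExpirationDate"])

    team = signed.get("com.apple.developer.team-identifier")
    if team not in profile.get("TeamIdentifier", []):
        problems.append("team-identifier %r is not in the profile's TeamIdentifier" % team)

    granted = profile.get("Entitlements", {})
    app_id = signed.get("com.apple.application-identifier")
    expected = "%s.%s" % (team, bundle_id)
    if app_id != expected:
        problems.append("application-identifier is %r, expected %r (TeamID.CFBundleIdentifier)" % (app_id, expected))
    if not _granted(app_id, granted.get("com.apple.application-identifier")):
        problems.append("application-identifier %r is not covered by the profile's App ID %r"
                        % (app_id, granted.get("com.apple.application-identifier")))

    for key, value in signed.items():
        if key in IDENTITY_KEYS:
            continue
        if key not in granted:
            if not key.startswith(UNRESTRICTED_PREFIX):
                problems.append("%s is in the signed binary but not granted by the profile" % key)
            continue
        if not _granted(value, granted[key]):
            problems.append("%s: signed value %r is not covered by profile value %r" % (key, value, granted[key]))
    return problems


def with_app_id(signed: dict, bundle_id: str) -> dict:
    """Copy of the entitlements with application-identifier rebuilt from the team ID and bundle ID."""
    fixed = dict(signed)
    fixed["com.apple.application-identifier"] = "%s.%s" % (signed["com.apple.developer.team-identifier"], bundle_id)
    return fixed


if __name__ == "__main__":
    signed, profile = load_plist(SIGNED_EXT_ENTITLEMENTS), load_plist(EXT_PROFILE)
    for p in check_entitlements(EXT_BUNDLE_ID, signed, profile):
        print("as posted:", p)
    print("after fixing the App ID:", check_entitlements(EXT_BUNDLE_ID, with_app_id(signed, EXT_BUNDLE_ID), profile))
```

Run against the constructed inputs, the script reports the reused container App ID twice (it neither matches the extension's bundle ID nor is it covered by the profile) and nothing else; with the App ID rebuilt for the extension it reports no inconsistencies. An expired profile, a profile from another team, or a capability such as the networkextension array that the profile does not grant are reported the same way, which is the comparison step 8 above does not cover on its own.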