Developer ID PP for app with Netwo… | Apple Developer Forums

Developer Forums

I can't find a way how to create a Developer ID Provisioning profile with Network Extension entitlements. On developer.apple.com I have App ID with "Network Extensions" selected. Then I create a Developer ID provisioning profile for this app.
When I try to export this app in xcode, I always get the same error:

"Profile doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement."

PP entitlement for network extension looks like this:

Code Block <key>com.apple.developer.networking.networkextension</key>
		<array>
				<string>packet-tunnel-provider-systemextension</string>
				<string>app-proxy-provider-systemextension</string>
				<string>content-filter-provider-systemextension</string>
				<string>dns-proxy-systemextension</string>
				<string>dns-settings</string>
		</array>

Any ideas what's wrong?

4k

Posted by

jaroslavqwerty

Reply

Accepted Reply

Does it mean it's impossible to distribute apps with Network Extensions outside Mac AppStore?

It is absolutely possible to distribute Developer ID Network Extension apps outside the Mac App Store. There is just a discrepancy between the Developer ID Provisioning Profile and the Entitlements on your container app, or your Network System Extension. Double check the difference between both of your profiles and the entitlements on the app and extension.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Posted by

meaton

Replies

A few things to try:

1) Try and remove the list of providers to just the one(s) you are using in your app and then run your app with automatic signing to attempt to update the values on your identifier in the Developer Portal. Then switch to manual signing and recreate your Developer ID profiles and edit your entitlement file in your app to match the shorten list of providers on your profile. Try that and see if it improves your situation.

2) If (1) does not work then you need to take a look at what entitlements your archive is being signed with to see what the mismatch is between your profile and your archive before it's exported. For more on that, checkout QA 1798.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Posted by

meaton

Thanks for suggestion. I've switched to automatic signing and when I'm trying to export an app with Developer ID signing, I get an error:

Cannot create a Developer ID provisioning profile for "my app bundle"
The Network Extensions capability is not available for Developer ID provisioning profiles. Disable this feature and try again.

Does it mean it's impossible to distribute apps with Network Extensions outside Mac AppStore?

Posted by

jaroslavqwerty

Found this page, that suggests it should be available: https://help.apple.com/developer-account/#/devadf555df9

Posted by

jaroslavqwerty

Does it mean it's impossible to distribute apps with Network Extensions outside Mac AppStore?

It is absolutely possible to distribute Developer ID Network Extension apps outside the Mac App Store. There is just a discrepancy between the Developer ID Provisioning Profile and the Entitlements on your container app, or your Network System Extension. Double check the difference between both of your profiles and the entitlements on the app and extension.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Posted by

meaton

OK, now that I've looked at it more closely, I've found that generated PPs all have "-systemextension" appended to their values. Whereas apps entitlement doesn't have that. I've went through PP setting on developer.apple.com but can't find a way to get rid of those appendices. What are they for?

Posted by

jaroslavqwerty

@meaton - regarding "It is absolutely possible to distribute Developer ID Network Extension apps outside the Mac App Store" - are you sure it's possible to distribute Network Extension apps with Developer ID outside the Mac App Store? Or did you mean to Network System Extension?
Edit: I'm talking about Packet tunnel providers,
according to
https://developer.apple.com/documentation/networkextension/packet_tunnel_provider:

Packet tunnel providers are supported in iOS and in macOS for Mac App Store apps only.

Posted by

roee84

@roee84, good point. A Network System Extension, which can be a Packet Tunnel Provider, can be distributed via Developer ID outside the macOS App Store or on the macOS App Store. The documentation that you have referenced is outdated, but is a good point to bring up, so thank you for calling that to my attention.

I've found that generated PPs all have "-systemextension" appended to their values. Whereas apps entitlement doesn't have that. I've went through PP setting on developer.apple.com but can't find a way to get rid of those appendices. What are they for?

These values are there to make sure that System Extensions that are signed with Developer ID can be identified easily as opposed to those using just the normal Network Extension capability.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Posted by

meaton

OK, but now the question is how to make XCode project work for signing with both Developer ID and simple development PPs?

If I add "-systemextension" to all network extension capabilities in entitlements file, XCode accepts my Developer ID. But now it complains if I select PP for development (with type: Development), because this one, when downloaded from developer.apple.com has network extension capabilities without "-systemextension".

Posted by

jaroslavqwerty

OK, but now the question is how to make XCode project work for signing with both Developer ID and simple development PPs?

There are many ways to do this and I can just suggest a few that developers commonly use. You will have to decide for yourself what works best for your project and your team.

1) You could use two, or more, different configurations for signing, building and testing. For example, you could setup a Release configuration that builds manually with Developer ID only. Then you could setup a Debug configuration that automatically signs with an Xcode managed profile. The downside here is getting things mixed up or the configurations tangled.

2) You could run both of your Debug and Release configuration with an automatically signed and Xcode managed profile until you needed to release. Then you could pull down a copy of your project and hand setup the Developer ID configurations, build, export, Notarize, etc..

I'm sure there are other options I'm forgetting here as well, but this could be a few options to evaluate.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Posted by

meaton

For future reference:
Working solution is to have two entitlements files, one of them having "-systemextension" added where needed and build settings setup in a way, that will use one file for debug build and other for release.

Posted by

jaroslavqwerty

I did want to update this thread that the distribution information for Packet Tunnel Provider has now been updated.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Posted by

meaton

A similar question is asked here a year ago: https://developer.apple.com/forums/thread/116685
I'm assuming the answer is in the MacOS.entitlement file, add the suffix of -systemextension. Is this correct?

Posted by

joe_he

wasted my entire day fighting with this completely arbitrary and pointless limitation. that “updated” documentation doesn’t make it any clearer either. what if someone wants to support mojave and lower? oh wait we cant because of a credential bug in NE* series of binaries. i know apple engineers dont care about older OSes, but some companies actually do.

Posted by

lechium

this completely arbitrary and pointless limitation

This limitation is neither arbitrary nor pointless. Apple made a specific policy decision to support NE sysex (but not appex) providers in Developer ID apps, and these new entitlement values (the ones with the -systemextension suffix) were created to enforce that policy.

that “updated” documentation doesn’t make it any clearer either

I’m sorry to hear that. If you file a bug against the specific doc that you found unclear, we’ll see if we can address that.

Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by

eskimo

I'm use the newest XCode，entitlements file provider "Network Extensions" options for me, and it show without "-systemextension". when i try to change it. it compile fail. Is there any other way ?

—
tloong

it compile fail.

How does it fail?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by

eskimo

I'm change the "Network Extensions" from "DNS Proxy" to "dns-proxy-systemextension", then in "Signing & Capabilities" show me "Provisioning profile "Mac Team Provisioning Profile ”***“ doesn't match the entitlements file's value for the com.apple.developer.networking.networkeextension entitlement. it seems that xcode could not recognized the ”dns-proxy-systemextension“.

—
tloong