Convert app NE to system NE

I need to distribute my Mac VPN app through Developer ID.
As I understand, to do so I need to convert my app NE to a system. Is there any guide to do so?
I created a new system NE target and imported all files from the old target, but it looks like that's not enough. It doesn't work; in the console, when I try to establish a connection, I find these errors:

Code Block
neagent: NEAgentSession: failed to create the delegate
nesessionmanager: Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2 "(null)"


The new plist contains NEMachServiceName; probably I need to use it to establish the connection?

neagent: NEAgentSession: failed to create the delegate
nesessionmanager: Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2 "(null)"

It does look like you are experiencing issues communicating between your container app to your Network System Extension.

As I understand, to do so I need to convert my app NE to a system. Is there any guide to do so?

There is no guide to convert your Network Extension to a Network System Extension for signing/notarizing with Developer ID, but there are resources out there that can help with this:

If you have a working Network System Extension already in your macOS app using NETunnelProviderManager, this process should be more about reworking your entitlements for signing/notarizing rather than rebuilding your Network Extension entirely. Are you using NEVPNManager or NETunnelProviderManager for your VPN tunnel?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
I'm using NETunnelProviderManager.
For app NE I was getting paths of both the app and the extension using SecTrustedApplicationCreateFromPath, and storing those inside NETunnelProviderProtocol.passwordReference.kSecAttrAccess. you can check it out here: https://github.com/PhilipDukhov/wireguard-apple/blob/abc9819357bdc89b3f073adff179cc8c3250dd06/WireGuard/Shared/Keychain.swift#L43-L72

I changed the path to match the system extension, but as SecTrustedApplicationCreateFromPath is deprecated, maybe there's another way?
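The thread keeps coming back to how passwordReference is produced. As an added example (not code from this thread or from the linked WireGuard project), the following shows the plain way to get that value: store the item with SecItemAdd and ask for a persistent reference, without SecTrustedApplicationCreateFromPath or a per-application ACL. The service name, account name, bundle identifier and server address are placeholders, and the sample does not address the point raised later in the thread that a Network System Extension reads the System keychain while the container app does not; the item still has to live where the provider process can read it.

```swift
import Foundation
import Security
import NetworkExtension

// Added example, not the thread's or the WireGuard project's code.
// Stores the tunnel configuration as a generic-password item and returns the
// persistent keychain reference that NETunnelProviderProtocol.passwordReference
// expects. No kSecAttrAccess ACL is attached, so the deprecated
// SecTrustedApplicationCreateFromPath is not needed.

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
    case noPersistentRef
}

/// Saves `config` under (service, account) and returns a persistent reference.
/// An existing item with the same service/account is removed first so the
/// reference always points at the current configuration.
func storeTunnelConfig(_ config: Data, service: String, account: String) throws -> Data {
    let lookup: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
    ]
    let deleteStatus = SecItemDelete(lookup as CFDictionary)
    guard deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound else {
        throw KeychainError.unexpectedStatus(deleteStatus)
    }

    var attributes = lookup
    attributes[kSecValueData] = config
    attributes[kSecReturnPersistentRef] = true

    var result: CFTypeRef?
    let addStatus = SecItemAdd(attributes as CFDictionary, &result)
    guard addStatus == errSecSuccess else {
        throw KeychainError.unexpectedStatus(addStatus)
    }
    guard let ref = result as? Data else {
        throw KeychainError.noPersistentRef
    }
    return ref
}

/// Resolves a persistent reference back to the stored config. This is what the
/// provider side does with protocolConfiguration.passwordReference; a non-zero
/// status here is the first thing to log when the tunnel fails to start.
func loadTunnelConfig(persistentRef: Data) throws -> Data {
    let query: [CFString: Any] = [
        kSecValuePersistentRef: persistentRef,
        kSecReturnData: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    guard let data = result as? Data else { throw KeychainError.noPersistentRef }
    return data
}

/// Wires the reference into the tunnel protocol before the manager is saved.
/// Bundle identifier, server address, service and account are placeholders.
func configureProtocol(config: Data) throws -> NETunnelProviderProtocol {
    let proto = NETunnelProviderProtocol()
    proto.providerBundleIdentifier = "com.example.app.network-extension" // placeholder
    proto.serverAddress = "vpn.example.invalid"                           // placeholder
    proto.passwordReference = try storeTunnelConfig(
        config,
        service: "com.example.app.tunnel-config", // placeholder service name
        account: "wg0")                            // placeholder account name
    return proto
}
```

Keeping the item a plain generic password and letting the provider resolve it by persistent reference separates the "can the extension read the keychain at all" question from the ACL question, which is the order Matt recommends: get the tunnel up first, then tighten access.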

As I understand, to do so I need to convert my app NE to a system. Is there any guide to do so?

Did you get your original issue solved?

The reason I ask is that this reference:

For app NE I was getting paths of both the app and the extension using SecTrustedApplicationCreateFromPath, and storing those inside NETunnelProviderProtocol.passwordReference.kSecAttrAccess. you can check it out here:

Looks like a completely different issue. As a side note, passwordReference is just what it sounds like: "A persistent keychain reference to a keychain item containing the password component of the tunneling protocol authentication credential."

Something to consider here is that the container app and the Network System Extension run as different users so sharing access to an item in the Keychain can be problematic. For example the Network System Extension accesses the system keychain and the container app does not. What are you trying to do with the Keychain?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
No, it's still the original issue.

I'm customizing a custom VPN protocol (WireGuard) app and trying to distribute it under Developer ID. A sample config for a connection looks like this:
Code Block
"""
[Interface]
PrivateKey = KDTZM/UpefTAosZmr75D4efcRrBYmbhSFguBye+692s=
Address = 10.19.49.15/24, fd9d:bc11:4021::f/48
DNS = 172.26.246.127, fd4d:5a50:c7b:ed79:dbf6:bd7b:ca:f67f
[Peer]
PublicKey = wabNFqEBREl8rfHzJiYKqu+PZ54cwYEz0OiJZCZLwX8=
PresharedKey = URrUUCS6Cg6TsgPTZmcYw5pyPpsIxJLnQ9+O9waZliE=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 66.42.59.203:51820
"""

Both config and info about extension path are stored inside passwordReference:
Code Block
NETunnelProviderManager.protocolConfiguration.passwordReference
= SecAccessCreate([
kSecAttrAccess: SecAccessCreate(extensionPath, mainPath),
kSecValueData: config
]
)

(it's not the real code, just the basic structure)

That's how the tunnel connection gets created. I had to change this code, as the system extension location is different from an app's. Also, as the system NE minimum deployment target is 10.15, these warnings appeared, and that's why I think it may be a problem.

I've inspected all the articles I found about this issue and I think I've updated all the needed entitlements; that's why I'm looking in other directions.

Is there any sample app with a working system NE example? I haven't found one

Is there any sample app with a working system NE example? I haven't found one

For macOS, no, there is no sample app NE example.


NETunnelProviderManager.protocolConfiguration.passwordReference
= SecAccessCreate([
kSecAttrAccess: SecAccessCreate(extensionPath, mainPath),
kSecValueData: config
]
)

My recommendation would be to remove the access checks and get this up and running first. Then, add the needed access check for your container app as needed. Remember the container app will be the one prompted for the access check to start the VPN. Also remember that the Network System Extension and container app access different keychains.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
I tried to clear passwordReference; it didn't help.
I also found the following method: activationRequestForExtension:queue:. I probably need to use it in order to use the system extension? I tried it, and the delegate returned an error: Error Domain=OSSystemExtensionErrorDomain Code=9 "Invalid extension configuration in Info.plist and/or entitlements"

I checked the entitlements with codesign -d --entitlements :- for both the app and the extension:

Code Block
Executable=/Users/dukhovphilip/Library/Developer/Xcode/DerivedData/WireGuard-dxjzqlxikgrrenbizfcyqonlyzgv/Build/Products/Debug/Bubble SecurityCloud.app/Contents/MacOS/Bubble SecurityCloud
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>FVMDZDYX72.com.bubble.bubble-vpn</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
</array>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string>FVMDZDYX72</string>
<key>com.apple.security.application-groups</key>
<array>
<string>FVMDZDYX72.group.com.bubble.bubble-vpn</string>
</array>
<key>com.apple.security.get-task-allow</key>
<true/>
</dict>
</plist>

Code Block
Executable=/Users/dukhovphilip/Library/Developer/Xcode/DerivedData/WireGuard-dxjzqlxikgrrenbizfcyqonlyzgv/Build/Products/Debug/Bubble SecurityCloud.app/Contents/Library/SystemExtensions/com.bubble.bubble-vpn.network-extension.systemextension/Contents/MacOS/com.bubble.bubble-vpn.network-extension
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>FVMDZDYX72.com.bubble.bubble-vpn.network-extension</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
</array>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string>FVMDZDYX72</string>
<key>com.apple.security.application-groups</key>
<array>
<string>FVMDZDYX72.group.com.bubble.bubble-vpn</string>
</array>
<key>com.apple.security.get-task-allow</key>
<true/>
</dict>
</plist>

and the Info.plists:
Code Block
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ATSApplicationFontsPath</key>
<string>.</string>
<key>BuildMachineOSBuild</key>
<string>20B29</string>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleExecutable</key>
<string>Bubble SecurityCloud</string>
<key>CFBundleIconFile</key>
<string>AppIcon</string>
<key>CFBundleIconName</key>
<string>AppIcon</string>
<key>CFBundleIdentifier</key>
<string>com.bubble.bubble-vpn</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>Bubble SecurityCloud</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>1.2.7</string>
<key>CFBundleSupportedPlatforms</key>
<array>
<string>MacOSX</string>
</array>
<key>CFBundleVersion</key>
<string>202010031609</string>
<key>DTCompiler</key>
<string>com.apple.compilers.llvm.clang.1_0</string>
<key>DTPlatformBuild</key>
<string>12B45b</string>
<key>DTPlatformName</key>
<string>macosx</string>
<key>DTPlatformVersion</key>
<string>11.0</string>
<key>DTSDKBuild</key>
<string>20A2408</string>
<key>DTSDKName</key>
<string>macosx11.0</string>
<key>DTXcode</key>
<string>1220</string>
<key>DTXcodeBuild</key>
<string>12B45b</string>
<key>ITSAppUsesNonExemptEncryption</key>
<false/>
<key>LSApplicationCategoryType</key>
<string>public.app-category.utilities</string>
<key>LSMinimumSystemVersion</key>
<string>10.15</string>
<key>LSMultipleInstancesProhibited</key>
<true/>
<key>LSUIElement</key>
<true/>
<key>NSHumanReadableCopyright</key>
<string>Copyright © 2020 Bubble, Inc. All Rights Reserved.</string>
<key>NSMainStoryboardFile</key>
<string>Empty</string>
<key>NSPrincipalClass</key>
<string>NSApplication</string>
<key>NSRequiresAquaSystemAppearance</key>
<true/>
<key>SMPrivilegedExecutables</key>
<dict>
<key>com.bubble.bubble-vpn.bubble-flexrouter-smjob</key>
<string>anchor apple generic and identifier "com.bubble.bubble-vpn.bubble-flexrouter-smjob" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = FVMDZDYX72)</string>
</dict>
</dict>
</plist>

Code Block
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>BuildMachineOSBuild</key>
<string>20B29</string>
<key>CFBundleDevelopmentRegion</key>
<string>en</string>
<key>CFBundleDisplayName</key>
<string>WireGuardNetworkExtension</string>
<key>CFBundleExecutable</key>
<string>com.bubble.bubble-vpn.network-extension</string>
<key>CFBundleIdentifier</key>
<string>com.bubble.bubble-vpn.network-extension</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>com.bubble.bubble-vpn.network-extension</string>
<key>CFBundlePackageType</key>
<string>XPC!</string>
<key>CFBundleShortVersionString</key>
<string>1.2.7</string>
<key>CFBundleSupportedPlatforms</key>
<array>
<string>MacOSX</string>
</array>
<key>CFBundleVersion</key>
<string>202010031609</string>
<key>DTCompiler</key>
<string>com.apple.compilers.llvm.clang.1_0</string>
<key>DTPlatformBuild</key>
<string>12B45b</string>
<key>DTPlatformName</key>
<string>macosx</string>
<key>DTPlatformVersion</key>
<string>11.0</string>
<key>DTSDKBuild</key>
<string>20A2408</string>
<key>DTSDKName</key>
<string>macosx11.0</string>
<key>DTXcode</key>
<string>1220</string>
<key>DTXcodeBuild</key>
<string>12B45b</string>
<key>ITSAppUsesNonExemptEncryption</key>
<false/>
<key>LSMinimumSystemVersion</key>
<string>10.15</string>
<key>NetworkExtension</key>
<dict>
<key>NEMachServiceName</key>
<string>FVMDZDYX72.com.bubble.bubble-vpn.network-extension</string>
<key>NEProviderClasses</key>
<dict>
<key>com.apple.networkextension.packet-tunnel</key>
<string>macDevIDNetworkExtension.PacketTunnelProvider</string>
</dict>
</dict>
</dict>
</plist>

Those look valid to me. What have I missed? Are there any other tools that can help me with diagnosing this?
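For the activationRequestForExtension:queue: step described in the post above, here is an added example (not code from this thread) of submitting the request from the container app with a delegate that logs the domain and code of a failure, so an OSSystemExtensionErrorDomain error such as the Code=9 shown above is visible in a readable log line together with the identifier that was requested. The bundle identifier is a placeholder; the identifier passed must equal the CFBundleIdentifier of the .systemextension bundle under Contents/Library/SystemExtensions.

```swift
import Foundation
import SystemExtensions

// Added example, not code from the thread. Wraps OSSystemExtensionRequest
// activation and reports each delegate callback. Identifier is a placeholder.

final class ExtensionActivator: NSObject, OSSystemExtensionRequestDelegate {
    private let identifier: String
    private let completion: (Result<OSSystemExtensionRequest.Result, Error>) -> Void

    init(identifier: String,
         completion: @escaping (Result<OSSystemExtensionRequest.Result, Error>) -> Void) {
        self.identifier = identifier
        self.completion = completion
    }

    /// Builds and submits the activation request; delegate callbacks arrive on the main queue.
    func activate() {
        let request = OSSystemExtensionRequest.activationRequest(
            forExtensionWithIdentifier: identifier, queue: .main)
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
    }

    // MARK: OSSystemExtensionRequestDelegate

    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction {
        // Replace an already-installed build of the same extension (typical while iterating).
        NSLog("Replacing %@ version %@ with %@", identifier,
              existing.bundleShortVersion, ext.bundleShortVersion)
        return .replace
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        // The user has to allow the extension in Security & Privacy before it can load.
        NSLog("System extension %@ is waiting for user approval", identifier)
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        completion(.success(result))
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        let nsError = error as NSError
        // OSSystemExtensionErrorDomain codes map to OSSystemExtensionError.Code;
        // code 9 (validationFailed) is the "Invalid extension configuration in
        // Info.plist and/or entitlements" case quoted in the post.
        let code = OSSystemExtensionError.Code(rawValue: nsError.code)
        NSLog("Activation of %@ failed: domain=%@ code=%ld (%@) validationFailed=%d",
              identifier, nsError.domain, nsError.code, nsError.localizedDescription,
              code == .validationFailed ? 1 : 0)
        completion(.failure(error))
    }
}

// Usage from the container app.
let activator = ExtensionActivator(identifier: "com.example.app.network-extension") { outcome in
    switch outcome {
    case .success(let result):
        // .completed, or .willCompleteAfterReboot when a restart is still required.
        NSLog("Activation finished with result %ld", result.rawValue)
    case .failure:
        break // already logged in the delegate
    }
}
activator.activate()
```

Two things worth checking before reading the code-9 message as an entitlement problem: the identifier string must match the extension's CFBundleIdentifier exactly (in this thread that value is com.bubble.bubble-vpn.network-extension, while the Info.plist above names the provider class under a different module prefix, macDevIDNetworkExtension), and activation of a system extension is only accepted for an app installed in /Applications unless systemextensionsctl developer on has been set on the test machine; the codesign paths above show the app being run from DerivedData.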

I am facing the same problem. @Philip: did you find out the problem?

@Philip_Dukhov I am also facing the same issue. Do you have a solution for this? Please help us if there is any solution.
