System Extension packet-tunnel NE not starting

Hi,
I am converting a working packet-tunnel Network Extension to distribute using Developer ID (system-extension). And I see that system-extension is getting registered but exiting. Please help. Thanks
NOTE:
  1. SIP is disabled

  2. Static Tunnel configuration.

  3. I have gone through lot of similar questions on the forums but not able to figure out what is happening.

  4. Removed NEMachService from the Info.plist since it was forcing me to add "application-group" and this was not part of the provisioning profile.


The following 2 messages in the logs seem suspicious
(NetworkExtension) [com.apple.networkextension:] Signature check failed: code failed to satisfy specified code requirement(s)

***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension ***.YYY]: IPC detached

NE Entitlements:


Code Block
<dict>
<key>com.apple.application-identifier</key>
<string>TEAM_ID.***.YYY.network-extension</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
</array>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string>TEAM_ID</string>
<key>keychain-access-groups</key>
<array>
<string>TEAM_ID.*</string>
</array>
</dict>


NE Provision profile:


Code Block
<key>Entitlements</key>
<dict>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
<string>dns-settings</string>
</array>
<key>com.apple.application-identifier</key>
<string>TEAM_ID.***.YYY.network-extension</string>
<key>keychain-access-groups</key>
<array>
<string>TEAM_ID.*</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>TEAM_ID</string>
</dict>


Logs:

Please see next post. Thanks

Logs:


Code Block
16432 0 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] Checking profile: YYYNENov6_10
16432 0 taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] allowing entitlement(s) for ***.YYY.network-extension due to provisioning profile (isUPP: 1)
1057 0 nesessionmanager: (Security) SecTrustEvaluateIfNecessary
1057 0 nesessionmanager: (NetworkExtension) [com.apple.networkextension:] Signature is valid and has the correct designated requirement
16463 0 ***.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] cannot open file at line 43353 of [378230ae7f]
16463 0 ***.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] os_unix.c:43353: (2) open(/var/db/DetachedSignatures) - No such file or directory
16463 0 ***.YYY.network-extension: (Security) SecTrustEvaluateIfNecessary
16463 0 ***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] Signature check failed: code failed to satisfy specified code requirement(s)
16463 0 ***.YYY.network-extension: (libnetwork.dylib) [com.apple.network:] nw_path_evaluator_start [33B7A514-5833-43B2-A4AE-1329F4B52D43 <NULL> generic, indefinite]
0 0 kernel: utun_ctl_connect: creating interface utun2 (id utunid2)
0 0 kernel: ifnet_attach: Waiting for all kernel threads created for interface utun2 to get scheduled at least once.
0 0 kernel: ifnet_attach: All kernel threads created for interface utun2 have been scheduled at least once. Proceeding.
244 0 mDNSResponder: [com.apple.mDNSResponder:Default] <private>
113 0 configd: (libnetwork.dylib) [com.apple.network:] network_config_check_interface_settings Checking interface settings
0 0 kernel: utun2: is now delegating en0 (type 0x6, family 2, sub-family 3)
252 0 nehelper: (Network) [com.apple.network:] -[NWPrivilegedHelper startXPCListener]_block_invoke client pid 113 does not have any known entitlement
1057 0 nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Plugin NEVPNTunnelPlugin(***.YYY[16463]) initialized with Mach-O UUIDs (
113 0 configd: (libnetwork.dylib) [com.apple.network:] networkd_privileged_check_interface_settings_block_invoke received XPC_ERROR_CONNECTION_INVALID
1057 0 nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(***.YYY[16463]) started with PID 16463 error (null)
16463 0 ***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension ***.YYY]: Calling startTunnelWithOptions with options 0x7f85e9d0d3e0
16463 0 ***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension ***.YYY]: IPC detached
1057 0 nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(***.YYY[16463]) did detach from IPC
1057 0 nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(***.YYY[16463]) disconnected with reason Plugin initiated
1057 0 nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Leaving state NESMVPNSessionStateStarting
1057 0 nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Entering state NESMVPNSessionStateStopping, timeout 20 seconds
1057 0 nesessionmanager: [com.apple.networkextension:] <NESMServer: 0x7f979e504160>: Request to uninstall session: NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]
1057 0 nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: status changed to disconnecting
1057 0 nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Updated network agent (inactive, compulsory, not-user-activiated, not-kernel-activated)
1057 0 nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Leaving state NESMVPNSessionStateStopping
1057 0 nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Entering state NESMVPNSessionStateDisposing, timeout 5 seconds
0 0 kernel: ifnet_detach_final: Waiting for IO references on utun2 interface to be released
16463 0 ***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] SIOCGIFMTU failed: Device not configured
16463 0 ***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] NEVirtualInterfaceAdjustReadBufferSize: interface_get_mtu failed (6), defaulting to max mtu
16463 0 ***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension ***.YYY]: Session manager connection was invalidated
16463 0 ***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension ***.YYY]: Deallocating

So the good news is that your project is getting off the ground. The reason why I mention this is because usually major entitlement issues when signed with Developer ID can cause an actual crash in your program when started. That does not seem to be the case here, but rather you have configuration issues.

First, before you do anything, enable SIP. This will allow you to build in an environment that is equivalent to what your users see. This is will also bring to the surface any Security/Code Signing issues that you are suppressing by disabling SIP.

16463 0 *.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] cannot open file at line 43353 of [378230ae7f]
16463 0
*.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] os_unix.c:43353: (2) open(/var/db/DetachedSignatures) - No such file or directory
16463 0 *.YYY.network-extension: (Security) SecTrustEvaluateIfNecessary
16463 0
*.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] Signature check failed: code failed to satisfy specified code requirement(s)

Do you have a Sandbox on both your Container App and Network Extension? If you do not, please add one as this is a requirement no matter if you are distributing via Mac App Store or via Developer ID.

There are a few other failures in your log, but let's see what you get after enabling SIP and adding a Sandbox to both targets.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Thanks for the pointers Matt. I am seeing 2 issues in the logs after I enabled SIP. I notarized the app already.
  1. Signature errors

  2. Crash because of Sandboxing

The second part of the logs are pasted in the next post.

Please NOTE: The NE is based on open-source Wireguard protocol written in Golang.

Logs


Code Block
349 0 secinitd: *.YYY.network-extension[3542]: root path for bundle "<private>" of main executable "<private>"
349 0 secinitd: (Security) SecTrustEvaluateIfNecessary
349 0 secinitd: (Security) SecTrustEvaluateIfNecessary
349 0 secinitd: *.YYY.network-extension[3542]: AppSandbox request successful
404 0 nesessionmanager: (Security) SecTrustEvaluateIfNecessary
404 0 nesessionmanager: (Security) SecTrustEvaluateIfNecessary
404 0 nesessionmanager: (NetworkExtension) [com.apple.networkextension:] Signature is valid and has the correct designated requirement
3542 0 *.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] cannot open file at line 43353 of [378230ae7f]
3542 0 *.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] os_unix.c:43353: (2) open(/var/db/DetachedSignatures) - No such file or directory
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) SecItemCopyMatching
3542 0 *.YYY.network-extension: (Security) SecItemCopyMatching_ios
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:xpc] Adding securityd connection to pool, total now 1
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:SecCritical] Failed to talk to secd after 4 attempts.
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:xpc] got event: Connection invalid
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:storagemgr] using system preferences
3542 0 *.YYY.network-extension: (CoreFoundation) Loading Preferences From System CFPrefsD
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) SecItemCopyMatching
3542 0 *.YYY.network-extension: (Security) SecItemCopyMatching_ios
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:SecCritical] Failed to talk to secd after 4 attempts.
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) CMSDecoderCopySignerStatus failed with kCMSSignerInvalidSignature error (3)
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] MacOS error: -67061
3542 0 *.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] Signature check failed: invalid signature (code or signature have been modified)
3542 0 *.YYY.network-extension: (libnetwork.dylib) [com.apple.network:] nw_path_evaluator_start [10272E98-45FB-4020-A6D6-CFB656C37389 <NULL> generic, indefinite]
0 0 kernel: utun_ctl_connect: creating interface utun2 (id utunid2)
0 0 kernel: ifnet_attach: Waiting for all kernel threads created for interface utun2 to get scheduled at least once.
0 0 kernel: ifnet_attach: All kernel threads created for interface utun2 have been scheduled at least once. Proceeding.
0 0 kernel: utun2: is now delegating en0 (type 0x6, family 2, sub-family 3)
114 0 configd: (libnetwork.dylib) [com.apple.network:] network_config_check_interface_settings Checking interface settings
404 0 nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId8:5E99863B-1189-4C78-BE90-F27D4D1D1461:(null)]: Plugin NEVPNTunnelPlugin(*.YYY[3542]) initialized with Mach-O UUIDs (
210 0 nehelper: (Network) [com.apple.network:] -[NWPrivilegedHelper startXPCListener]_block_invoke client pid 114 does not have any known entitlement
114 0 configd: (libnetwork.dylib) [com.apple.network:] networkd_privileged_check_interface_settings_block_invoke received XPC_ERROR_CONNECTION_INVALID
404 0 nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId8:5E99863B-1189-4C78-BE90-F27D4D1D1461:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(*.YYY[3542]) started with PID 3542 error (null)
3542 0 *.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension *.YYY]: Calling startTunnelWithOptions with options 0x7fa48ee100d0
114 0 configd: [com.apple.SystemConfiguration:IPMonitor] network changed
3542 0 *.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension *.YYY]: IPC detached

**Logs 2nd part:



Code Block **
Error 0x0 164 0 sandboxd: [com.apple.sandbox.reporting:violation] Sandbox: ***.XXXAgent(3542) deny(1) file-write-data /private/var/db/mds/system/mds.lock
Violation: deny(1) file-write-data /private/var/db/mds/system/mds.lock
Process: ***.XXXAgent [3542]
Path: /Library/SystemExtensions/34C6B073-2035-4CA4-B055-2C2FDD1C8BCF/***.YYY.network-extension.systemextension/Contents/MacOS/***.YYY.network-extension
Identifier: ***.YYY.network-extension
Version: 1 (1.0)
Parent Process: launchd [1]
Responsible: /Library/SystemExtensions/34C6B073-2035-4CA4-B055-2C2FDD1C8BCF/***.YYY.network-extension.systemextension/Contents/MacOS/***.YYY.network-extension
OS Version: Mac OS X 10.15.7 (19H15)
Report Version: 8
MetaData: {"action":"deny","responsible-process-user-uuid":"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000","uid":0,"summary":"deny(1) file-write-data \/private\/var\/db\/mds\/system\/mds.lock","path":"\/private\/var\/db\/mds\/system\/mds.lock","normalized_target":["private","var","db","mds","system","mds.lock"],"pid":3542,"flags":5,"errno":1,"hardlinked":false,"platform-binary":false,"signing-id":"***.YYY.network-extension","team-id":"TEAM_ID","primary-filter-value":"\/private\/var\/db\/mds\/system\/mds.lock","process":"***.XXXAgent","build":"Mac OS X 10.15.7 (19H15)","target":"\/private\/var\/db\/mds\/system\/mds.lock","container":"\/private\/var\/root\/Library\/Containers\/***.YYY.network-extension\/Data","operation":"file-write-data","primary-filter":"path","matched-extension":false,"vnode-type":"REGULAR-FILE","platform_binary":"no","profile-in-collection":false,"process-path":"\/Library\/SystemExtensions\/34C6B073-2035-4CA4-B055-2C2FDD1C8BCF\/***.YYY.network-extension.systemextension\/Contents\/MacOS\/***.YYY.network-extension","hardware":"Mac","responsible-process-uid":0,"responsible-process-path":"\/Library\/SystemExtensions\/34C6B073-2035-4CA4-B055-2C2FDD1C8BCF\/***.YYY.network-extension.systemextension\/Contents\/MacOS\/***.YYY.network-extension","matched-user-intent-extension":false,"file-flags":0,"rdev":0,"platform-policy":false,"mount-rdev":16777221,"profile-flags":0,"apple-internal":false}
............................
Thread 3 (id: 47400):
0 libsystem_kernel.dylib 0x00007fff717b66a2 open + 10
1 Security 0x00007fff43eddeb7 Security::MDSSession::updateDataBases() + 1303
2 Security 0x00007fff43f3f705 Security::MDSSession::DbOpen(char const*, cssm_net_address const*, unsigned int, Security::AccessCredentials const*, void const*, long&) + 95
3 Security 0x00007fff43f3f59c mds_DbOpen(long, char const*, cssm_net_address const*, unsigned int, cssm_access_credentials const*, void const*, long*) + 261
4 Security 0x00007fff43edd5d5 Security::MDSClient::Directory::cdsa() const + 107
5 Security 0x00007fff44036031 Security::MDSClient::Directory::dlGetFirst(cssm_query const&, cssm_db_record_attribute_data&, cssm_data*, cssm_db_unique_record*&) + 57
6 Security 0x00007fff43edd113 Security::CssmClient::Table<Security::MDSClient::Common>::startQuery(Security::CssmQuery const&, bool) + 253
7 Security 0x00007fff43edcc9f Security::CssmClient::Table<Security::MDSClient::Common>::fetch(Security::CssmClient::Query const&, int) + 121
8 Security 0x00007fff43edbaf3 CSSM_ModuleLoad + 643
9 Security 0x00007fff43edb3ae Security::CssmClient::ModuleImpl::activate() + 194
10 Security 0x00007fff43edb1a8 Security::CssmClient::AttachmentImpl::activate() + 130
11 Security 0x00007fff43edb088 Security::KeychainCore::Certificate::clHandle() + 166
12 Security 0x00007fff440e7ef2 SecCertificateGetCLHandle_legacy + 22
13 Security 0x00007fff4404b116 CERT_GetCertIssuerAndSN + 131
14 Security 0x00007fff4404af1d CERT_FindCertByIssuerAndSN + 112
15 Security 0x00007fff4404c0e4 SecCmsSignerInfoGetSigningCertificate + 80
16 Security 0x00007fff440537cf SecCmsSignedDataVerifySignerInfo + 271
17 Security 0x00007fff44054226 CMSDecoderCopySignerStatus + 171
18 Security 0x00007fff44068210 Security::CodeSigning::SecStaticCode::validateDirectory() + 958
19 Security 0x00007fff4406b393 Security::CodeSigning::SecStaticCode::validateNonResourceComponents() + 15
20 Security 0x00007fff44058945 Security::CodeSigning::SecCode::checkValidity(unsigned int) + 219
21 Security 0x00007fff4405f0f4 SecCodeCheckValidityWithErrors + 87
22 NetworkExtension 0x00007fff3e2133c2 NEVerifyDesignatedRequirement + 206
23 NetworkExtension 0x00007fff3e0c75fa +[NEExtensionPacketTunnelProviderContext extensionHasACRequirement] + 94
24 NetworkExtension 0x00007fff3e1c1ff1 -[NEPacketTunnelProvider initWithVirtualInterfaceType:] + 37
25 ***.YYY.network-extension 0x0000000102c14638 PacketTunnelProvider.init() + 488 (PacketTunnelProvider.swift:9)
26 ***.YYY.network-extension 0x0000000102c1465f @objc PacketTunnelProvider.init() + 15 (<compiler-generated>:0)
27 NetworkExtension 0x00007fff3e0c8bd2 -[NEExtensionProviderContext createWithCompletionHandler:] + 398
28 Foundation 0x00007fff39d1e413 NSXPCCONNECTION_IS_CALLING_OUT_TO_EXPORTED_OBJECT_S1__ + 10
29 Foundation 0x00007fff39ca88de -[NSXPCConnection _decodeAndInvokeMessageWithEvent:flags:] + 2363
30 Foundation 0x00007fff39c5fa49 message_handler + 210
31 libxpc.dylib 0x00007fff718b922c _xpc_connection_call_event_handler + 56
32 libxpc.dylib 0x00007fff718b813b _xpc_connection_mach_event + 934
33 libdispatch.dylib 0x00007fff7161b6f8 _dispatch_client_callout4 + 9

Thanks for the pointers Matt. I am seeing 2 issues in the logs after I enabled SIP. I notarized the app already.
Signature errors
Crash because of Sandboxing

This may not seem like progress, but I think that it is because you are using the Sandbox and you are no longer masking a previously unhandled crash by disabling SIP.

Checkout the following:
Code Block
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:SecCritical] Failed to talk to secd after 4 attempts.
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542 0 *.YYY.network-extension: (Security) CMSDecoderCopySignerStatus failed with kCMSSignerInvalidSignature error (3)
3542 0 *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] MacOS error: -67061
3542 0 *.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] Signature check failed: invalid signature (code or signature have been modified)
3542 0 *.YYY.network-extension: (libnetwork.dylib) [com.apple.network:] nw_path_evaluator_start [10272E98-45FB-4020-A6D6-CFB656C37389 <NULL> generic, indefinite]


You have an issue with your code signature. From here I would take a look at Quinn's post on Signing a Mac Product For Distribution. This is a great reference for working out signing issues with both Developer ID and the Mac App Store.

And also see, Resolving Common Notarization Issues.



Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
System Extension packet-tunnel NE not starting
 
 
Q