System Extension packet-tunnel NE not starting

Code Signing Entitlements
LaxmanT OP
Created Nov ’20
Replies 5
Boosts 0
Views 2.5k
Participants 2
Hi,
I am converting a working packet-tunnel Network Extension to distribute using Developer ID (system-extension). And I see that system-extension is getting registered but exiting. Please help. Thanks
NOTE:

  1. SIP is disabled

  2. Static Tunnel configuration.

  3. I have gone through lot of similar questions on the forums but not able to figure out what is happening.

  4. Removed NEMachService from the Info.plist since it was forcing me to add "application-group" and this was not part of the provisioning profile.


The following 2 messages in the logs seem suspicious
(NetworkExtension) [com.apple.networkextension:] Signature check failed: code failed to satisfy specified code requirement(s)

***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension ***.YYY]: IPC detached

NE Entitlements:


Code Block 
<dict>
	<key>com.apple.application-identifier</key>
	<string>TEAM_ID.***.YYY.network-extension</string>
	<key>com.apple.developer.networking.networkextension</key>
		<array>
				<string>packet-tunnel-provider-systemextension</string>
		</array>
	<key>com.apple.developer.system-extension.install</key>
	<true/>
	<key>com.apple.developer.team-identifier</key>
	<string>TEAM_ID</string>
	<key>keychain-access-groups</key>
	<array>
		<string>TEAM_ID.*</string>
	</array>
</dict>


NE Provision profile:


Code Block 
	<key>Entitlements</key>
	<dict>
				
				<key>com.apple.developer.system-extension.install</key>
		<true/>
				
				<key>com.apple.developer.networking.networkextension</key>
		<array>
				<string>packet-tunnel-provider-systemextension</string>
				<string>app-proxy-provider-systemextension</string>
				<string>content-filter-provider-systemextension</string>
				<string>dns-proxy-systemextension</string>
				<string>dns-settings</string>
		</array>
				
				<key>com.apple.application-identifier</key>
		<string>TEAM_ID.***.YYY.network-extension</string>
				
				<key>keychain-access-groups</key>
		<array>
				<string>TEAM_ID.*</string>
		</array>
				
				<key>com.apple.developer.team-identifier</key>
		<string>TEAM_ID</string>
	</dict>


Logs:

Please see next post. Thanks
Replies  5
Boosts  0
Views  2.5k
Participants  2
LaxmanT OP
Nov ’20

Logs:


Code Block 
16432  0    taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] Checking profile: YYYNENov6_10
16432  0    taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] allowing entitlement(s) for ***.YYY.network-extension due to provisioning profile (isUPP: 1)
1057   0    nesessionmanager: (Security) SecTrustEvaluateIfNecessary
1057   0    nesessionmanager: (NetworkExtension) [com.apple.networkextension:] Signature is valid and has the correct designated requirement
16463  0    ***.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] cannot open file at line 43353 of [378230ae7f]
16463  0    ***.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] os_unix.c:43353: (2) open(/var/db/DetachedSignatures) - No such file or directory
16463  0    ***.YYY.network-extension: (Security) SecTrustEvaluateIfNecessary
16463  0    ***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] Signature check failed: code failed to satisfy specified code requirement(s)
16463  0    ***.YYY.network-extension: (libnetwork.dylib) [com.apple.network:] nw_path_evaluator_start [33B7A514-5833-43B2-A4AE-1329F4B52D43 <NULL> generic, indefinite]
0      0    kernel: utun_ctl_connect: creating interface utun2 (id utunid2)
0      0    kernel: ifnet_attach: Waiting for all kernel threads created for interface utun2 to get scheduled at least once.
0      0    kernel: ifnet_attach: All kernel threads created for interface utun2 have been scheduled at least once. Proceeding.
244    0    mDNSResponder: [com.apple.mDNSResponder:Default] <private>
113    0    configd: (libnetwork.dylib) [com.apple.network:] network_config_check_interface_settings Checking interface settings
0      0    kernel: utun2: is now delegating en0 (type 0x6, family 2, sub-family 3)
252    0    nehelper: (Network) [com.apple.network:] -[NWPrivilegedHelper startXPCListener]_block_invoke client pid 113 does not have any known entitlement
1057   0    nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Plugin NEVPNTunnelPlugin(***.YYY[16463]) initialized with Mach-O UUIDs (
113    0    configd: (libnetwork.dylib) [com.apple.network:] networkd_privileged_check_interface_settings_block_invoke received XPC_ERROR_CONNECTION_INVALID
1057   0    nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(***.YYY[16463]) started with PID 16463 error (null)
16463  0    ***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension ***.YYY]: Calling startTunnelWithOptions with options 0x7f85e9d0d3e0
16463  0    ***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension ***.YYY]: IPC detached
1057   0    nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(***.YYY[16463]) did detach from IPC
1057   0    nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(***.YYY[16463]) disconnected with reason Plugin initiated
1057   0    nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Leaving state NESMVPNSessionStateStarting
1057   0    nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Entering state NESMVPNSessionStateStopping, timeout 20 seconds
1057   0    nesessionmanager: [com.apple.networkextension:] <NESMServer: 0x7f979e504160>: Request to uninstall session: NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]
1057   0    nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: status changed to disconnecting
1057   0    nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Updated network agent (inactive, compulsory, not-user-activiated, not-kernel-activated)
1057   0    nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Leaving state NESMVPNSessionStateStopping
1057   0    nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Entering state NESMVPNSessionStateDisposing, timeout 5 seconds
0      0    kernel: ifnet_detach_final: Waiting for IO references on utun2 interface to be released
16463  0    ***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] SIOCGIFMTU failed: Device not configured
16463  0    ***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] NEVirtualInterfaceAdjustReadBufferSize: interface_get_mtu failed (6), defaulting to max mtu
16463  0    ***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension ***.YYY]: Session manager connection was invalidated
16463  0    ***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension ***.YYY]: Deallocating

0
Systems Engineer OP
Apple
Nov ’20
So the good news is that your project is getting off the ground. The reason why I mention this is because usually major entitlement issues when signed with Developer ID can cause an actual crash in your program when started. That does not seem to be the case here, but rather you have configuration issues.

First, before you do anything, enable SIP. This will allow you to build in an environment that is equivalent to what your users see. This is will also bring to the surface any Security/Code Signing issues that you are suppressing by disabling SIP.

16463 0 *.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] cannot open file at line 43353 of [378230ae7f]
16463 0 *.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] os_unix.c:43353: (2) open(/var/db/DetachedSignatures) - No such file or directory
16463 0 *.YYY.network-extension: (Security) SecTrustEvaluateIfNecessary
16463 0 *.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] Signature check failed: code failed to satisfy specified code requirement(s)

Do you have a Sandbox on both your Container App and Network Extension? If you do not, please add one as this is a requirement no matter if you are distributing via Mac App Store or via Developer ID.

There are a few other failures in your log, but let's see what you get after enabling SIP and adding a Sandbox to both targets.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
0
LaxmanT OP
Nov ’20
Thanks for the pointers Matt. I am seeing 2 issues in the logs after I enabled SIP. I notarized the app already.

  1. Signature errors

  2. Crash because of Sandboxing

The second part of the logs are pasted in the next post.

Please NOTE: The NE is based on open-source Wireguard protocol written in Golang.

Logs


Code Block 
 349    0    secinitd: *.YYY.network-extension[3542]: root path for bundle "<private>" of main executable "<private>"
 349    0    secinitd: (Security) SecTrustEvaluateIfNecessary
 349    0    secinitd: (Security) SecTrustEvaluateIfNecessary
 349    0    secinitd: *.YYY.network-extension[3542]: AppSandbox request successful
 404    0    nesessionmanager: (Security) SecTrustEvaluateIfNecessary
 404    0    nesessionmanager: (Security) SecTrustEvaluateIfNecessary
 404    0    nesessionmanager: (NetworkExtension) [com.apple.networkextension:] Signature is valid and has the correct designated requirement
 3542   0    *.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] cannot open file at line 43353 of [378230ae7f]
 3542   0    *.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] os_unix.c:43353: (2) open(/var/db/DetachedSignatures) - No such file or directory
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) SecItemCopyMatching
 3542   0    *.YYY.network-extension: (Security) SecItemCopyMatching_ios
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:xpc] Adding securityd connection to pool, total now 1
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:SecCritical] Failed to talk to secd after 4 attempts.
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:xpc] got event: Connection invalid
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:storagemgr] using system preferences
 3542   0    *.YYY.network-extension: (CoreFoundation) Loading Preferences From System CFPrefsD
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) SecItemCopyMatching
 3542   0    *.YYY.network-extension: (Security) SecItemCopyMatching_ios
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:SecCritical] Failed to talk to secd after 4 attempts.
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) CMSDecoderCopySignerStatus failed with kCMSSignerInvalidSignature error (3)
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] MacOS error: -67061
 3542   0    *.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] Signature check failed: invalid signature (code or signature have been modified)
 3542   0    *.YYY.network-extension: (libnetwork.dylib) [com.apple.network:] nw_path_evaluator_start [10272E98-45FB-4020-A6D6-CFB656C37389 <NULL> generic, indefinite]
 0      0    kernel: utun_ctl_connect: creating interface utun2 (id utunid2)
 0      0    kernel: ifnet_attach: Waiting for all kernel threads created for interface utun2 to get scheduled at least once.
 0      0    kernel: ifnet_attach: All kernel threads created for interface utun2 have been scheduled at least once. Proceeding.
 0      0    kernel: utun2: is now delegating en0 (type 0x6, family 2, sub-family 3)
 114    0    configd: (libnetwork.dylib) [com.apple.network:] network_config_check_interface_settings Checking interface settings
 404    0    nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId8:5E99863B-1189-4C78-BE90-F27D4D1D1461:(null)]: Plugin NEVPNTunnelPlugin(*.YYY[3542]) initialized with Mach-O UUIDs (
 210    0    nehelper: (Network) [com.apple.network:] -[NWPrivilegedHelper startXPCListener]_block_invoke client pid 114 does not have any known entitlement
 114    0    configd: (libnetwork.dylib) [com.apple.network:] networkd_privileged_check_interface_settings_block_invoke received XPC_ERROR_CONNECTION_INVALID
 404    0    nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId8:5E99863B-1189-4C78-BE90-F27D4D1D1461:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(*.YYY[3542]) started with PID 3542 error (null)
 3542   0    *.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension *.YYY]: Calling startTunnelWithOptions with options 0x7fa48ee100d0
 114    0    configd: [com.apple.SystemConfiguration:IPMonitor] network changed
 3542   0    *.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension *.YYY]: IPC detached

0
LaxmanT OP
Nov ’20

**Logs 2nd part:



Code Block **
     Error       0x0                  164    0    sandboxd: [com.apple.sandbox.reporting:violation] Sandbox: ***.XXXAgent(3542) deny(1) file-write-data /private/var/db/mds/system/mds.lock
Violation:       deny(1) file-write-data /private/var/db/mds/system/mds.lock 
Process:         ***.XXXAgent [3542]
Path:            /Library/SystemExtensions/34C6B073-2035-4CA4-B055-2C2FDD1C8BCF/***.YYY.network-extension.systemextension/Contents/MacOS/***.YYY.network-extension
Identifier:      ***.YYY.network-extension
Version:         1 (1.0)
Parent Process:  launchd [1]
Responsible:     /Library/SystemExtensions/34C6B073-2035-4CA4-B055-2C2FDD1C8BCF/***.YYY.network-extension.systemextension/Contents/MacOS/***.YYY.network-extension
OS Version:      Mac OS X 10.15.7 (19H15)
Report Version:  8
MetaData: {"action":"deny","responsible-process-user-uuid":"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000","uid":0,"summary":"deny(1) file-write-data \/private\/var\/db\/mds\/system\/mds.lock","path":"\/private\/var\/db\/mds\/system\/mds.lock","normalized_target":["private","var","db","mds","system","mds.lock"],"pid":3542,"flags":5,"errno":1,"hardlinked":false,"platform-binary":false,"signing-id":"***.YYY.network-extension","team-id":"TEAM_ID","primary-filter-value":"\/private\/var\/db\/mds\/system\/mds.lock","process":"***.XXXAgent","build":"Mac OS X 10.15.7 (19H15)","target":"\/private\/var\/db\/mds\/system\/mds.lock","container":"\/private\/var\/root\/Library\/Containers\/***.YYY.network-extension\/Data","operation":"file-write-data","primary-filter":"path","matched-extension":false,"vnode-type":"REGULAR-FILE","platform_binary":"no","profile-in-collection":false,"process-path":"\/Library\/SystemExtensions\/34C6B073-2035-4CA4-B055-2C2FDD1C8BCF\/***.YYY.network-extension.systemextension\/Contents\/MacOS\/***.YYY.network-extension","hardware":"Mac","responsible-process-uid":0,"responsible-process-path":"\/Library\/SystemExtensions\/34C6B073-2035-4CA4-B055-2C2FDD1C8BCF\/***.YYY.network-extension.systemextension\/Contents\/MacOS\/***.YYY.network-extension","matched-user-intent-extension":false,"file-flags":0,"rdev":0,"platform-policy":false,"mount-rdev":16777221,"profile-flags":0,"apple-internal":false}
............................
Thread 3 (id: 47400):
0   libsystem_kernel.dylib        	0x00007fff717b66a2 open + 10
1   Security                      	0x00007fff43eddeb7 Security::MDSSession::updateDataBases() + 1303
2   Security                      	0x00007fff43f3f705 Security::MDSSession::DbOpen(char const*, cssm_net_address const*, unsigned int, Security::AccessCredentials const*, void const*, long&) + 95
3   Security                      	0x00007fff43f3f59c mds_DbOpen(long, char const*, cssm_net_address const*, unsigned int, cssm_access_credentials const*, void const*, long*) + 261
4   Security                      	0x00007fff43edd5d5 Security::MDSClient::Directory::cdsa() const + 107
5   Security                      	0x00007fff44036031 Security::MDSClient::Directory::dlGetFirst(cssm_query const&, cssm_db_record_attribute_data&, cssm_data*, cssm_db_unique_record*&) + 57
6   Security                      	0x00007fff43edd113 Security::CssmClient::Table<Security::MDSClient::Common>::startQuery(Security::CssmQuery const&, bool) + 253
7   Security                      	0x00007fff43edcc9f Security::CssmClient::Table<Security::MDSClient::Common>::fetch(Security::CssmClient::Query const&, int) + 121
8   Security                      	0x00007fff43edbaf3 CSSM_ModuleLoad + 643
9   Security                      	0x00007fff43edb3ae Security::CssmClient::ModuleImpl::activate() + 194
10  Security                      	0x00007fff43edb1a8 Security::CssmClient::AttachmentImpl::activate() + 130
11  Security                      	0x00007fff43edb088 Security::KeychainCore::Certificate::clHandle() + 166
12  Security                      	0x00007fff440e7ef2 SecCertificateGetCLHandle_legacy + 22
13  Security                      	0x00007fff4404b116 CERT_GetCertIssuerAndSN + 131
14  Security                      	0x00007fff4404af1d CERT_FindCertByIssuerAndSN + 112
15  Security                      	0x00007fff4404c0e4 SecCmsSignerInfoGetSigningCertificate + 80
16  Security                      	0x00007fff440537cf SecCmsSignedDataVerifySignerInfo + 271
17  Security                      	0x00007fff44054226 CMSDecoderCopySignerStatus + 171
18  Security                      	0x00007fff44068210 Security::CodeSigning::SecStaticCode::validateDirectory() + 958
19  Security                      	0x00007fff4406b393 Security::CodeSigning::SecStaticCode::validateNonResourceComponents() + 15
20  Security                      	0x00007fff44058945 Security::CodeSigning::SecCode::checkValidity(unsigned int) + 219
21  Security                      	0x00007fff4405f0f4 SecCodeCheckValidityWithErrors + 87
22  NetworkExtension              	0x00007fff3e2133c2 NEVerifyDesignatedRequirement + 206
23  NetworkExtension              	0x00007fff3e0c75fa +[NEExtensionPacketTunnelProviderContext extensionHasACRequirement] + 94
24  NetworkExtension              	0x00007fff3e1c1ff1 -[NEPacketTunnelProvider initWithVirtualInterfaceType:] + 37
25  ***.YYY.network-extension	0x0000000102c14638 PacketTunnelProvider.init() + 488 (PacketTunnelProvider.swift:9)
26  ***.YYY.network-extension	0x0000000102c1465f @objc PacketTunnelProvider.init() + 15 (<compiler-generated>:0)
27  NetworkExtension              	0x00007fff3e0c8bd2 -[NEExtensionProviderContext createWithCompletionHandler:] + 398
28  Foundation                    	0x00007fff39d1e413 NSXPCCONNECTION_IS_CALLING_OUT_TO_EXPORTED_OBJECT_S1__ + 10
29  Foundation                    	0x00007fff39ca88de -[NSXPCConnection _decodeAndInvokeMessageWithEvent:flags:] + 2363
30  Foundation                    	0x00007fff39c5fa49 message_handler + 210
31  libxpc.dylib                  	0x00007fff718b922c _xpc_connection_call_event_handler + 56
32  libxpc.dylib                  	0x00007fff718b813b _xpc_connection_mach_event + 934
33  libdispatch.dylib             	0x00007fff7161b6f8 _dispatch_client_callout4 + 9

0
Systems Engineer OP
Apple
Nov ’20

Thanks for the pointers Matt. I am seeing 2 issues in the logs after I enabled SIP. I notarized the app already.
Signature errors
Crash because of Sandboxing

This may not seem like progress, but I think that it is because you are using the Sandbox and you are no longer masking a previously unhandled crash by disabling SIP.

Checkout the following:
Code Block 
3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:SecCritical] Failed to talk to secd after 4 attempts.
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
 3542   0    *.YYY.network-extension: (Security) CMSDecoderCopySignerStatus failed with kCMSSignerInvalidSignature error (3)
 3542   0    *.YYY.network-extension: (Security) [com.apple.securityd:security_exception] MacOS error: -67061
 3542   0    *.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] Signature check failed: invalid signature (code or signature have been modified)
 3542   0    *.YYY.network-extension: (libnetwork.dylib) [com.apple.network:] nw_path_evaluator_start [10272E98-45FB-4020-A6D6-CFB656C37389 <NULL> generic, indefinite]


You have an issue with your code signature. From here I would take a look at Quinn's post on Signing a Mac Product For Distribution. This is a great reference for working out signing issues with both Developer ID and the Mac App Store.

And also see, Resolving Common Notarization Issues.



Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
0
System Extension packet-tunnel NE not starting
First post date Last post date
 
 
Q