Hello,
We have a network extension that until now was loaded using an app that has the same Team ID and everything loaded and worked fine.
We now want to make it possible for an application with a different Team ID to load it. As stated here we manually added the com.apple.developer.system-extension.redistributable entitlement in the .entitlements file of the network extension (it does not appear in Xcode's Capabilities list). The extension was built, signed and notarised with success. When we tried to run it with the exact same test application that we use all the time (that has the same Team ID) after allowing it from Security & Privacy and allowing the Add Proxy Configuration pop-up, it remains in the Connecting... state.
In system.log every ~10 seconds these error messages appear: Code has restricted entitlements, but the validation of its code signature failed. and Binary is improperly signed.
The only difference between what we already have and works and this version is that we added the redistributable entitlement.
Full log:
```
(NetworkExtension.com.my-network-extension): removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Library/SystemExtensions/{GUID}/com.my-network-extension.systemextension/Contents/MacOS/com.my-network-extension: Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements:
(NetworkExtension.com.my-network-extension): Binary is improperly signed.
```
The output of codesign -d --entitlements :- com.my-network-extension.systemextension is:
```xml
Executable=/Users/myuser/path/com.my-network-extension.systemextension/Contents/MacOS/com.my-network-extension
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>MyTeamID.com.my-network-extension</string>
    <key>com.apple.developer.networking.custom-protocol</key>
    <true/>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>app-proxy-provider-systemextension</string>
    </array>
    <key>com.apple.developer.system-extension.redistributable</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>MyTeamID</string>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>MyTeamID.com.application.group1</string>
        <string>MyTeamID.com.application.group2</string>
    </array>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
    <array>
        <string>/path1/</string>
        <string>/path2/</string>
    </array>
    <key>com.apple.security.temporary-exception.files.absolute-path.read-write</key>
    <array>
        <string>/path/path3/</string>
    </array>
</dict>
</plist>
```
The output of security cms -D -i com.my-network-extension.systemextension/Contents/embedded.provisionprofile is:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key>
    <string>My Network Extension</string>
    <key>ApplicationIdentifierPrefix</key>
    <array>
        <string>MyTeamID</string>
    </array>
    <key>CreationDate</key>
    <date>2020-08-12T09:40:28Z</date>
    <key>Platform</key>
    <array>
        <string>OSX</string>
    </array>
    <key>IsXcodeManaged</key>
    <false/>
    <key>DeveloperCertificates</key>
    <array>
        <data>***</data>
    </array>
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>packet-tunnel-provider-systemextension</string>
            <string>app-proxy-provider-systemextension</string>
            <string>content-filter-provider-systemextension</string>
            <string>dns-proxy-systemextension</string>
            <string>dns-settings</string>
        </array>
        <key>com.apple.application-identifier</key>
        <string>MyTeamID.com.my-network-extension</string>
        <key>keychain-access-groups</key>
        <array>
            <string>MyTeamID.*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>MyTeamID</string>
        <key>com.apple.developer.networking.vpn.api</key>
        <array>
            <string>allow-vpn</string>
        </array>
        <key>com.apple.developer.networking.custom-protocol</key>
        <true/>
    </dict>
    <key>ExpirationDate</key>
    <date>2038-08-08T09:40:28Z</date>
    <key>Name</key>
    <string>My Network Extension Developer ID Profile</string>
    <key>ProvisionsAllDevices</key>
    <true/>
    <key>TeamIdentifier</key>
    <array>
        <string>MyTeamID</string>
    </array>
    <key>TeamName</key>
    <string>My Company Name</string>
    <key>TimeToLive</key>
    <integer>6570</integer>
    <key>UUID</key>
    <string>***</string>
    <key>Version</key>
    <integer>1</integer>
</dict>
</plist>
```
Nothing related with the redistributable entitlement appears here.
On the App ID Configuration (on the apple developer site) there is no System Extension Redistributable Capability. Also, the Redistributable Entitlement Documentation does not mention that we need to request this entitlement from Apple as is stated for other entitlements (for example for Endpoint Security).
We also tried to make a test application with a different Team ID to exclude the unlikely case that with this entitlement is mandatory for the application to have a different Team ID. As expected, it had the exact same behaviour - it does not work.
A strange / unexpected behaviour is that we tried to add the entitlement but with FALSE instead of true and it behaves in the exact same way (same error). This made me think that maybe I made a mistake when I added it (a typo or wrong format), but the xml looks fine.
```xml
<key>com.apple.developer.system-extension.redistributable</key>
<false/>
```
We tested this on Big Sur 11.3.1. We tried with the extension Developer ID signature and also with Development signature (it happens in both cases and without the redistributable entitlement it works).
Is the System Extension Redistributable Capability supposed to be on the App ID Configuration page or do we have to make a request for it? (this seems unlikely since the documentation does not mention it).
Is there something extra we were supposed to do and we missed it? Or is there something we did wrong?
Thank you!
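Editor's note, not part of the post above: the two outputs quoted in the post put the question in a checkable form. The `codesign` output lists every entitlement the signature claims, and the `Entitlements` dict of the decoded provisioning profile lists what the profile grants; the redistributable key appears in the first and not in the second. The script below is an added example that diffs the two the way a release checklist would, so that a "restricted entitlements ... validation failed" message can be traced to a specific key before the extension is ever loaded. It is not Apple's code or the poster's. The sample inputs are constructed copies of the quoted outputs (certificate data and UUID replaced by placeholders), and the rule that `com.apple.security.*` keys need no profile grant is a heuristic assumption of this example, not a published Apple list.

```python
"""Diff the entitlements in a code signature against the grants in a provisioning
profile and report every key the profile does not cover.

Inputs are the text of `codesign -d --entitlements :- <bundle>` and of
`security cms -D -i <bundle>/Contents/embedded.provisionprofile`.
"""
import plistlib
from typing import Any

# Constructed sample, modelled on the codesign output quoted in the post (abbreviated).
CODESIGN_OUTPUT = b"""Executable=/Users/myuser/path/com.my-network-extension.systemextension/Contents/MacOS/com.my-network-extension
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.application-identifier</key><string>MyTeamID.com.my-network-extension</string>
  <key>com.apple.developer.networking.custom-protocol</key><true/>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>app-proxy-provider-systemextension</string></array>
  <key>com.apple.developer.system-extension.redistributable</key><true/>
  <key>com.apple.developer.team-identifier</key><string>MyTeamID</string>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.application-groups</key>
  <array><string>MyTeamID.com.application.group1</string></array>
</dict>
</plist>
"""

# Constructed sample, modelled on the decoded profile quoted in the post;
# certificate data and UUID are placeholders, not real values.
PROFILE_OUTPUT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>AppIDName</key><string>My Network Extension</string>
  <key>DeveloperCertificates</key><array><data>AAAA</data></array>
  <key>Entitlements</key>
  <dict>
    <key>com.apple.developer.system-extension.install</key><true/>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
      <string>packet-tunnel-provider-systemextension</string>
      <string>app-proxy-provider-systemextension</string>
      <string>content-filter-provider-systemextension</string>
      <string>dns-proxy-systemextension</string>
      <string>dns-settings</string>
    </array>
    <key>com.apple.application-identifier</key><string>MyTeamID.com.my-network-extension</string>
    <key>keychain-access-groups</key><array><string>MyTeamID.*</string></array>
    <key>com.apple.developer.team-identifier</key><string>MyTeamID</string>
    <key>com.apple.developer.networking.vpn.api</key><array><string>allow-vpn</string></array>
    <key>com.apple.developer.networking.custom-protocol</key><true/>
  </dict>
  <key>ExpirationDate</key><date>2038-08-08T09:40:28Z</date>
  <key>UUID</key><string>PLACEHOLDER-UUID</string>
</dict>
</plist>
"""

# Assumption of this example, not an Apple-published list: sandbox and hardened-runtime
# keys under com.apple.security.* are not matched against the profile, so they are skipped.
# Every other key is treated as one the profile has to grant.
UNRESTRICTED_PREFIXES = ("com.apple.security.",)


def parse_codesign_entitlements(output: bytes) -> dict[str, Any]:
    """codesign prints an 'Executable=' header line before the plist; drop it."""
    start = output.find(b"<?xml")
    if start < 0:
        raise ValueError("no plist found in codesign output")
    return plistlib.loads(output[start:])


def parse_profile_entitlements(output: bytes) -> dict[str, Any]:
    """`security cms -D` output is a plain plist; the grants live under Entitlements."""
    return plistlib.loads(output).get("Entitlements", {})


def ungranted_entitlements(signed: dict[str, Any], granted: dict[str, Any]) -> dict[str, str]:
    """Return {key: reason} for each signed entitlement the profile does not cover.

    The check is on key presence, not on the value, so a key set to <false/> is
    reported exactly like one set to <true/>; this matches the observation in the
    post that both produced the same error.
    """
    problems: dict[str, str] = {}
    for key, value in signed.items():
        if key.startswith(UNRESTRICTED_PREFIXES):
            continue
        if key not in granted:
            problems[key] = "key absent from profile Entitlements"
            continue
        allowed = granted[key]
        # Array-valued entitlements: every requested member must be in the profile's list.
        if isinstance(value, list) and isinstance(allowed, list):
            extra = sorted(set(value) - set(allowed))
            if extra:
                problems[key] = f"values not granted by profile: {extra}"
    return problems


def check(codesign_output: bytes, profile_output: bytes) -> dict[str, str]:
    """Convenience wrapper: parse both outputs and diff them."""
    return ungranted_entitlements(
        parse_codesign_entitlements(codesign_output),
        parse_profile_entitlements(profile_output),
    )


if __name__ == "__main__":
    for key, reason in check(CODESIGN_OUTPUT, PROFILE_OUTPUT).items():
        print(f"{key}: {reason}")
```

Run against the constructed samples, the only finding is `com.apple.developer.system-extension.redistributable: key absent from profile Entitlements`, which is the same gap visible by eye in the two quoted outputs. To use it on a real bundle, feed it the raw bytes of the two commands named in the docstring; the array comparison also catches the quieter case where the profile grants an entitlement but not the particular provider type the signature asks for.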