Developer ID signed NetworkExtension App.

Hi,


I use a NetworkExtension (packet tunnel) and its container app to implement a VPN on macOS. It works well on my development computer. But when I use a Developer ID certificate to ship this container app, the container app can be opened normally but the extension fails to run. There are some errors in the system console logs.


neagent Rejecting app extension provider com.westone.secPortalmac.tunnel because it is signed with a Developer ID certificate

nesessionmanager NEVPNTunnelPlugin(com.westone.secPortalmac[67446]): Validation of the extension failed


I have followed eskimo's instruction in https://forums.developer.apple.com/thread/125508 to set system extension, but I have received the same errors.


Can anyone help me or give me some information?

Thanks.

Replies

Have you notarised your product? If you want to run a Developer ID signed sysex on a machine with SIP enabled — that is, most customer machines — it has to be notarised.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Yes, I have uploaded my app to the notarisation server through Xcode. The state of the Developer ID archive information is "ready to distribute". Actually, my container app can be opened on a machine with SIP enabled. The problem is that when the container app tries to turn on a VPN connection with the Network Extension, it fails. The error logs in the system console are:


neagent Rejecting app extension provider com.westone.secPortalmac.tunnel because it is signed with a Developer ID certificate
nesessionmanager NEVPNTunnelPlugin(com.westone.secPortalmac[67446]): Validation of the extension failed

If you're packaged as a sysex and using the -systemextension variant of the entitlements and notarised and testing on 10.15.x, I'm not sure why this is failing in this way. If you can't work it out then my advice is that you open a DTS tech support incident and I, or my colleague Matt, can dig into this some more.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
I made the following configuration based on the information in the forum:
  1. Container app ID includes Network Extensions, Personal VPN, System Extension

  2. Extension Tunnel ID includes Network Extensions, Personal VPN

  3. The container app entitlements are as follows

Code Block
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.developer.networking.networkextension</key>
  <array>
    <string>packet-tunnel-provider-systemextension</string>
  </array>
  <key>com.apple.developer.networking.vpn.api</key>
  <array>
    <string>allow-vpn</string>
  </array>
  <key>com.apple.developer.system-extension.install</key>
  <true/>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.application-groups</key>
  <array>
    <string></string>
  </array>
  <key>com.apple.security.device.usb</key>
  <true/>
  <key>com.apple.security.network.client</key>
  <true/>
  <key>com.apple.security.network.server</key>
  <true/>
  <key>keychain-access-groups</key>
  <array>
    <string>$(AppIdentifierPrefix)</string>
  </array>
</dict>
</plist>


4. Extension Tunnel ID entitlements are as follows

Code Block
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.developer.networking.networkextension</key>
  <array>
    <string>packet-tunnel-provider-systemextension</string>
  </array>
  <key>com.apple.developer.networking.vpn.api</key>
  <array>
    <string>allow-vpn</string>
  </array>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.application-groups</key>
  <array>
    <string></string>
  </array>
  <key>com.apple.security.device.usb</key>
  <true/>
  <key>com.apple.security.network.client</key>
  <true/>
  <key>com.apple.security.network.server</key>
  <true/>
  <key>keychain-access-groups</key>
  <array>
    <string>$(AppIdentifierPrefix)</string>
  </array>
</dict>
</plist>


5. I use a Developer ID signed app and uploaded my app to the notarisation server through Xcode

6. The app still does not work properly

Console.app shows:

Code Block
nw_path_evaluator_start [0D5BB27E-A47B-485A-9846-E410803D5E3D Hostname#d91ef292:0 generic, indefinite]
path: satisfied (Path is satisfied), interface: en0, ipv4, dns
nw_path_evaluator_start [21C51CA5-8228-4177-A53E-2DC68D3C0C54 IPv4#1694037f:0 generic, indefinite]
path: satisfied (Path is satisfied), interface: en0, ipv4, dns
Last disconnect error for WSTVpn changed from "none" to "因为发生了内部错误,VPN会话失败。"
Current bundle (/Applications/SecPortalMac.app) does not have a SystemExtensions directory
Saving configuration WSTVpn with existing signature {length = 20, bytes = 0x9c9fa6cc5340118337e2221ca19dbd46dc2202f9}


Are there any errors or omissions in the above steps?


Code Block
Current bundle (/Applications/SecPortalMac.app) does not have a SystemExtensions directory


That suggests that you have a packaging problem. Check that your sysex is embedded with your container app at the right path, namely, YourContainer.app/Contents/Library/SystemExtensions/com.example.your.bundle-id.systemextension.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
This path YourContainer.app/Contents/Library/SystemExtensions/com.example.your.bundle-id.systemextension does not exist.

I made the following configuration based on the information in the forum.

But I want to ask if the integration steps above are correct. Is there something wrong?


Thank you for answering my question.

I know now why I didn't have the Library/SystemExtensions path before: I had not initiated OSSystemExtensionRequest.activationRequest.

But I called this method, and there is still no path in the log.

Code Block
Current bundle (/Users/30san/Desktop/mac/SecPortalMac.app) does not have a SystemExtensions directory


Hi,

On macOS, I have changed the app network extension to a system network extension.

I turned on systemextensionsctl developer mode while debugging the app.

When the app starts, it prompts to allow the installation of system extensions.

But I feel that the PacketTunnelProvider is not started.

In addition, is it necessary to configure NEMachServiceName in the system network extension info.plist?

This is log information:

Code Block
14:41:56.950679+0800 SecPortalMac [com.westone.secPortalmac] Requesting authorization with options 6
14:41:56.954647+0800 SecPortalMac open on /Users/30san/Library/Group Containers/group.westone.secPortalmac/conf.xml: File exists
14:41:56.955423+0800 SecPortalMac open on /Users/30san/Library/Group Containers/group.westone.secPortalmac/engines.conf: File exists
14:41:56.971870+0800 SecPortalMac nw_path_evaluator_start [560AD6E0-20DB-40EF-89E8-A686213E126E 192.168.199.55:0 generic, indefinite]
path: satisfied (Path is satisfied), interface: en0, ipv4, dns
14:41:57.016957+0800 SecPortalMac [com.westone.secPortalmac] Requested authorization [ didGrant: 1 hasError: 0 hasCompletionHandler: 1 ]
14:41:57.021634+0800 SecPortalMac NSApp cache appearance:
-NSRequiresAquaSystemAppearance: 0
-appearance: (null)
-effectiveAppearance: <NSCompositeAppearance: 0x600002c0dc80
(
"<NSDarkAquaAppearance: 0x600002c0cb00>",
"<NSSystemAppearance: 0x600002c0d580>"
)>
14:41:57.372159+0800 SecPortalMac [com.westone.secPortalmac] Requesting authorization with options 6
14:41:57.372459+0800 SecPortalMac [com.westone.secPortalmac] Requested authorization [ didGrant: 1 hasError: 0 hasCompletionHandler: 1 ]
14:41:57.377226+0800 SecPortalMac Adding presenter 8F6CCFFE-7CE7-422A-996F-885319BB5C71 for URL: file:///Users/30san/Library/Developer/Xcode/DerivedData/OneNet-gfnflgusjdvyppaxijlkdrwgewtq/Build/Products/Debug/SecPortalMac.app/
14:42:06.802985+0800 SecPortalMac LSExceptions shared instance invalidated for timeout.
14:42:07.896997+0800 SecPortalMac Received configuration update from daemon (initial)
14:42:08.622606+0800 SecPortalMac AggregateDictionary is not supported on this platform
14:42:09.930705+0800 SecPortalMac Saving configuration WSTVpn with existing signature {length = 20, bytes = 0x8140392a039a53b376befd72d619a6bfa0c1d7dc}
14:42:09.930855+0800 SecPortalMac Configuration WSTVpn is unchanged
14:42:09.930944+0800 SecPortalMac The configuration was not saved because it was unchanged from the previously saved version
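The checks Quinn points to above (the sysex embedded at YourContainer.app/Contents/Library/SystemExtensions/..., the -systemextension variant of the entitlements) and the NEMachServiceName question in the last post can be pre-flighted before a build is shipped. The script below is an added example, not code from this thread or from Apple. It parses the .entitlements files and the sysex Info.plist with plistlib, checks the bundle layout on disk, and flags the mistakes this thread turns on. It assumes the plists are available as XML text (on recent macOS, codesign -d --entitlements - --xml App.app prints a signed bundle's entitlements), and it applies Apple's documented rule that NEMachServiceName is required for a network system extension and must be prefixed with one of the extension's app groups. Every com.example / group.com.example value and the ExampleVPN.app skeleton are constructed. Notarisation itself still has to be confirmed on a Mac (spctl --assess or xcrun stapler validate); this script does not attempt that.

```python
"""Static pre-flight checks for a Developer ID network system extension.
Added example; sample identifiers (com.example.*, group.com.example.*) are constructed.
"""
import plistlib
import tempfile
from pathlib import Path

NE_KEY = "com.apple.developer.networking.networkextension"
INSTALL_KEY = "com.apple.developer.system-extension.install"
GROUPS_KEY = "com.apple.security.application-groups"
SYSEX_VARIANT = "packet-tunnel-provider-systemextension"
SYSEX_DIR = Path("Contents/Library/SystemExtensions")


def load_plist(xml_text: str) -> dict:
    """Parse plist XML (entitlements or Info.plist) into a dict."""
    return plistlib.loads(xml_text.encode("utf-8"))


def check_entitlements(ent: dict, is_container: bool) -> list:
    """Flag entitlement mistakes that keep a Developer ID sysex from loading."""
    findings = []
    variants = ent.get(NE_KEY, [])
    if SYSEX_VARIANT not in variants:
        findings.append(f"{NE_KEY} lacks {SYSEX_VARIANT}")
    for v in variants:  # no -systemextension suffix means the app-extension form
        if not v.endswith("-systemextension"):
            findings.append(f"app-extension variant {v!r} present in {NE_KEY}")
    if is_container and ent.get(INSTALL_KEY) is not True:
        findings.append(f"container app lacks {INSTALL_KEY}")
    groups = ent.get(GROUPS_KEY, [])
    if not groups or any(not g for g in groups):
        findings.append(f"{GROUPS_KEY} is empty or contains an empty entry")
    return findings


def check_extension_info(info: dict, groups: list) -> list:
    """Check the sysex Info.plist: NEMachServiceName must be present and be
    prefixed with one of the extension's app groups (Apple's documented rule)."""
    ne = info.get("NetworkExtension")
    if not isinstance(ne, dict):
        return ["Info.plist has no NetworkExtension dictionary"]
    mach = ne.get("NEMachServiceName", "")
    if not mach:
        return ["NEMachServiceName is missing"]
    if not any(mach.startswith(g) for g in groups if g):
        return [f"NEMachServiceName {mach!r} is not prefixed with an app group"]
    return []


def check_bundle_layout(app_path: Path) -> list:
    """Verify the sysex is embedded where macOS expects it inside the container app."""
    sysex_dir = app_path / SYSEX_DIR
    if not sysex_dir.is_dir():  # the "does not have a SystemExtensions directory" case
        return [f"{app_path.name} has no {SYSEX_DIR} directory"]
    sysexes = [p for p in sysex_dir.iterdir() if p.suffix == ".systemextension"]
    findings = [] if sysexes else [f"{SYSEX_DIR} holds no .systemextension bundle"]
    for sx in sysexes:
        if not (sx / "Contents/Info.plist").is_file():
            findings.append(f"{sx.name} is missing Contents/Info.plist")
    return findings


# Constructed Info.plist content for the sample sysex.
SAMPLE_INFO = {"CFBundleIdentifier": "com.example.vpn.tunnel", "NetworkExtension": {
    "NEMachServiceName": "group.com.example.vpn.tunnel",
    "NEProviderClasses": {"com.apple.networkextension.packet-tunnel": "PacketTunnelProvider"}}}

# Constructed container-app entitlements in the -systemextension form.
GOOD_CONTAINER_ENTITLEMENTS = """<plist version="1.0"><dict>
<key>com.apple.developer.networking.networkextension</key>
<array><string>packet-tunnel-provider-systemextension</string></array>
<key>com.apple.developer.system-extension.install</key><true/>
<key>com.apple.security.application-groups</key>
<array><string>group.com.example.vpn</string></array>
</dict></plist>"""

# Constructed entitlements still using the app-extension form, with an empty app group.
BAD_CONTAINER_ENTITLEMENTS = """<plist version="1.0"><dict>
<key>com.apple.developer.networking.networkextension</key>
<array><string>packet-tunnel-provider</string></array>
<key>com.apple.security.application-groups</key>
<array><string></string></array>
</dict></plist>"""


def demo_layout(embed_sysex: bool) -> list:
    """Build a constructed ExampleVPN.app skeleton in a temp dir and check its layout."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "ExampleVPN.app"
        (app / "Contents/MacOS").mkdir(parents=True)
        if embed_sysex:
            sx = app / SYSEX_DIR / "com.example.vpn.tunnel.systemextension"
            (sx / "Contents").mkdir(parents=True)
            (sx / "Contents/Info.plist").write_bytes(plistlib.dumps(SAMPLE_INFO))
        return check_bundle_layout(app)
```

Run check_entitlements on both the container's and the extension's .entitlements (is_container=False for the latter), check_extension_info on the sysex Info.plist together with the groups from its entitlements, and check_bundle_layout on the built .app; an empty list from each means the static side is in order and any remaining failure is in signing or notarisation.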