Network Extension Unsatisfied entitlements: com.apple.security.application-groups

Hi,


I want to be able to run a simple NE with SIP on. Based on the SimpleFirewall Sysex, run from Xcode, it seems to work well: the extension does filter the content, all OK. What is not so good is what I see in the logs (SIP enabled):


the taskgated-helper says:

com.jon.SimpleFirewall.SimpleFirewallExtension: Unsatisfied entitlements: com.apple.security.application-groups

Disallowing: com.jon.SimpleFirewall.SimpleFirewallExtension


and the amfid:

Soft-restriction provisioning profile validation failure: No matching provisioning profile

Unsatisfied entitlements key is not type CFString, this should not happen.

Provisioning Profile does not provision soft-restricted entitlements.


They are strange messages considering the NE is working...


I'd say that the entitlements are OK:

<dict>
    <key>com.apple.application-identifier</key>
    <string>TEAMID.com.jon.SimpleFirewall</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>TEAMID.</string>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>TEAMID..com.jon.SimpleFirewall</string>
    </array>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>


<dict>
    <key>com.apple.application-identifier</key>
    <string>TEAMID.com.jon.SimpleFirewall.SimpleFirewallExtension</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>TEAMID</string>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>TEAMIDcom.jon.SimpleFirewall</string>
    </array>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>



I'm interested as well in making it provisioned for all devices, so I want to archive it for Developer ID distribution, including notarization. The archiving stops because Xcode can't find provisions for Network Extensions. To solve it I have created 2 provisions for Distribution by Developer ID myself on my account. That helps to advance in the notarization. It gets approved. Export and run.


The exported notarized App crashes:


taskgated:

rejecting read of { kCFPreferencesAnyApplication, kCFPreferencesAnyUser, kCFPreferencesCurrentHost, no container, managed: 0 } from process 1947 (taskgated-helper) because accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access

com.jon.SimpleFirewall: Unsatisfied entitlements: com.apple.developer.networking.networkextension

Disallowing: com.jon.SimpleFirewall


amfid:

CPValidateProvisioningDictionariesExtViaBridge returned invalid result: {
    success = 0;
}

Failure validating against provisioning profiles: No matching provisioning profile

Unsatisfied entitlements key is not type CFString, this should not happen.

Requirements for restricted entitlements failed to validate, error -67671, requirements: '<private>', error: (null)

Restricted entitlements not validated, bailing out. Error: (null)

/Users/jon.gabilondo/Desktop/SimpleFirewall.app/Contents/MacOS/SimpleFirewall signature not valid: -67671


Pretty big, clear errors that I can't figure out how to fix... I'm missing something fundamental.


Thanks in advance.

Replies

You need to do a couple of things apart from Developer ID signing:

1. Change entitlement content-filter-provider to content-filter-provider-systemextension manually:


Look at the below document:

https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_networking_networkextension?language=objc


2. Notarize your app.


Regards,

Anand Choubey

Anand, thanks a lot!


The extension is running now after doing: 1. Change entitlement content-filter-provider to content-filter-provider-systemextension manually.


However, the gatekeeper and the amfi are less than happy with it. I don't know how it works after they both explicitly say the extension is incorrect. Maybe Apple can give some input on this.


Thanks.



195   error    23:25:16.399045+0300  cfprefsd          rejecting read of { kCFPreferencesAnyApplication, kCFPreferencesAnyUser, kCFPreferencesCurrentHost, no container, managed: 0 } from process 6233 (taskgated-helper) because accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access
6233  fault    23:25:16.399271+0300  taskgated-helper  Couldn't read values in CFPrefsPlistSource<0x7f926a008250> (Domain: kCFPreferencesAnyApplication, User: kCFPreferencesAnyUser, ByHost: Yes, Container: (null), Contents Need Refresh: No): accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access
6233  default  23:25:16.405208+0300  taskgated-helper  Checking against 1 eligible provisioning profiles
6233  default  23:25:16.405311+0300  taskgated-helper  Checking profile: SimpleFireApp
6233  default  23:25:16.405338+0300  taskgated-helper  allowing entitlement(s) for com.jon.SimpleFirewall due to provisioning profile (isUPP: 1)
6233  default  23:25:16.409375+0300  taskgated-helper  Checking against 1 eligible provisioning profiles
6233  default  23:25:16.409461+0300  taskgated-helper  Checking profile: SimpleFireApp
6233  error    23:25:16.409482+0300  taskgated-helper  com.jon.SimpleFirewall: Unsatisfied entitlements: com.apple.security.application-groups
6233  error    23:25:16.409497+0300  taskgated-helper  Disallowing: com.jon.SimpleFirewall
6233  default  23:26:08.907228+0300  taskgated-helper  Checking against 1 eligible provisioning profiles
6233  default  23:26:08.907412+0300  taskgated-helper  Checking profile: SimpleFireExt
6233  default  23:26:08.907597+0300  taskgated-helper  allowing entitlement(s) for com.jon.SimpleFirewall.SimpleFirewallExtension due to provisioning profile (isUPP: 1)
6233  default  23:26:08.913929+0300  taskgated-helper  Checking against 1 eligible provisioning profiles
6233  default  23:26:08.914019+0300  taskgated-helper  Checking profile: SimpleFireExt
6233  error    23:26:08.914041+0300  taskgated-helper  com.jon.SimpleFirewall.SimpleFirewallExtension: Unsatisfied entitlements: com.apple.security.application-groups
6233  error    23:26:08.914062+0300  taskgated-helper  Disallowing: com.jon.SimpleFirewall.SimpleFirewallExtension

Hi,


doing 1. Change entitlement content-filter-provider to content-filter-provider-systemextension manually,


the NE now runs. That is great.


But still the gatekeeper and the amfi say the NE is not OK.

What should we make of those messages...



195    error    20:38:20.940263+0300  cfprefsd          rejecting read of { kCFPreferencesAnyApplication, kCFPreferencesAnyUser, kCFPreferencesCurrentHost, no container, managed: 0 } from process 10864 (taskgated-helper) because accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access
10864  fault    20:38:20.940504+0300  taskgated-helper  Couldn't read values in CFPrefsPlistSource<0x7fdf6552ca90> (Domain: kCFPreferencesAnyApplication, User: kCFPreferencesAnyUser, ByHost: Yes, Container: (null), Contents Need Refresh: No): accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access
10864  default  20:38:20.948316+0300  taskgated-helper  Checking against 1 eligible provisioning profiles
10864  default  20:38:20.948424+0300  taskgated-helper  Checking profile: SimpleFireExt
10864  default  20:38:20.948455+0300  taskgated-helper  allowing entitlement(s) for com.jon.SimpleFirewall.SimpleFirewallExtension due to provisioning profile (isUPP: 1)
10864  default  20:38:20.954018+0300  taskgated-helper  Checking against 1 eligible provisioning profiles
10864  default  20:38:20.954112+0300  taskgated-helper  Checking profile: SimpleFireExt
10864  error    20:38:20.954148+0300  taskgated-helper  com.jon.SimpleFirewall.SimpleFirewallExtension: Unsatisfied entitlements: com.apple.security.application-groups
10864  error    20:38:20.954164+0300  taskgated-helper  Disallowing: com.jon.SimpleFirewall.SimpleFirewallExtension


Thanks!

In the post at least, your AppGroups identifier has a typo in the second one where it is missing a dot between the team ID and the bundle ID. The first one actually has two dots between them.


That would keep them from matching and from being able to access the shared space, which is what the logs are complaining about.

I'm afraid I made some copy-paste mistakes. The app group is correct, but I will run it all again and double-check everything. Thanks!

Hi,

My NE Sysex is notarized and runs correctly, the group IDs are correct.

But the amfi and taskgated print errors. The "Disallowing:" log message doesn't really seem to affect the run of the extension.

Are these log warnings misleading?


I have the Group ID capability in the Identifier on the Dev Site disabled. I thought that might be a problem. I added the Group ID to the Identifier, which by the way requires the "group." prefix. It did not help. The warning logs continue.


Thanks.

I understood the reason for the complaints of taskgated.


taskgated-helper  com.jon.SimpleFirewall.SimpleFirewallExtension: Unsatisfied entitlements: com.apple.security.application-groups


On Mac the group entitlements are not whitelisted by the provisioning profile. The gatekeeper logs that fact, but it doesn't seem to affect the running of the Sysex.
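The thread's two findings (the content-filter-provider value has to be the -systemextension flavour that the Developer ID profile actually provisions, and an app-group string with a missing or doubled dot after the team ID can't match anything) can both be checked offline before signing. The script below is an added example, not code from this thread, from Apple, or from the SimpleFirewall sample. It reproduces the comparison the "Unsatisfied entitlements" log lines describe: every key in the signed entitlements is looked up in the profile's Entitlements dictionary and each requested value must be covered there. The inputs are constructed plists modelled on the extension <dict> posted above with TEAMID as a placeholder; on a real Mac you would feed it the output of `codesign -d --entitlements :- Foo.app` and of `security cms -D -i Foo.app/Contents/embedded.provisionprofile`. The split between keys the profile must provision (com.apple.developer.* and the application identifier) and sandbox keys under com.apple.security.* that it is not expected to list is an assumption drawn from the last post's observation that application-groups is logged but not provisioned on the Mac.

```python
"""Compare signed entitlements with what a provisioning profile grants, and
lint application-group identifiers for the team-ID/dot mistakes seen above.
Added example; inputs are constructed, TEAMID is a placeholder."""
import plistlib
import re

# Keys we assume the profile must provision (anything else is reported as info).
RESTRICTED_PREFIXES = ("com.apple.developer.", "com.apple.application-identifier")

# Constructed: modelled on the extension entitlements posted in the thread,
# including the app-group string that lacks the dot after the team ID.
EXTENSION_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.application-identifier</key>
  <string>TEAMID.com.jon.SimpleFirewall.SimpleFirewallExtension</string>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>content-filter-provider</string></array>
  <key>com.apple.developer.team-identifier</key>
  <string>TEAMID</string>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.application-groups</key>
  <array><string>TEAMIDcom.jon.SimpleFirewall</string></array>
</dict></plist>"""

# Constructed: a decoded Developer ID profile that provisions the
# system-extension flavour of the content filter, as the reply recommends.
PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>SimpleFireExt</string>
  <key>TeamIdentifier</key><array><string>TEAMID</string></array>
  <key>Entitlements</key>
  <dict>
    <key>com.apple.application-identifier</key>
    <string>TEAMID.*</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array><string>content-filter-provider-systemextension</string></array>
    <key>com.apple.developer.team-identifier</key>
    <string>TEAMID</string>
  </dict>
</dict></plist>"""


def load_plist(data: bytes) -> dict:
    return plistlib.loads(data)


def _match(requested, granted) -> bool:
    """A trailing '*' in the profile value (e.g. TEAMID.*) is a prefix wildcard."""
    if isinstance(granted, str) and granted.endswith("*") and isinstance(requested, str):
        return requested.startswith(granted[:-1])
    return requested == granted


def value_provisioned(requested, granted) -> bool:
    """Every requested value (scalar or array element) must be covered by the profile."""
    if isinstance(requested, list):
        granted = granted if isinstance(granted, list) else [granted]
        return all(any(_match(r, g) for g in granted) for r in requested)
    return _match(requested, granted)


def check_entitlements(entitlements: dict, profile: dict) -> dict:
    """Return {key: 'ok' | 'missing-from-profile' | 'value-not-provisioned'}."""
    granted = profile.get("Entitlements", {})
    report = {}
    for key, value in entitlements.items():
        if key not in granted:
            report[key] = "missing-from-profile"
        elif not value_provisioned(value, granted[key]):
            report[key] = "value-not-provisioned"
        else:
            report[key] = "ok"
    return report


def is_restricted(key: str) -> bool:
    return key.startswith(RESTRICTED_PREFIXES)


def blocking_problems(report: dict) -> list:
    """Unsatisfied keys the profile is expected to provision (assumed rule above)."""
    return sorted(k for k, s in report.items() if s != "ok" and is_restricted(k))


def lint_app_groups(entitlements: dict, team_id: str) -> dict:
    """Return {group: problem} for groups not of the form TEAMID.reverse.dns.name."""
    well_formed = re.compile(r"^" + re.escape(team_id) + r"\.(?:[A-Za-z0-9-]+\.)*[A-Za-z0-9-]+$")
    problems = {}
    for group in entitlements.get("com.apple.security.application-groups", []):
        if not group.startswith(team_id):
            problems[group] = "does not start with the team ID"
        elif ".." in group:
            problems[group] = "doubled dot after the team ID"
        elif not well_formed.match(group):
            problems[group] = "missing dot after the team ID or malformed identifier"
    return problems


if __name__ == "__main__":
    ent, prof = load_plist(EXTENSION_ENTITLEMENTS), load_plist(PROFILE_PLIST)
    for key, status in check_entitlements(ent, prof).items():
        tag = "BLOCKING" if status != "ok" and is_restricted(key) else "info"
        print(f"{tag:8} {status:22} {key}")
    for group, problem in lint_app_groups(ent, "TEAMID").items():
        print(f"BLOCKING app group {group!r}: {problem}")
```

Run as-is, the script reports the networkextension value as the one blocking mismatch (the profile grants content-filter-provider-systemextension, the entitlements still request content-filter-provider), flags the app-group string for the missing dot, and lists application-groups and app-sandbox as informational only, which is the state the thread ends in once the value is changed.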