NE Proxy didn't start with "missing designated requirement" message.

I encountered a problem while implementing DNS Proxy for Network Extension.

It consists of MyMyExt, a System Extension that implements DNS Proxy, and MyMyService, a container.

The system extension consists of classes that inherit the NEDNSProxyProvider.

The class has overridden "override init(), override func startProxy(...), override func stopProxy(...), override func handleNewFlow(...)".

Since the manager.loadFromPreferences(...) and manager.saveToPreferences(...) calls, system extensions and DNS Proxy have been added.

However, contrary to expectations, init(), startProxy(...), etc. are not being called.

(In System Settings → Network → Filter, DNS Proxy has been added, but is displayed as "Activated" and a yellow circle)

Here is the information that appears on the console.

... Omitted ...

MyMyService.MyMyExt	[Info] DNSProxyManager.swift: 51 [-] DNSProxy: saved
nesessionmanager	NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Adding a connection for client mDNSResponder[167]
nesessionmanager	NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: handleNetworkDetectionNotification <MyMyService.MyMyExt>
nesessionmanager	NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Received a restart command from nesessionmanager[1011]
nesessionmanager	Registering session NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]
nesessionmanager	NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Resetting VPN On Demand
nesessionmanager	NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)] in state NESMVPNSessionStateIdle: update configuration
nesessionmanager	<NESMServer: 0x13ae0ac90>: <MyMyService.MyMyExt> Register DNS Proxy Session: NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]
nesessionmanager	NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Successfully registered
nesessionmanager	NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: status changed to connecting
nesessionmanager	NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)] in state NESMVPNSessionStateIdle: received start message
nesessionmanager	NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Leaving state NESMVPNSessionStateIdle
nesessionmanager	NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Entering state NESMVPNSessionStatePreparingNetwork
nesessionmanager	NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Cannot create agent for plugin type MyMyService.MyMyExt, missing designated requirement
nesessionmanager	NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Failed to create an NEAgent
nesessionmanager	NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Leaving state NESMVPNSessionStatePreparingNetwork
nesessionmanager	NESMDNSProxySession[Primary Tunnel:MyMyService.MyMyExt:<GUID>:(null)]: Entering state NESMVPNSessionStateStopping, timeout 20 seconds

... Omitted ...

Perhaps the key is the "Cannot create agent for plugin type MyMyService.MyMyExt, missing designated requirement" recorded in the log.

But I can't find out what this message is about or how to resolve it.

And here is my code; more info is in my previous post.

I ask for your help. Thank you for your attention.

You can learn about code signing requirements, including the designated requirement, in TN3127 Inside Code Signing: Requirements. In short, the DR is the way that code identifies itself, allowing macOS to confirm that version N+1 of your code is the ‘same code’ as version N.

It’s not clear whether that log message is talking about the DR being missing from your code or from the configuration it’s trying to set up. However, it’s easy to check the former. Build your sysex and run this command against the containing app and the embedded sysex:

% codesign -d --requirement - MyApp.app
…
designated => … something long and complex …
% codesign -d --requirement - MyApp.app/Contents/Library/SystemExtensions/com.example.apple-samplecode.MyApp.MyExtension.systemextension 
…
designated => … something long and complex …

What do you see?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Here is my result.

codesign -d --requirement - MyMyService.app 

Executable=/Users/bepoop/Library/Developer/Xcode/DerivedData/MyMyService-extsmvczyriphqaigdiumsnsihyz/Build/Products/Debug/MyMyService.app/Contents/MacOS/MyMyService

designated => identifier "------------.MyMyService" and anchor apple generic and certificate leaf[subject.CN] = 0x4170706c6520446576656c6f706d656e743a20ed95b4eca09520ec9db420284a42354256364e41524129 and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */


codesign -d --requirement - MyMyService.app/Contents/Library/SystemExtensions/------------.MyMyService.MyMyExt.systemextension 

Executable=/Users/bepoop/Library/Developer/Xcode/DerivedData/MyMyService-extsmvczyriphqaigdiumsnsihyz/Build/Products/Debug/MyMyService.app/Contents/Library/SystemExtensions/------------.MyMyService.MyMyExt.systemextension/Contents/MacOS/------------.MyMyService.MyMyExt

designated => identifier "------------.MyMyService.MyMyExt" and anchor apple generic and certificate leaf[subject.CN] = 0x4170706c6520446576656c6f706d656e743a20ed95b4eca09520ec9db420284a42354256364e41524129 and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */

P.S. designated => identifier "------------.MyMyService.MyMyExt" and ... is the same as my bundle identifier.

Thanks!

That DR is interesting. I’ve never seen a construct like this before:

leaf[subject.CN] = 0x4170706c6520446576656c6f706d656e743a20ed95b4eca09520ec9db420284a42354256364e41524129

You’re getting it because your Apple Development certificate includes Korean characters, which have then been UTF-8 encoded.

I have two theories as to what might be going on. The first one is quite prosaic: Have you checked that the providerBundleIdentifier property in your NEDNSProxyProviderProtocol in your configuration matches the bundle ID of your sysex?

The second revolves around Korean characters, which are notoriously tricky due to Hangul normalisation. There are two potential issues here:

  • You masked the name of your app and your system extension. That’s fine, but do either of those contain Korean characters? If so, I recommend that you replace them with ASCII and try again.

  • It’s also possible that the Korean characters in the DR are causing problems. Do you have access to a different developer account, one without Korean characters, that you could retest with?

To be clear, Korean characters should work in both of these places, and if this reveals a problem then it’s Apple’s problem to fix.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
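
Both checks suggested in the reply above (does the DR identifier match providerBundleIdentifier, and what does the hex-encoded leaf CN decode to) can be scripted against `codesign -d --requirement -` output. The following Python sketch is an added example, not part of the thread or Apple's tooling; the bundle ID, certificate CN and codesign output in it are constructed sample values, and `parse_dr` / `check_dr` are hypothetical helper names.

```python
import re
import unicodedata

# Matches the "designated => ..." line; the leaf CN is either a quoted string
# or, when it contains non-ASCII characters, a 0x-prefixed hex run of UTF-8 bytes.
DR_RE = re.compile(
    r'designated => identifier "(?P<ident>[^"]+)"'
    r'.*?certificate leaf\[subject\.CN\] = '
    r'(?:0x(?P<hex>[0-9a-fA-F]+)|"(?P<text>[^"]*)")'
)

def parse_dr(codesign_output):
    """Return (identifier, leaf CN) from `codesign -d --requirement -` output."""
    m = DR_RE.search(codesign_output)
    if m is None:
        raise ValueError("no designated requirement found")
    if m.group("hex") is not None:
        cn = bytes.fromhex(m.group("hex")).decode("utf-8")
    else:
        cn = m.group("text")
    return m.group("ident"), cn

def check_dr(codesign_output, provider_bundle_id):
    """Compare the DR against the configured providerBundleIdentifier."""
    ident, cn = parse_dr(codesign_output)
    return {
        "identifier": ident,
        "leaf_cn": cn,
        "matches_provider": ident == provider_bundle_id,
        "cn_is_ascii": cn.isascii(),
        # Hangul has distinct composed (NFC) and decomposed (NFD) forms whose
        # bytes differ, so a byte-wise comparison of the two would fail.
        "cn_is_nfc": unicodedata.is_normalized("NFC", cn),
        "nfd_bytes_differ": unicodedata.normalize("NFD", cn).encode() != cn.encode(),
    }

# Constructed sample values (not taken from the thread).
SAMPLE_BUNDLE_ID = "com.example.MyApp.MyExtension"
SAMPLE_CN = "Apple Development: 홍길동 (ABCDE12345)"
SAMPLE_OUTPUT = (
    "Executable=/path/to/MyExtension\n"
    f'designated => identifier "{SAMPLE_BUNDLE_ID}" and anchor apple generic '
    f"and certificate leaf[subject.CN] = 0x{SAMPLE_CN.encode('utf-8').hex()} "
    "and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */\n"
)

if __name__ == "__main__":
    for key, value in check_dr(SAMPLE_OUTPUT, SAMPLE_BUNDLE_ID).items():
        print(f"{key}: {value}")
```

To use it on a real build, pass the captured codesign output for the sysex and the providerBundleIdentifier string from the saved configuration to `check_dr`.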

Thank you for your advice.

  • The app name and system extension name have no Korean.

(and I changed app, sysext name to <TEAMID>.com.<COMPANY>.MyMyService / <TEAMID>.com.<COMPANY>.MyMyService.MyMyExt)

  • I changed the certificate to my own.

Here is the result.

bepoop@bepoop-MacBook-Air Debug % codesign -d --requirement - MyMyService.app 
Executable=/Users/bepoop/Library/Developer/Xcode/DerivedData/MyMyService-extsmvczyriphqaigdiumsnsihyz/Build/Products/Debug/MyMyService.app/Contents/MacOS/MyMyService
designated => identifier "<TEAMID>.com.<COMPANY>.MyMyService" and anchor apple generic and certificate leaf[subject.CN] = "Apple Development: HEESEUNG LEE (C7D7KYLN68)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */

bepoop@bepoop-MacBook-Air Debug % codesign -d --requirement - MyMyService.app/Contents/Library/SystemExtensions/<TEAMID>.com.<COMPANY>.MyMyService.MyMyExt.systemextension
Executable=/Users/bepoop/Library/Developer/Xcode/DerivedData/MyMyService-extsmvczyriphqaigdiumsnsihyz/Build/Products/Debug/MyMyService.app/Contents/Library/SystemExtensions/<TEAMID>.com.<COMPANY>.MyMyService.MyMyExt.systemextension/Contents/MacOS/<TEAMID>.com.<COMPANY>.MyMyService.MyMyExt
designated => identifier "<TEAMID>.com.<COMPANY>.MyMyService.MyMyExt" and anchor apple generic and certificate leaf[subject.CN] = "Apple Development: HEESEUNG LEE (C7D7KYLN68)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */

When I deactivate and reactivate the DNS Proxy in System Settings, the same message appears in the console.

NESMDNSProxySession[Primary Tunnel:<TEAMID>.com.<COMPANY>.MyMyService.MyMyExt:<GUID>:(null)]: Cannot create agent for plugin type <TEAMID>.com.<COMPANY>.MyMyService.MyMyExt, missing designated requirement
NESMDNSProxySession[Primary Tunnel:<TEAMID>.com.<COMPANY>.MyMyService.MyMyExt:<GUID>:(null)]: Failed to create an NEAgent

Could you please give me more hints? Thanks!

Thanks for running those tests. It’s good to rule that out as a potential issue.

could you please give me more hints?

I’m running out of ideas here. I have a bunch of generic advice in Debugging a Network Extension Provider, but I’m not sure any of it will help. Still, if you haven’t read it already, please take a look now.

Beyond that, my only suggestion is that you open a DTS tech support incident so that I can dedicate more time to your issue.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

OK! I've opened a TSI. Let's go on the other new journey, together!
