Network Extension Signed by Developer ID Not Activating

App & System Services Networking
neil218 OP
Created Jun ’24
Replies 5
Boosts 0
Views 595
Participants 2

Hello,

I am working on a macOS VPN app using Network Extension's packet tunnel capability.

When the container app (referred to as "App" below) and the network extension plugin (referred to as "NE" below) are signed with my development certificate, everything works perfectly.

However, when they are signed with a Developer ID certificate, the network extension refuses to activate.

Here are the details:

  1. The App has sandbox set to off, but the NE has sandbox set to on.
  2. I managed to archive and notarize both Developer ID signed App and NE.
  3. The Debug version and Release version don't use the same App ID or App Group ID to make sure there is no interference.
  4. I am aware that the NE entitlement value changes if signed by Developer ID. I followed the instructions and used packet-tunnel-provider-systemextension instead of packet-tunnel-provider.
  5. I tested adding System Extension capability into the App, but it made no difference.
  6. The activate tunnel function returns NEVPNError.Code.configurationInvalid, but I don't think the configuration is invalid. The same configuration works with a development profile.
  7. In the system console, I observed the following log messages:
Looking for an extension with identifier {NE_BUNDLE_ID} and extension point com.apple.networkextension.packet-tunnel

Found 1 extension(s) with identifier {NE_BUNDLE_ID} and extension point com.apple.networkextension.packet-tunnel

Beginning extension request with extension {NE_BUNDLE_ID}

Assertion 395-24105-185921 (target:[xpcservice<{NE_BUNDLE_ID}([osservice<com.apple.neagent(512863558)>:24105:24105])(512863558)>:42188]) will be created as active

[0x12be187f0] activating connection: mach=false listener=false peer=false name={NE_BUNDLE_ID}.apple-extension-service

Entitlement com.apple.application-identifier={APP_GROUP_ID} is ignored because of invalid application signature or incorrect provisioning profile

Entitlement com.apple.security.application-groups=(
    {APP_GROUP_ID} 
) is ignored because of invalid application signature or incorrect provisioning profile

{APP NAME}[42130]/1#5 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither com.apple.application-identifier nor com.apple.security.application-groups nor keychain-access-groups entitlements" UserInfo={numberOfErrorsDeep=0, NSDescription=Client has neither com.apple.application-identifier nor com.apple.security.application-groups nor keychain-access-groups entitlements}

Any guidance or suggestions would be greatly appreciated.

Thank you!

Replies  5
Boosts  0
Views  595
Participants  2
neil218 OP
Jun ’24

Another strange behavior I noticed is that if I generate, notarize, and launch my Developer ID signed build once (the tunnel activation will fail, of course, as described above), then my DEV build will start to fail too. I had to apply a brand new App ID to continue my development.

0
DTS Engineer OP
Apple
Jun ’24

It sounds like you’re trying to do the export using Xcode. That won’t work. You have to do this stuff manually )-: I go into this in detail in Exporting a Developer ID Network Extension.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
neil218 OP
Jun ’24

Thank you very much. You're right. I did notarize and export my App and Network Extension using Xcode 15.2.

Today, I managed to swap entitlements, code sign, and notarize everything manually following your instructions. However, I am still experiencing the same issue. What could possibly be going wrong?

Any guidance would be greatly appreciated.

In the meantime, I am starting to try to distribute the app using the Mac App Store.

0
DTS Engineer OP
Apple
Jun ’24

However, I am still experiencing the same issue.

By that you’re referring to the .configurationInvalid error, right?

If so, please try reproducing this on a ‘clean’ machine. That is:

  1. Build, export, sign, and notarise your product in the normal way.

  2. Transfer that to a machine that’s never seen your program before. I usually do this with a VM, so I can restore from a clean snapshot between each test.

  3. Install and run things as a user would.

Do you still see the problem there?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
neil218 OP
Jun ’24

Yes, the activate tunnel API returns .configurationInvalid error.

In the meantime, I can see multiple codesign related errors in the Console app.

Entitlement com.apple.application-identifier=MyTeam.AppID.network-extension is ignored because of invalid application signature or incorrect provisioning profile

Signature check failed: code failed to satisfy specified code requirement(s)

I did two tests, both signed and notarized manually. In the first test, I used the App ID with which I had previously failed to launch the app. In the second test, I used a brand new App ID and rebooted my MacBook before launching the app.

I will try to test in a clean environment as soon as possible and get back to you.

Thank you for your assistance.

0
Network Extension Signed by Developer ID Not Activating
First post date Last post date
 
 
Q