packet-tunnel-systemextension OSSystemExtensionErrorDomain 8

Just so we’re on the same page, error 8 is OSSystemExtensionErrorCodeSignatureInvalid. My experience is that, when the System Extensions framework returns that error, it logs more details to the system log. I recommend you look there. See Your Friend the System Log for advice on how to use the system log effectively.

I recommend that you set up a VM to test this. That way you can be sure that your development state isn’t interfering with the test. See Testing a Notarised Product.

I have general advice on how to sign and package macOS software in:

• Creating distribution-signed code for macOS

• Packaging Mac software for distribution

I have advice specific to NE sysexes in the Exporting a Developer ID Network Extension DevForums post.

IMPORTANT Pay attention to the provisioning profile part of that. The steps in your post didn’t mention profiles at all, which isn’t a good sign.

Apropos those steps, be aware that steps 1 and 2 are redundant. When signing bundled code, you only need to sign the bundle.

Also has to tried with --deep, but no luck.

Don’t do that. See --deep Considered Harmful.

While testing this, I recommend that you skip the installer. There’s nothing fundamentally wrong with using an installer to install your app, but it’s an extra step that could go wrong. So, simplify the problem to:

1. Notarise a zip archive.

2. Once you have the ticket, unpack the zip, staple the app, and then repack the zip.

3. Copy that zip to your test VM in a way that sets quarantine.

4. Unpack it there.

5. Drag the app to the Applications folder.

6. Launch the app and run your test.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Big thanks @DTS Engineer.

after 2 days of additional research, i've mark next points.

• need to sign bundle, and execution file to, one without entitlements, second with. First of all we signing Sysex , than main app.

Commands looks like next:

codesign -f --timestamp --options runtime --sign "${certificate_name}" ${app_bundle.app}

codesign -f --timestamp --options runtime --entitlements "${app_entitlements}" --sign "${certificate_name}" "${app_bundle.app}/Contents/MacOS/${app_name}"

Also i have to removed keychain access group compatibility, cause when i've trying to run. It can't be run cause saying that signing is wrong.

But after removing it solved. In console, i've see the error.

Entitlement com.apple.security.application-groups=(
    "group.com.ex.company.appname"
) is ignored because of invalid application signature or incorrect provisioning profile

its super strange message, and possibly can affect something, but not sure. (Maybe there is must be prefixed with TeamId?) Could you please add comments for it?

and second the last difficult things, its** impossible to start VPN tunnel ** without profiles: (For App and Tunnel) Its allow to activate sysex, allow to add vpn configuration , but when all its began to says:

nesessionmanager NESMVPNSession[Primary Tunnel:VPN Satoshi:1D0EF122-2CEA-4632-8CD2-D09B7C8CA5F0:(null)]: Received a start command from Application-Mac-External[2985]

Found 0 (0 active) registrations for com.ex.company.applicationname.packet-tunnel (com.apple.networkextension.packet-tunnel)

Its happening on any laptop without installed profiles, and looks like currently its last blocker, which i can't understand how to solve, could you please help?

need to sign bundle, and execution file to

That’s not right. If the executable is the main executable of a bundled product, you only need to sign the bundle. That’ll seal over the entire bundle, including its main executable. Creating distribution-signed code for macOS talks about this in some depth.

Also i have to removed keychain access group compatibility

Keychain access groups are related to the data protection keychain. Your sysex is effectively a daemon, and thus can’t use the data protection keychain. TN3137 On Mac keychain APIs and implementations explains all of this in more detail.

But after removing it solved. In console, i've see the error.

Oh man!, you’re hitting all the weirdness.

App groups behaviour is very differently on macOS and iOS. I talk about this in detail in App Groups: macOS vs iOS: Fight!.

App groups aren’t as useful in a sysex as they are in an appex because your sysex runs as root, and thus can’t share a group container its containing app.

However, they are still required in some cases, most notably to handle IPC. If you need an app group for that, it has to start with the macOS-style prefix (your Team ID) and, because your sysex is sandboxed, you must sign it with the app group entitlement.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Last answer help me to found two errors, first one was in incompatibilities between values in profile and Entitlements. There were one wrong value, and second one which you mention its a group, which must start from team id, it mostly unclear things, cause on creating profile step, developer apple portal don't allow you to create a group without starting from group prefix.

Thanks for your help, it was a bit difficult, cause some things is not clear and as the result, i've just trying.

One more thanks. :)