-_- issue solved after 3 days of headbanging.
We added a --deep flag to OTHER_CODE_SIGN_FLAGS on our main target and that screwed everything up. The unit tests passed and nobody noticed until last week.
Case closed.
We see the same and if you run sudo systemextensionsctl list the result is a bit worrying:
2021-07-21 17:38:11.454 systemextensionsctl[1563:23928] unexpectedly trying to fetch info on a non-staged bundle?
@matt @eskimo
Thank you for the confirmation. The more I dig into this issue, the more complaints I find: there are endless threads of IT folks asking Sophos and Cisco for info on how to remove their sysex, and Sophos is even suggesting disabling SIP in order to run a systemextensionsctl uninstall O_o.
Any clue on when/if the SIP restriction will be lifted on systemextensionsctl?
Hi Eskimo,

Thank you for your answer. I actually have SIP disabled and, not having the entitlement granted by Apple, I removed it from the .entitlements file and added it to my endpoint security Info.plist. My CFBundlePackageType was $(PRODUCT_BUNDLE_PACKAGE_TYPE) and I changed it, just in case, to SYSX. Unfortunately the error is still there.

Here are the logs I can see in the console, filtering for "zuul", which is my prototype name:

default 17:08:05.468297+0000 secinitd Zuul[16986]: root path for bundle "<private>" of main executable "<private>"
default 17:08:05.615951+0000 secinitd Zuul[16986]: AppSandbox request successful
default 17:08:05.648643+0000 Zuul FRONTLOGGING: version 1
default 17:08:05.648670+0000 Zuul Registering, pid=16986
default 17:08:05.650254+0000 Zuul CHECKIN: pid=16986
default 17:08:05.661792+0000 Zuul CHECKEDIN: pid=16986 asn=0x0-0x1b11b1 foreground=0
default 17:08:05.660769+0000 launchservicesd CHECKIN:0x0-0x1b11b1 16986 com.xxxxxxxx.zuul
default 17:08:05.662844+0000 loginwindow -[ApplicationManager checkInAppContext:eventData:] | ApplicationManager: Checked in app : Zuul
default 17:08:05.664459+0000 runningboardd Resolved pid 16986 to [executable<Zuul(501)>:16986]
default 17:08:05.666172+0000 runningboardd [executable<Zuul(501)>:16986] This process will not be managed.
default 17:08:05.666213+0000 runningboardd Now tracking process: [executable<Zuul(501)>:16986]
default 17:08:05.666753+0000 runningboardd Acquiring assertion targeting executable<Zuul(501)> from originator [daemon<com.apple.coreservices.launchservicesd>:213] with description <RBSAssertionDescriptor; uielement:16986; ID: 349-213-1893; target: 16986> attributes = {
<RBSDomainAttribute: 0x7fac5743a380; domain: com.apple.launchservicesd; name: RoleUserInteractive; sourceEnvironment: 0x0>;
}
default 17:08:05.666902+0000 runningboardd Assertion 349-213-1893 (target:executable<Zuul(501)>) will be created as active
default 17:08:05.667510+0000 runningboardd [executable<Zuul(501)>:16986] Ignoring jetsam update because this process is not memory-managed
default 17:08:05.667515+0000 runningboardd Acquiring assertion targeting executable<Zuul(501)> from originator [daemon<com.apple.coreservices.launchservicesd>:213] with description <RBSAssertionDescriptor; uielement:16986; ID: 349-213-1894; target: 16986> attributes = {
<RBSDomainAttribute: 0x7fac57718db0; domain: com.apple.launchservicesd; name: RoleUserInteractive; sourceEnvironment: 0x0>;
}
default 17:08:05.667653+0000 runningboardd [executable<Zuul(501)>:16986] Ignoring resume because this process is not lifecycle managed
default 17:08:05.667879+0000 runningboardd [executable<Zuul(501)>:16986] Set darwin role to: UserInteractive
default 17:08:05.667845+0000 runningboardd Assertion 349-213-1894 (target:executable<Zuul(501)>) will be created as active
default 17:08:05.668214+0000 runningboardd [executable<Zuul(501)>:16986] Ignoring GPU update because this process is not GPU managed
default 17:08:05.668366+0000 runningboardd Finished acquiring assertion 349-213-1893 (target:executable<Zuul(501)>)
default 17:08:05.669126+0000 runningboardd Finished acquiring assertion 349-213-1894 (target:executable<Zuul(501)>)
default 17:08:05.669132+0000 runningboardd Invalidating assertion 349-213-1893 (target:executable<Zuul(501)>) from originator 213
default 17:08:05.673136+0000 *** Non-fatal error enumerating at <private>, continuing: Error Domain=NSCocoaErrorDomain Code=260 "The file “PlugIns” couldn’t be opened because there is no such file." UserInfo={NSURL=PlugIns/ -- file:///Users/kappe/Library/Developer/Xcode/DerivedData/Zuul-fktseybbsnrtfwclzgucnkeddlvj/Build/Products/Debug/Zuul.app/Contents/, NSFilePath=/Users/kappe/Library/Developer/Xcode/DerivedData/Zuul-fktseybbsnrtfwclzgucnkeddlvj/Build/Products/Debug/Zuul.app/Contents/PlugIns, NSUnderlyingError=0x7f89a962bf50 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}
default 17:08:05.673223+0000 *** - 45683955: Checking whether application is managed at file:///Users/kappe/Library/Developer/Xcode/DerivedData/Zuul-fktseybbsnrtfwclzgucnkeddlvj/Build/Products/Debug/Zuul.app//com.xxxxxxxx.zuul
default 17:08:05.676450+0000 Zuul Registered, pid=16986 ASN=0x0,0x1b11b1
default 17:08:05.676589+0000 Zuul Registered, pid=16986 cgConnectionID=182b3
default 17:08:05.678198+0000 Zuul BringForward: pid=16986 asn=0x0-0x1b11b1 bringForward=0 foreground=0 uiElement=1 launchedByLS=0 modifiersCount=0 allDisabled=0
default 17:08:05.679060+0000 Zuul Current system appearance, (HLTB: 2), (SLS: 1)
default 17:08:05.682432+0000 Zuul Post-registration system appearance: (HLTB: 2)
default 17:08:05.695189+0000 distnoted register name: com.apple.xctest.FakeForceTouchDevice object: com.xxxxxxxx.zuul token: f4268 pid: 16986
default 17:08:05.706321+0000 Zuul NSApp cache appearance:
-NSRequiresAquaSystemAppearance: 0
-appearance: (null)
-effectiveAppearance: <NSCompositeAppearance: 0x600002c03b00
(
"<NSDarkAquaAppearance: 0x600002c01700>",
"<NSSystemAppearance: 0x600002c03c00>"
)>
default 17:08:05.706978+0000 distnoted register name: com.apple.nsquiet_safe_quit_give_reason object: com.xxxxxxxx.zuul token: f426e pid: 16986
default 17:08:05.738362+0000 Zuul Registering for test daemon availability notify post.
default 17:08:05.738528+0000 Zuul notify_get_state check indicated test daemon not ready.
default 17:08:05.745275+0000 Zuul SignalReady: pid=16986 asn=0x0-0x1b11b1
default 17:08:05.746018+0000 Zuul SIGNAL: pid=16986 asn=0x0x-0x1774001
error 17:08:05.754288+0000 appleeventsd <rdar://problem/11489077> A sandboxed application with pid 16986, '"Zuul"', checked in with appleeventsd, but its code signature could not be read and validated by appleeventsd, and so it cannot receive AppleEvents targeted by name, bundle id, or signature. Install the application in /Applications/ or some other world readable location to resolve this issue. Error=ERROR: #100013 { "NSDescription"="SecCodeCopySigningInformation() returned 100013, -." }
default 17:08:05.779423+0000 tccd -[TCCDAccessIdentity staticCode]: static code for: identifier com.xxxxxxxx.zuul, type: 0: 0x7fc893e14470 at /Users/kappe/Library/Developer/Xcode/DerivedData/Zuul-fktseybbsnrtfwclzgucnkeddlvj/Build/Products/Debug/Zuul.app
default 17:08:05.788781+0000 Zuul Start
default 17:08:05.844101+0000 sysextd attempting to realize extension with identifier com.xxxxxxxx.zuul.endpoint
default 17:08:05.861742+0000 Zuul System extension request failed: Invalid extension configuration in Info.plist and/or entitlements
default 17:08:15.693908+0000 Zuul LSExceptions shared instance invalidated for timeout.

The interesting ones are the last 3 messages:

sysextd attempting to realize extension with identifier com.xxxxxxxx.zuul.endpoint
Zuul System extension request failed: Invalid extension configuration in Info.plist and/or entitlements

This is the EndpointSecurity Info.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleDevelopmentRegion</key>
<string>$(DEVELOPMENT_LANGUAGE)</string>
<key>CFBundleDisplayName</key>
<string>ZuulEndpoint</string>
<key>CFBundleExecutable</key>
<string>$(EXECUTABLE_NAME)</string>
<key>CFBundleIdentifier</key>
<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
<key>CFBundleInfoDictionaryVersion</key>
<string>6.0</string>
<key>CFBundleName</key>
<string>$(PRODUCT_NAME)</string>
<key>CFBundlePackageType</key>
<string>SYSX</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>CFBundleVersion</key>
<string>1</string>
<key>LSMinimumSystemVersion</key>
<string>$(MACOSX_DEPLOYMENT_TARGET)</string>
<key>NSHumanReadableCopyright</key>
<string>Copyright © 2019 xxxxxx. All rights reserved.</string>
<key>NSSystemExtensionUsageDescription</key>
<string>Test test test TODO</string>
<key>com.apple.developer.endpoint-security.client</key>
<true/>
</dict>
</plist>

Do you have any idea on how to solve this? I'm filing an improvement request for the documentation and for an Xcode template.

Thank you
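The post above places com.apple.developer.endpoint-security.client inside the extension's Info.plist; that key is an entitlement, so it has to be in the .entitlements file that gets baked into the code signature, and Info.plist is the wrong place for it. The following checker is an added example written for this page, not code from the poster or from Apple. It loads a system extension's Info.plist and .entitlements and flags the configuration mistakes the thread turns on: a non-SYSX package type, a missing NSSystemExtensionUsageDescription, build settings left unexpanded (a sign you are inspecting the source plist instead of the one in the built bundle), an entitlement placed in Info.plist, and no Endpoint Security or Network Extension entitlement in .entitlements. The sample plists are constructed to mirror the posted one, and the check that the extension's CFBundleIdentifier starts with the container app's identifier (as com.xxxxxxxx.zuul.endpoint does under com.xxxxxxxx.zuul) is an assumption taken from the posted layout. Passing this check does not mean Apple has granted you the entitlement; it only rules out the local configuration errors.

```python
"""Lint a macOS system extension's Info.plist and .entitlements for the
configuration mistakes behind "Invalid extension configuration in
Info.plist and/or entitlements". Added example; not code from the thread."""
import plistlib

ES_CLIENT = "com.apple.developer.endpoint-security.client"
NE_PROVIDER = "com.apple.developer.networking.networkextension"

# Constructed sample mirroring the posted Info.plist (trimmed): the Endpoint
# Security entitlement key sits in Info.plist and one build setting is
# still unexpanded.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.xxxxxxxx.zuul.endpoint</string>
    <key>CFBundlePackageType</key>
    <string>SYSX</string>
    <key>LSMinimumSystemVersion</key>
    <string>$(MACOSX_DEPLOYMENT_TARGET)</string>
    <key>NSSystemExtensionUsageDescription</key>
    <string>Test test test TODO</string>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: the .entitlements file with the entitlement removed,
# as the post describes.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
</dict>
</plist>
"""


def load_plist(data: bytes) -> dict:
    """Parse XML or binary plist bytes into a dict."""
    return plistlib.loads(data)


def check_sysext(info: dict, entitlements: dict, container_bundle_id: str = "") -> list:
    """Return a list of human-readable problems; empty means nothing found."""
    problems = []
    if info.get("CFBundlePackageType") != "SYSX":
        problems.append("CFBundlePackageType must be the literal string SYSX")
    if not info.get("NSSystemExtensionUsageDescription"):
        problems.append("NSSystemExtensionUsageDescription is missing")
    # Unexpanded $(...) values mean this is the source plist, not the one
    # Xcode wrote into the built .systemextension bundle.
    for key, value in info.items():
        if isinstance(value, str) and "$(" in value:
            problems.append(f"{key} still holds an unexpanded build setting "
                            f"({value}); inspect the Info.plist in the built bundle")
    # Entitlements live in the code signature, never in Info.plist.
    for key in (ES_CLIENT, NE_PROVIDER):
        if key in info:
            problems.append(f"{key} is in Info.plist; it is an entitlement and "
                            "belongs in the .entitlements file")
    if entitlements.get(ES_CLIENT) is not True and not entitlements.get(NE_PROVIDER):
        problems.append("neither the Endpoint Security nor the Network Extension "
                        "entitlement is present in .entitlements")
    # Assumption from the posted layout: the extension's identifier is
    # prefixed by the container app's identifier.
    if container_bundle_id:
        ext_id = info.get("CFBundleIdentifier", "")
        if not ext_id.startswith(container_bundle_id + "."):
            problems.append(f"CFBundleIdentifier {ext_id!r} is not prefixed by "
                            f"the container app identifier {container_bundle_id!r}")
    return problems


if __name__ == "__main__":
    found = check_sysext(load_plist(SAMPLE_INFO_PLIST),
                         load_plist(SAMPLE_ENTITLEMENTS),
                         "com.xxxxxxxx.zuul")
    for line in found or ["no configuration problems found"]:
        print("-", line)
```

To run it against a real build, replace the constructed samples with the bytes of Contents/Library/SystemExtensions/<ext>.systemextension/Contents/Info.plist from the built app and the .entitlements file of the extension target.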
The post is about iOS, not macOS
I'm implementing a NEDNSProxyProvider and I have the same issue. I would like to be able to manipulate the DNS cache at some level; this is a possible scenario:

1. The user turns on the app, which uses NEDNSProxyProvider and specifies a custom DNS server based on some rules.
2. The user visits example.com. This DNS entry is cached.
3. The rules are changed.
4. The user visits example.com again, but the request is cached: the DNS request never hits the NEDNSProxyProvider, so the new rules are not applied until the DNS record TTL expires.

I'm going to open an improvement request.
Nope, and I don't believe it ever will be. Being able to get in the middle of an internet connection is possibly a huge privacy violation that makes sense only on supervised devices.
That's really a good point, I've tried only signing the app with a dev profile for now. Thanks for the hint!
Same issue here, enhancement request open: 47814258 😐
I'm answering my own question, just for documentation:

The solution is to add the DNS configurations to the "Provider configuration" field in the "DNS Proxy" field of the MDM profile.

This configuration is available to the network extension through the "options" parameter in:

startProxy(options: [String: Any]? = nil, completionHandler: @escaping (Error?) -> Void)

and in the container app using

NEDNSProxyProviderProtocol().providerConfiguration
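The answer above says where the rules go (the Provider configuration dictionary of the DNS Proxy payload) and how they reach the extension (the options parameter of startProxy). The block below is an added example written for this page, not code from the poster or from Apple: it parses a constructed MDM profile containing a DNS Proxy payload, checks the payload is addressed to the expected container app and provider extension, returns the ProviderConfiguration dictionary the extension would receive as options, and applies the kind of suffix-based resolver rules the earlier post describes. The payload keys PayloadType, AppBundleIdentifier, ProviderBundleIdentifier and ProviderConfiguration are Apple's DNS Proxy payload keys; the bundle identifiers, the placeholder UUIDs, and the defaultServer/rules layout inside ProviderConfiguration are assumptions made for this example.

```python
"""Added example (not from the thread): extract the DNS Proxy payload's
ProviderConfiguration from an MDM profile and apply suffix-based resolver
rules the way a NEDNSProxyProvider could in startProxy(options:)."""
import plistlib

DNS_PROXY_PAYLOAD = "com.apple.dnsProxy.managed"

# Constructed profile. Bundle IDs, UUIDs and the rule layout inside
# ProviderConfiguration are assumptions for this example.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.xxxxxxxx.zuul.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.dnsProxy.managed</string>
      <key>PayloadIdentifier</key><string>com.xxxxxxxx.zuul.dnsproxy.payload</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>AppBundleIdentifier</key><string>com.xxxxxxxx.zuul</string>
      <key>ProviderBundleIdentifier</key><string>com.xxxxxxxx.zuul.dnsproxy</string>
      <key>ProviderConfiguration</key>
      <dict>
        <key>defaultServer</key><string>192.0.2.53</string>
        <key>rules</key>
        <array>
          <dict>
            <key>suffix</key><string>example.com</string>
            <key>server</key><string>192.0.2.10</string>
          </dict>
          <dict>
            <key>suffix</key><string>corp.example.com</string>
            <key>server</key><string>192.0.2.20</string>
          </dict>
        </array>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""


def provider_configuration(profile: bytes, app_id: str, provider_id: str) -> dict:
    """Return the ProviderConfiguration dict the extension receives as
    startProxy(options:); raise ValueError describing why it would be nil."""
    root = plistlib.loads(profile)
    payloads = [p for p in root.get("PayloadContent", [])
                if p.get("PayloadType") == DNS_PROXY_PAYLOAD]
    if not payloads:
        raise ValueError(f"no {DNS_PROXY_PAYLOAD} payload in profile")
    payload = payloads[0]
    if payload.get("AppBundleIdentifier") != app_id:
        raise ValueError("AppBundleIdentifier does not match the container app")
    if payload.get("ProviderBundleIdentifier") != provider_id:
        raise ValueError("ProviderBundleIdentifier does not match the extension")
    config = payload.get("ProviderConfiguration")
    if not isinstance(config, dict):
        raise ValueError("ProviderConfiguration missing; options would be nil")
    return config


def select_server(config: dict, name: str) -> str:
    """Pick the resolver for a query name: the longest matching suffix rule
    wins; with no match fall back to defaultServer."""
    qname = name.rstrip(".").lower()
    best_suffix, best_server = "", config["defaultServer"]
    for rule in config.get("rules", []):
        suffix = rule["suffix"].rstrip(".").lower()
        matches = qname == suffix or qname.endswith("." + suffix)
        if matches and len(suffix) > len(best_suffix):
            best_suffix, best_server = suffix, rule["server"]
    return best_server


if __name__ == "__main__":
    cfg = provider_configuration(SAMPLE_PROFILE, "com.xxxxxxxx.zuul",
                                 "com.xxxxxxxx.zuul.dnsproxy")
    for qname in ("www.corp.example.com.", "www.example.com", "apple.com"):
        print(qname, "->", select_server(cfg, qname))
```

The identifier checks matter because a payload whose AppBundleIdentifier or ProviderBundleIdentifier does not match the installed app and extension is the usual reason options arrives empty; on the device the same dictionary is what startProxy(options:) hands the provider.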
Same issue here.

My initial idea was to copy the UserDefaults.standard "com.apple.dnsProxy.managed" value to the App Groups shared UserDefaults, but I can't assume the main app is ever executed, so how can I have access to the "com.apple.dnsProxy.managed" dictionary in UserDefaults from the network extension?

Has someone solved the problem?
1) I was simply trying to take advantage of your knowledge and get as much info as possible. I'll raise an enhancement request, as suggested. Thank you.

2) This makes sense, even if in our case we have the possibility to switch off the DNSProxy manually.

Thank you very much for the prompt answer.