Post not yet marked as solved
Hi.
I want to automate test installation and uninstallation of network extension software.
However, it looks like whenever I install, the Gatekeeper pop-up and another pop-up always block automation.
My app is fully notarized and stapled, but it seems like it is almost impossible to bypass those two pop-ups.
I want something with similar functionality to Windows Test Mode.
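The closest macOS equivalent to a "test mode" for the second prompt (the system extension approval) is the System Extension Policy configuration profile, which pre-approves named extensions when an MDM delivers it. The script below is an added example for the post above, not code from the poster or from Apple: it generates a `com.apple.system-extension-policy` profile and evaluates a profile against a given extension. The team ID, bundle IDs and `com.example` identifiers are placeholders.

```python
"""Pre-approve a team's system extensions on managed test machines.

Added example for the automation question above; it is not code from the
original post or from Apple. It emits a com.apple.system-extension-policy
configuration profile (the payload that removes the "System Extension
Blocked" approval prompt when an MDM delivers it) and evaluates a profile
against a given extension. The team ID, bundle IDs and com.example
identifiers are placeholders.
"""
import plistlib
import uuid


def system_extension_policy_profile(team_id, bundle_ids, ext_types=(),
                                    allow_whole_team=False):
    """Return a .mobileconfig as XML plist bytes.

    Least privilege by default: only the named bundle IDs of this team are
    allowed. ext_types=("NetworkExtension",) widens that to every extension
    of that type from the team; allow_whole_team=True lists the team in
    AllowedTeamIdentifiers, which approves any of its extensions.
    """
    payload = {
        "PayloadType": "com.apple.system-extension-policy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.sysext-policy.{team_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "System Extension Policy",
        # Users cannot approve extensions outside the lists below.
        "AllowUserOverrides": False,
        "AllowedSystemExtensions": {team_id: list(bundle_ids)},
        "AllowedSystemExtensionTypes": {team_id: list(ext_types)},
    }
    if allow_whole_team:
        payload["AllowedTeamIdentifiers"] = [team_id]
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": "com.example.sysext-policy",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Test lab: pre-approve system extensions",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def is_preapproved(mobileconfig, team_id, bundle_id, ext_type="NetworkExtension"):
    """True if any system-extension-policy payload in the profile lists the
    extension's team, its bundle ID, or its type for that team (each list
    grants approval on its own)."""
    profile = plistlib.loads(mobileconfig)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.system-extension-policy":
            continue
        if team_id in payload.get("AllowedTeamIdentifiers", []):
            return True
        if bundle_id in payload.get("AllowedSystemExtensions", {}).get(team_id, []):
            return True
        if ext_type in payload.get("AllowedSystemExtensionTypes", {}).get(team_id, []):
            return True
    return False


if __name__ == "__main__":
    cfg = system_extension_policy_profile("ABCDE12345", ["com.example.filter.ext"])
    with open("sysext-policy.mobileconfig", "wb") as f:
        f.write(cfg)
    print(is_preapproved(cfg, "ABCDE12345", "com.example.filter.ext"))
```

The profile has to reach the machine through MDM (user-approved enrollment); a profile installed by double-clicking is not honored for this payload. The first prompt, Gatekeeper, is driven by the `com.apple.quarantine` attribute on the downloaded installer, so test harnesses usually fetch the artifact with curl or scp (which do not set the attribute) or run `xattr -d com.apple.quarantine` on it before installing. On a throwaway VM with SIP disabled, `systemextensionsctl developer on` additionally lets the extension load from a build directory instead of /Applications.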
Post not yet marked as solved
Hi.
My system extensions hang when I do the system extensions list,
and I believe it has something to do with a hang when I tried to open System Preferences > Security & Privacy.
Big Sur 11.6.5
I disabled SIP hoping that might help, so the state of SIP is not relevant here.
How do I recover from it?
I already tried recovery mode, PRAM reset, etc. I even reinstalled Big Sur, which doesn't help.
Process: sysextd [8020]
Path: /System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd
Identifier: sysextd
Version: ???
Code Type: X86-64 (Native)
Parent Process: launchd [1]
User ID: 0
Date/Time: 2022-04-24 08:19:55.3971 -0700
OS Version: macOS 11.6.5 (20G527)
Report Version: 12
Bridge OS Version: 6.4 (19P4242)
Anonymous UUID: C4E6D890-8EC9-1CEF-396D-A7FF30DCCC6D
Time Awake Since Boot: 6000 seconds
System Integrity Protection: disabled
Crashed Thread: 1 Dispatch queue: sysextd.extension_manager
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace LIBSYSTEM, Code 2 Application Triggered Fault
Application Specific Information:
Thread 0:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x7fff2054a9de __ulock_wait + 10
1 libdispatch.dylib 0x7fff203d4fd7 _dlock_wait + 44
2 libdispatch.dylib 0x7fff203d526b _dispatch_group_wait_slow + 49
3 libdispatch.dylib 0x7fff203d7b2f dispatch_block_wait + 212
4 sysextd 0x108845f02 0x10883e000 + 32514
5 sysextd 0x108848e30 0x10883e000 + 44592
6 sysextd 0x1088485a9 0x10883e000 + 42409
7 libdyld.dylib 0x7fff20599f3d start + 1
Thread 1 Crashed:: Dispatch queue: sysextd.extension_manager
0 libsystem_kernel.dylib 0x7fff2056b55e __abort_with_payload + 10
1 libsystem_kernel.dylib 0x7fff2056cfc5 abort_with_payload_wrapper_internal + 80
2 libsystem_kernel.dylib 0x7fff2056cff7 abort_with_payload + 9
3 libsystem_c.dylib 0x7fff204d265f _os_crash_fmt.cold.1 + 55
4 libsystem_c.dylib 0x7fff20465165 _os_crash_fmt + 154
5 sysextd 0x108843520 0x10883e000 + 21792
6 sysextd 0x1088a7b34 0x10883e000 + 432948
7 sysextd 0x108865c6d 0x10883e000 + 162925
8 sysextd 0x108868538 0x10883e000 + 173368
9 sysextd 0x108845f49 0x10883e000 + 32585
10 libdispatch.dylib 0x7fff203e119e _dispatch_block_async_invoke2 + 83
11 libdispatch.dylib 0x7fff203d4806 _dispatch_client_callout + 8
12 libdispatch.dylib 0x7fff203da5ea _dispatch_lane_serial_drain + 606
13 libdispatch.dylib 0x7fff203db0ad _dispatch_lane_invoke + 366
14 libdispatch.dylib 0x7fff203e4c0d _dispatch_workloop_worker_thread + 811
15 libsystem_pthread.dylib 0x7fff2057b45d _pthread_wqthread + 314
16 libsystem_pthread.dylib 0x7fff2057a42f start_wqthread + 15
Thread 1 crashed with X86 Thread State (64-bit):
rax: 0x0000000002000209 rbx: 0x0000000000000000 rcx: 0x0000700000f21818 rdx: 0x0000700000f218d0
rdi: 0x0000000000000012 rsi: 0x0000000000000002 rbp: 0x0000700000f21860 rsp: 0x0000700000f21818
r8: 0x00007fc0b5704590 r9: 0x0000000000000000 r10: 0x000000000000005a r11: 0x0000000000000246
r12: 0x000000000000005a r13: 0x0000700000f218d0 r14: 0x0000000000000002 r15: 0x0000000000000012
rip: 0x00007fff2056b55e rfl: 0x0000000000000246 cr2: 0x000000010a9a4000
Logical CPU: 0
Error Code: 0x02000209
Trap Number: 133
Binary Images:
0x7fff20548000 - 0x7fff20577fff libsystem_kernel.dylib (*) <f0ea5d27-bbc5-3934-ab09-4a5301731981> /usr/lib/system/libsystem_kernel.dylib
0x7fff203d1000 - 0x7fff20415fff libdispatch.dylib (*) <ba7ad614-f2c2-3e89-9043-43dd548ae5b1> /usr/lib/system/libdispatch.dylib
0x10883e000 - 0x1088d1fff sysextd (*) <5c524909-d7cc-3531-8d1b-41017d247ac6> /System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd
0x7fff20584000 - 0x7fff205bffff libdyld.dylib (*) <5fbd0e1a-acce-36db-b11c-622f26c85132> /usr/lib/system/libdyld.dylib
0x7fff20453000 - 0x7fff204dbfff libsystem_c.dylib (*) <8447a4b8-0751-3ef1-aa9b-042e40efa07d> /usr/lib/system/libsystem_c.dylib
0x7fff20578000 - 0x7fff20583fff libsystem_pthread.dylib (*) <49670aec-4d5d-3383-906c-23f568351fcb> /usr/lib/system/libsystem_pthread.dylib
External Modification Summary:
Calls made by other processes targeting this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by all processes on this machine:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
VM Region Summary:
ReadOnly portion of Libraries: Total=637.0M resident=0K(0%) swapped_out_or_unallocated=637.0M(100%)
Writable regions: Total=279.1M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=279.1M(100%)
VIRTUAL REGION
REGION TYPE SIZE COUNT (non-coalesced)
=========== ======= =======
Activity Tracing 256K 1
Dispatch continuations 96.0M 1
Kernel Alloc Once 8K 1
MALLOC 54.1M 18
MALLOC guard page 24K 5
MALLOC_MEDIUM (reserved) 120.0M 1 reserved VM address space (unallocated)
STACK GUARD 56.0M 2
Stack 8712K 2
VM_ALLOCATE 12K 3
__DATA 7022K 218
__DATA_CONST 8248K 140
__DATA_DIRTY 455K 87
__FONT_DATA 4K 1
__LINKEDIT 500.3M 5
__OBJC_RO 70.3M 1
__OBJC_RW 2496K 2
__TEXT 136.7M 218
__UNICODE 588K 1
mapped file 31.7M 2
shared memory 572K 5
=========== ======= =======
TOTAL 1.1G 714
TOTAL, minus reserved VM space 972.8M 714
Post not yet marked as solved
Hi. I have a question about SimpleFirewall for inbound flow control.
let inboundNetworkRule = NENetworkRule(remoteNetwork: nil,
                                       remotePrefix: 0,
                                       localNetwork: localNetwork,
                                       localPrefix: 0,
                                       protocol: .TCP,
                                       direction: .inbound)
In this example, I noticed that if I add a specific remoteNetwork instead of nil, the flow doesn't hit the handleNewFlow function at all.
In the case of remoteNetwork: "0.0.0.0" and remotePrefix: 0, all the inbound flows hit handleNewFlow, but in the case of
remoteNetwork: "192.168.41.161" and remotePrefix: 32
it won't work.
Am I missing something, or is it a limitation of the content filter provider?
Besides, is there any way we can catch flows by port ranges?
Post not yet marked as solved
Hi.
I have a fresh Catalina install, version 10.15.7.
When I run
/Application/Safari.app/Contents/MacOS/Safari
from my user account terminal, there is no issue.
However, if I do
sudo /Application/Safari.app/Contents/MacOS/Safari
I get the error: zsh: illegal hardware instruction /Application/Safari.app/Contents/MacOS/Safari
What is wrong?
I don't see this issue with my Big Sur, though.
Post not yet marked as solved
I read somewhere that any apps installed under
/Library/LaunchDaemons will be run system-wide
and any apps under /Library/LaunchAgents will be run on a per-user basis.
I noticed that the network extension app (which contains one hosting app and one network extension) is installed under LaunchAgents, not under LaunchDaemons.
Does that mean any network extension requires a user to be logged in?
Or will it continue to work even after the user logs out?
Post not yet marked as solved
Hi.
I have an archive package that contains multiple packages.
One of the pkgs has a network extension app.
I normally notarize the top archive package and staple it.
However, when I try to install the pkg, I keep encountering Gatekeeper.
I notarized and stapled each of the pkgs inside the archive, then
created the archive package again and notarized/stapled it.
But again, I still see the same issue: I keep seeing Gatekeeper.
Am I missing something?
Post not yet marked as solved
Hi.
I have a problem launching a notarized app on Catalina.
Here is the dump of each command:
security cms -D -i ./foo.app/Contents/embedded.provisionprofile
<key>Entitlements</key>
<dict>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-proxy-provider</string>
<string>content-filter-provider</string>
<string>packet-tunnel-provider</string>
<string>dns-proxy</string>
<string>dns-settings</string>
</array>
<key>com.apple.application-identifier</key>
<string>69Q4FM6AL9.com.foo.foo-ven.filter</string>
<key>keychain-access-groups</key>
<array>
<string>69Q4FM6AL9.*</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>69Q4FM6AL9</string>
</dict>
<key>ExpirationDate</key>
<date>2023-03-17T17:17:19Z</date>
<key>Name</key>
<string>Mac Team Provisioning Profile: com.foo.foo-ven.filter</string>
<key>ProvisionedDevices</key>
<array>
<string>2B599D97-8FEF-5882-A14B-F1DF26B8D5D7</string>
<string>564D6794-6B4B-1320-D0BB-3E45014AF41C</string>
<string>564D82E8-7BE0-078D-5B15-BCA5E143D1C9</string>
<string>09782725-2944-5F56-BC1B-EE723365C425</string>
<string>564DCBDB-1406-AE9A-4ADE-F33897B06F77</string>
<string>87E06DD6-94FC-5268-91E6-35488508A0F7</string>
<string>271B625C-75A3-5435-8C15-2163E942A995</string>
</array>
<key>TeamIdentifier</key>
<array>
<string>69Q4FM6AL9</string>
</array>
<key>TeamName</key>
<string>foo, Inc.</string>
<key>TimeToLive</key>
<integer>365</integer>
<key>UUID</key>
<string>bd08aec0-c92e-420e-8414-a2191d228fdc</string>
<key>Version</key>
<integer>1</integer>
</dict>
codesign -d --entitlements :- ./foo.app
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>69Q4FM6AL9.com.foo.foo-ven.filter</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>content-filter-provider</string>
</array>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string>69Q4FM6AL9</string>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>69Q4FM6AL9.group.com.foo.foo_ven.filter_data</string>
</array>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
</dict>
Can you help me figure out why my app is failing to run with
removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Applications/fooVenFilter.app/Contents/MacOS/fooVenFilter:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
Post not yet marked as solved
I have a flattened pkg file to notarize.
It is signed at build time with Developer ID Installer.
Here is the output of a series of commands:
check notarization status
submit for notarization and wait for the status
check status of notarization after notarization completes
mtnview@C02YC2G0JGH5 ~/D/s/d/h/c/pkgs>spctl -a -vvv -t install ./foo.mac11.x86_64.pkg
./foo.mac11.x86_64.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: foo, Inc. (69Q4FM6AL9)
mtnview@C02YC2G0JGH5 ~/D/s/d/h/c/pkgs> xcrun notarytool submit ./foo.mac11.x86_64.pkg --keychain-profile "AC_PASSWORD" --wait
Conducting pre-submission checks for foo.mac11.x86_64.pkg and initiating connection to the Apple notary service...
Submission ID received
id: cc2d06be-fb07-4794-a92a-996ac07985fd
Successfully uploaded file
id: cc2d06be-fb07-4794-a92a-996ac07985fd
path: /Users/mtnview/Documents/shared_vm/dev/hawkeye/cmake-macos/pkgs/foo.mac11.x86_64.pkg
Waiting for processing to complete.
Current status: Accepted..........
Processing complete
id: cc2d06be-fb07-4794-a92a-996ac07985fd
status: Accepted
mtnview@C02YC2G0JGH5 ~/D/s/d/h/c/pkgs> spctl -a -vvv -t install ./foo.mac11.x86_64.pkg
./foo.mac11.x86_64.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: foo, Inc. (69Q4FM6AL9)
Apple says it is accepted, but the status still says Unnotarized Developer ID and rejected?
Here is the log:
"logFormatVersion": 1,
"jobId": "cc2d06be-fb07-4794-a92a-996ac07985fd",
"status": "Accepted",
"statusSummary": "Ready for distribution",
"statusCode": 0,
"archiveFilename": "foo.mac11.x86_64.pkg",
"uploadDate": "2022-03-17T13:35:11.753Z",
"sha256": "d5fa4e165df10b548f111a193fbbddceadcdc6a68307884dd5ae5f57a6bbe73a",
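A cross-check for the situation above (the notary service says Accepted, spctl says Unnotarized Developer ID), as an added example that is not part of the original post or of Apple's tooling. It takes the notary log JSON as returned by `xcrun notarytool log <id>`, the `spctl -a -vvv -t install` output, and the package itself, and reports whether the file on disk is byte-for-byte the one that was notarized and whether a ticket still needs to be stapled. The `SAMPLE_*` values are constructed for the demo; only the field names come from the post.

```python
"""Cross-check a Developer ID package against its notary log and spctl verdict.

Added example, not code from the original post. It uses the fields visible in
the post (the notary log's status and sha256; spctl's verdict, source and
origin lines). SAMPLE_* values are constructed for the demo.
"""
import hashlib
import json
import re


def sha256_of(artifact):
    """SHA-256 hex digest of a file path (str) or of in-memory bytes."""
    h = hashlib.sha256()
    if isinstance(artifact, (bytes, bytearray)):
        h.update(artifact)
    else:
        with open(artifact, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
    return h.hexdigest()


def parse_spctl(output):
    """Parse `spctl -a -vvv -t install pkg` output into
    {'path', 'verdict', 'source', 'origin'}."""
    result = {}
    for line in output.strip().splitlines():
        line = line.strip()
        m = re.match(r"^(.*): (accepted|rejected)$", line)
        if m:
            result["path"], result["verdict"] = m.group(1), m.group(2)
        elif "=" in line:
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip()
    return result


def diagnose(artifact, notary_log, spctl_output):
    """Return a list of findings for an 'Accepted but rejected' package."""
    log = json.loads(notary_log) if isinstance(notary_log, str) else notary_log
    verdict = parse_spctl(spctl_output)
    findings = []
    if log.get("status") != "Accepted":
        findings.append(f"notary status is {log.get('status')!r}, not 'Accepted'")
    # The log's sha256 is the hash of the upload; the file being assessed must
    # be that exact file, not a later rebuild with the same name.
    hash_matches = sha256_of(artifact) == log.get("sha256")
    if not hash_matches:
        findings.append("local sha256 differs from the notarized upload: the file was "
                        "rebuilt or modified after submission; resubmit this exact file")
    if (verdict.get("verdict") == "rejected"
            and verdict.get("source") == "Unnotarized Developer ID"
            and hash_matches):
        findings.append("this exact file was accepted but no ticket is stapled to it: run "
                        "`xcrun stapler staple <pkg>` and re-run spctl (without stapling, "
                        "assessment depends on an online ticket lookup)")
    if verdict.get("verdict") == "accepted":
        findings.append("spctl accepts the package")
    return findings


# Constructed sample inputs (stand-ins for the real pkg, log and spctl output).
SAMPLE_PKG = b"constructed stand-in for the bytes of foo.mac11.x86_64.pkg"
SAMPLE_LOG = json.dumps({
    "logFormatVersion": 1,
    "jobId": "00000000-0000-0000-0000-000000000000",
    "status": "Accepted",
    "statusSummary": "Ready for distribution",
    "statusCode": 0,
    "archiveFilename": "foo.mac11.x86_64.pkg",
    "sha256": sha256_of(SAMPLE_PKG),
})
SAMPLE_SPCTL = (
    "./foo.mac11.x86_64.pkg: rejected\n"
    "source=Unnotarized Developer ID\n"
    "origin=Developer ID Installer: foo, Inc. (69Q4FM6AL9)\n"
)

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_PKG, SAMPLE_LOG, SAMPLE_SPCTL):
        print("-", finding)
```

`xcrun notarytool submit --wait` reports the verdict but never staples; `xcrun stapler validate foo.pkg` tells you whether a ticket is attached before you reach for spctl again.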
Post not yet marked as solved
Through Xcode, I was able to add content-filter-provider, but I cannot find a way to add the content-filter-provider-systemextension entitlement.
Based on the documentation, I need the content-filter-provider-systemextension entitlement with Developer ID.
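Both entitlement posts above (the notarized app that dies with OS_REASON_CODESIGNING after dumping its profile and signed entitlements, and the question about content-filter-provider-systemextension) come down to the same comparison: every restricted entitlement in the code signature must be granted by the embedded provisioning profile, and a Developer ID system extension needs the `-systemextension` variants of the Network Extension values. The script below is an added example, not code from the poster or from Apple. Its sample plists are built from the values quoted in the earlier post; feed real ones from `security cms -D -i Foo.app/Contents/embedded.provisionprofile` and `codesign -d --entitlements :- Foo.app`. The restricted-key list is this example's assumption, not Apple's complete list.

```python
"""Compare signed entitlements with the embedded provisioning profile, and list
the Network Extension values a Developer ID system extension still needs.

Added example for the two entitlement posts above; not code from the poster
or from Apple. PROFILE_XML / SIGNED_XML are reconstructed from the values
quoted in the post (profile trimmed to the keys used here).
"""
import plistlib
from fnmatch import fnmatchcase

PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Entitlements</key><dict>
<key>com.apple.developer.system-extension.install</key><true/>
<key>com.apple.developer.networking.networkextension</key><array>
<string>app-proxy-provider</string><string>content-filter-provider</string>
<string>packet-tunnel-provider</string><string>dns-proxy</string><string>dns-settings</string></array>
<key>com.apple.application-identifier</key><string>69Q4FM6AL9.com.foo.foo-ven.filter</string>
<key>keychain-access-groups</key><array><string>69Q4FM6AL9.*</string></array>
<key>com.apple.developer.team-identifier</key><string>69Q4FM6AL9</string></dict>
<key>Name</key><string>Mac Team Provisioning Profile: com.foo.foo-ven.filter</string>
<key>ProvisionedDevices</key><array><string>2B599D97-8FEF-5882-A14B-F1DF26B8D5D7</string></array>
<key>TeamIdentifier</key><array><string>69Q4FM6AL9</string></array>
</dict></plist>"""

SIGNED_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.application-identifier</key><string>69Q4FM6AL9.com.foo.foo-ven.filter</string>
<key>com.apple.developer.networking.networkextension</key><array><string>content-filter-provider</string></array>
<key>com.apple.developer.system-extension.install</key><true/>
<key>com.apple.developer.team-identifier</key><string>69Q4FM6AL9</string>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.application-groups</key><array><string>69Q4FM6AL9.group.com.foo.foo_ven.filter_data</string></array>
<key>com.apple.security.files.user-selected.read-only</key><true/>
</dict></plist>"""

PROFILE = plistlib.loads(PROFILE_XML)
SIGNED = plistlib.loads(SIGNED_XML)

# Entitlement keys a profile must authorize (this example's list; Apple's is longer).
RESTRICTED = ("com.apple.developer.", "com.apple.application-identifier", "keychain-access-groups")

# Network Extension values a Developer ID-signed system extension needs instead
# of the plain provider values Xcode's capability editor adds.
SYSEXT_VARIANT = {
    "content-filter-provider": "content-filter-provider-systemextension",
    "packet-tunnel-provider": "packet-tunnel-provider-systemextension",
    "app-proxy-provider": "app-proxy-provider-systemextension",
    "dns-proxy": "dns-proxy-systemextension",
}


def is_restricted(key):
    return any(key == r or key.startswith(r) for r in RESTRICTED)


def covered(signed_value, allowed_value):
    """True if a signed entitlement value lies within what the profile allows.
    Profile strings may end in a wildcard (69Q4FM6AL9.*); a signed array is
    covered only if every element is."""
    if isinstance(signed_value, bool):
        return (not signed_value) or allowed_value is True
    if isinstance(signed_value, str):
        allowed = allowed_value if isinstance(allowed_value, list) else [allowed_value]
        return any(isinstance(a, str) and fnmatchcase(signed_value, a) for a in allowed)
    if isinstance(signed_value, list):
        return all(covered(v, allowed_value) for v in signed_value)
    return signed_value == allowed_value


def unsatisfied(profile, signed):
    """Restricted entitlements in the signature that the profile does not grant."""
    allowed = profile.get("Entitlements", {})
    return sorted(k for k, v in signed.items()
                  if is_restricted(k) and not covered(v, allowed.get(k)))


def profile_kind(profile):
    """Device-limited (development) profiles carry ProvisionedDevices; Developer
    ID and App Store profiles do not, and a Developer ID-signed binary is not
    authorized by a development profile."""
    return "development" if "ProvisionedDevices" in profile else "distribution"


def missing_systemextension_variants(signed):
    have = set(signed.get("com.apple.developer.networking.networkextension", []))
    return sorted(SYSEXT_VARIANT[v] for v in have
                  if v in SYSEXT_VARIANT and SYSEXT_VARIANT[v] not in have)


if __name__ == "__main__":
    print("profile kind:", profile_kind(PROFILE))
    print("unsatisfied:", unsatisfied(PROFILE, SIGNED))
    print("needed for a Developer ID sysext:", missing_systemextension_variants(SIGNED))
```

Run `codesign -d --entitlements :-` a second time on the `.systemextension` bundle under `Contents/Library/SystemExtensions`, since that is the binary sysextd validates, not the outer app. The `-systemextension` values are not offered by Xcode's capability editor; once Apple grants them they go into the `.entitlements` file by hand, and the profile has to be regenerated so it carries them too.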
Post not yet marked as solved
Hi.
I am trying to understand how NEFilterDataProvider works.
I see handleNewFlow handles newly created flows matching the NEFilterRules that I set.
However, it doesn't look like it handles preexisting connections.
The existing traffic doesn't go to any of the handlers, so there is no way to give a verdict.
How do I keep preexisting connections from being interrupted?