System Extensions


Install and manage user space code that extends the capabilities of macOS using System Extensions.


Posts under System Extensions tag

108 Posts
Post marked as solved
8 Replies
2.8k Views
I have requested an Endpoint Security entitlement through this form: https://developer.apple.com/contact/request/system-extension/ How can I see that my request is done? How can I check that I am able to use this entitlement? Should it be listed in my App ID Configuration Capabilities?
Post marked as solved
2 Replies
950 Views
I am playing with endpoint security. I am trying to implement block/allow user to read/write files on a USB media drive. I made my ep utility as a launchctl daemon. I found that some applications couldn't start until I muted those processes for ep_client. Moreover, some system processes couldn't start until I muted messages from them. And even more, if my utility autoruns on system start, the clock in the top right corner of the screen may be absent. The Terminal app couldn't restore its state; it hangs on start. Actually, I came to the conclusion that my EP daemon should listen to very few processes: those processes that can read/write files on USB media, and do it by user request or under user control. When KAUTH was not deprecated, I did it right in the kernel extension: if the vnode path is NOT on a removable drive, return DEFER at the beginning of the callback. My question is: What processes are pure system? What system processes can read/write files for the user or under user control? Can, for example, /usr/libexec/nsurlsessiond download a file for the user to the USB media?
Post not yet marked as solved
11 Replies
5.7k Views
I am seeing this error when I am trying to install my network extension:

    _macvnodechecksignature: /Applications/abc.app/Contents/MacOS/abc: code signature validation failed fatally: When validating /Applications/abc.app/Contents/MacOS/abc:   Code has restricted entitlements, but the validation of its code signature failed. Unsatisfied Entitlements:__

I have set the right entitlements as far as I know. Is this error about entitlements or the signature? That is not obvious from the message. This is seen on Catalina 10.15.6. The macOS Network extension is Developer ID signed. Still facing this error. Any idea what will fix this error?
Post not yet marked as solved
5 Replies
1.7k Views
Hi All, I am trying to do a small POC using network extension's content filter capability. It is just a simple application for listening to all inbound connections on a particular port. I am able to build the application using Xcode. Through the main application I am able to install the network extension as a system extension and I am able to view the installed extension in systemextensionctl list. The problem is that I am not able to do anything after that; I don't think the extension is actually running. I am not able to see any logs in system.log. A few logs were present from the device's log which indicate that the extension is running. The last logs were:

    Request to activate com.sample.xyz.NetworkExtension succeeded (0).
    Adding event subscription 930 for provider com.sample.xyz.NetworkExtension with extension point com.apple.networkextension.filter-data

I added some debug logs and none of them were printed. I have all entitlements in my provisioning profile and if there was any code signing issue I guess it would have been present in system.log (at least I assume). Thanks in advance.
Post not yet marked as solved
3 Replies
1.5k Views
I am working on an OpenVPN application for macOS. I use openVPNAdapter to do this. The version for the Mac App Store with an appex works well. But we need a Developer ID signed version. To do this I created an NE system extension (the appex was removed from the project), changed packet-tunnel-provider to packet-tunnel-provider-systemextension, and reused the same PacketTunnelProvider code and the same openVPNAdapter (the framework was embedded into the extension). I run the system extension via OSSystemExtensionRequest (copied logic from the SimpleFirewall Apple example), make a build, and notarize it. When I run the app, I see that the SystemExtension is running (Activity Monitor), PacketTunnelProvider successfully connects to the VPN server (logs and “connected” status in the macOS System Preferences), but traffic is locked. I can’t open any websites. First I thought that the problem was with DNS, but I can't open any sites via IP either. So I think macOS locks socket traffic. Maybe somebody has had such an issue and knows how to resolve it. macOS: 11.4
Post not yet marked as solved
1 Replies
973 Views
Hello, I keep getting a failure when trying to install an app from Samsung DeX. The report says to "disconnect your phone to install" but NO phone is connected. I tried various command lines and numerous troubleshooting steps to reset and refresh some KEXTs but the issue still exists. Here is the install.log below. What could be the workaround for this bug? How to reset and proceed with installation? Thank you

    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: @(#)PROGRAM:Install  PROJECT:Install-1000
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: @(#)PROGRAM:Installer  PROJECT:Installer-1020
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Hardware: iMac18,2 @ 3.00 GHz (x 4), 32768 MB RAM
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Running OS Build: macOS 11.4 (20F71)
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: USER=KP
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: __CFBundleIdentifier=com.apple.installer
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: COMMAND_MODE=unix2003
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: LOGNAME=KP
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: PATH=/usr/bin:/bin:/usr/sbin:/sbin
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.LsIZhGSQv0/Listeners
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: SHELL=/bin/zsh
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: HOME=/Users/KP
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: __CF_USER_TEXT_ENCODING=0x1F5:0x0:0x0
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: TMPDIR=/var/folders/d_/hqzchb455m9ct55v66n3n2_w0000gn/T/
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: XPC_SERVICE_NAME=application.com.apple.installer.1152921500312163432.1152921500312163437
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: XPC_FLAGS=0x0
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Samsung DeX  Installation Log
    2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Opened from: /Volumes/Samsung DeX/Install Samsung DeX.pkg
    2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Package Authoring Error: <background_scaling> has an unsupported MIME type: X-NSObject/NSNumber
    2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Package Authoring Error: <background_alignment> has an unsupported MIME type: X-NSObject/NSNumber
    2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Package Authoring Error: has an unsupported MIME type: X-NSObject/NSNumber
    2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Failed to load specified background image
    2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Product archive /Volumes/Samsung DeX/Install Samsung DeX.pkg trustLevel=350
    2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: External component packages (2) trustLevel=350
    2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Could not load resource readme: (null)
    2021-07-08 19:33:16-04 KPs-iMac Installer[9137]: Installation checks failed.
    2021-07-08 19:33:16-04 KPs-iMac Installer[9137]: Installation check failure.  . Disconnect your phone to install..
Post marked as solved
5 Replies
924 Views
In another question on this forum (https://developer.apple.com/forums/thread/124775) eskimo stated that launching a system extension from a daemon is not the right approach and that the OSSystemExtensionRequest.activationRequest API should be called from an App. My question is, does this same restriction apply to an App started by a LaunchAgent? If so, to ensure activation as soon as possible, is the only option to use an SMLoginItemSetEnabled helper to start the App on login?
Post marked as Apple Recommended
6.5k Views
I built an app which hosts a CMIOExtension. The app works, and it can activate the extension. The extension loads in e.g. Photo Booth and shows the expected video (a white horizontal line which moves down the picture). I have a couple of questions about this though.

The sample Camera Extension is built with a CMIOExtension dictionary with just one entry, CMIOExtensionMachServiceName, which is $(TeamIdentifierPrefix)$(PRODUCT_BUNDLE_IDENTIFIER). This Mach service name won't work though. When attempting to activate the extension, sysextd says that the extensions has an invalid mach service name or is not signed, the value must be prefixed with one of the App Groups in the entitlement. So in order to get the sample extension to activate from my app, I have to change its CMIOExtensionMachServiceName to <my team ID>.com.mycompany.my-app-group.<myextensionname>. Is this to be expected?

The template CMIOExtension generates its own video using a timer. My app is intended to capture video from a source, filter that video, then feed it to the CMIOExtension, somehow. The template creates an app group called "$(TeamIdentifierPrefix)com.example.app-group", which suggests that it might be possible to use XPC to send frames from the app to the extension. However, I've been unable to do so. I've used

    NSXPCConnection * connection = [[NSXPCConnection alloc] initWithMachServiceName:

using the CMIOExtensionMachServiceName with no options and with the NSXPCConnectionPrivileged option. I've tried

    NSXPCConnection * connection = [[NSXPCConnection alloc] initWithServiceName:

using the extension's bundle identifier. In all cases when I send the first message I get an error in the remote object proxy's handler:

    Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named <whatever name I try> was invalidated: failed at lookup with error 3 - No such process."

According to the "Daemons and Services Programming Guide" an XPC service should have a CFBundlePackageType of XPC!, but a CMIOExtension is of type SYSX. It can't be both. Does the CMIOExtension loading apparatus cook up a synthetic name for the XPC service, and if so, what is it? If none, how is one expected to get pixel buffers into the camera extension?
Post not yet marked as solved
7 Replies
1.9k Views
Hi! I'm trying to move from CoreMedia I/O DAL Plug-In to CoreMedia I/O camera extensions, announced in macOS 12.3. I created a test extension, placed it inside my app bundle into Contents/Library/SystemExtensions and signed it with a code signing certificate. But when I try to install my extension from inside my app, using this code (Swift):

    func requestActivation() {
        guard case .idle = status else {
            fatalError("Invalid state")
        }
        print("Requesting activation of extension \"\(extensionIdentifier)\"")
        let req = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: extensionIdentifier, queue: DispatchQueue.main)
        req.delegate = self
        OSSystemExtensionManager.shared.submitRequest(req)
        status = .requested
    }

I'm getting an error:

    OSSystemExtensionErrorDomain error 8: Code Signature Invalid

which is rather generic. Can anybody tell me what I am doing wrong? Or at least propose some steps to find it out? I'm posting here entitlements and codesign output for my extension and containing application for further information.

    kdg@admins-Mac-mini SystemExtensions % codesign -d --entitlements - ./com.visicom.VirtualCamera.avextension.systemextension
    Executable=/Applications/VirtualCamera.app/Contents/Library/SystemExtensions/com.visicom.VirtualCamera.avextension.systemextension/Contents/MacOS/com.visicom.VirtualCamera.avextension
    [Dict]
        [Key] com.apple.security.app-sandbox
        [Value]
            [Bool] true
        [Key] com.apple.security.application-groups
        [Value]
            [Array]
                [String] 6SUWV7QQBJ.com.visicom.VirtualCamera

    kdg@admins-Mac-mini /Applications % codesign -d --entitlements - ./VirtualCamera.app
    Executable=/Applications/VirtualCamera.app/Contents/MacOS/VirtualCamera
    [Dict]
        [Key] com.apple.developer.system-extension.install
        [Value]
            [Bool] true
        [Key] com.apple.security.app-sandbox
        [Value]
            [Bool] true
        [Key] com.apple.security.application-groups
        [Value]
            [Array]
                [String] 6SUWV7QQBJ.com.visicom.VirtualCamera
        [Key] com.apple.security.files.user-selected.read-only
        [Value]
            [Bool] true

    kdg@admins-Mac-mini SystemExtensions % codesign -dvvv ./com.visicom.VirtualCamera.avextension.systemextension
    Executable=/Applications/VirtualCamera.app/Contents/Library/SystemExtensions/com.visicom.VirtualCamera.avextension.systemextension/Contents/MacOS/com.visicom.VirtualCamera.avextension
    Identifier=com.visicom.VirtualCamera.avextension
    Format=bundle with Mach-O universal (x86_64 arm64)
    CodeDirectory v=20500 size=1553 flags=0x10700(hard,kill,expires,runtime) hashes=37+7 location=embedded
    Hash type=sha256 size=32
    CandidateCDHash sha256=25bd80657bfd6e0ab95467146c7b532817e9e520
    CandidateCDHashFull sha256=25bd80657bfd6e0ab95467146c7b532817e9e5209fd50b0cb7ceef40dcfb40e8
    Hash choices=sha256
    CMSDigest=25bd80657bfd6e0ab95467146c7b532817e9e5209fd50b0cb7ceef40dcfb40e8
    CMSDigestType=2
    CDHash=25bd80657bfd6e0ab95467146c7b532817e9e520
    Signature size=9006
    Authority=Developer ID Application: Visicom Media Inc. (6SUWV7QQBJ)
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Timestamp=7 Jul 2022, 21:49:32
    Info.plist entries=23
    TeamIdentifier=6SUWV7QQBJ
    Runtime Version=12.3.0
    Sealed Resources version=2 rules=13 files=0
    Internal requirements count=1 size=200

    kdg@admins-Mac-mini /Applications % codesign -dvvv ./VirtualCamera.app
    Executable=/Applications/VirtualCamera.app/Contents/MacOS/VirtualCamera
    Identifier=com.visicom.VirtualCamera
    Format=app bundle with Mach-O universal (x86_64 arm64)
    CodeDirectory v=20500 size=1989 flags=0x10700(hard,kill,expires,runtime) hashes=51+7 location=embedded
    Hash type=sha256 size=32
    CandidateCDHash sha256=31e15fbbd436a67a20c5b58c597d8a4796a67720
    CandidateCDHashFull sha256=31e15fbbd436a67a20c5b58c597d8a4796a6772020308fb69f4ee80b4e32788b
    Hash choices=sha256
    CMSDigest=31e15fbbd436a67a20c5b58c597d8a4796a6772020308fb69f4ee80b4e32788b
    CMSDigestType=2
    CDHash=31e15fbbd436a67a20c5b58c597d8a4796a67720
    Signature size=9006
    Authority=Developer ID Application: Visicom Media Inc. (6SUWV7QQBJ)
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Timestamp=7 Jul 2022, 21:58:09
    Info.plist entries=20
    TeamIdentifier=6SUWV7QQBJ
    Runtime Version=12.3.0
    Sealed Resources version=2 rules=13 files=4
    Internal requirements count=1 size=188

Thanks in advance!
Post not yet marked as solved
4 Replies
2.0k Views
My application installs a system extension. When I try to remove the app from the Applications folder (cmd + backspace) I get an error message: "The operation can’t be completed right now because another operation is in progress, such as moving or copying an item or emptying the Bin." According to systemextensionsctl the extension state is "terminating for uninstall but still running". I can see an error in the console logs:

    kernelmanagerd Failed to terminate dext com.my.driver-dk, error: Kernel request failed: (os/kern) invalid address (1)
    sysextd a category delegate declined to terminate extension with identifier: com.my.driver-dk
    sysextd failed to terminate extension with identifier: com.my.driver-dk: Optional(Error Domain=kernelmanagerd.KMError Code=38 "(null)")

Issue occurs with macOS 13 - works fine with macOS 12 and macOS 11. What is the problem here? Have there been any changes in macOS in that regard?
Post marked as solved
5 Replies
1.2k Views
I need to store auth keys somewhere; previously the app network extension would store them in a shared keychain. Now we're trying to move to system extensions, for out of appstore distribution, and the shared keychain will no longer work. Is it possible to write to the system keychain from a system extension? If yes, how do I specify that I want to use the system keychain? Our current code returns errSecNotAvailable if run in a System Extension instead of an App Extension. The code looks like this. If uncommented, it will work from the App Extension.

    NSString *teamID = [[[NSBundle mainBundle] infoDictionary] objectForKey:@"Development Team"];
    NSString *groupID = [[[NSBundle mainBundle] infoDictionary] objectForKey:@"App Group ID"];
    NSMutableDictionary *query = [NSMutableDictionary dictionaryWithDictionary:@{
        (id)kSecClass: (id)kSecClassGenericPassword,
    //    (id)kSecAttrAccessGroup: [NSString stringWithFormat:@"%@.%@", teamID, groupID],
        (id)kSecAttrService: groupID,
    //    (id)kSecAttrAccessible: (id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    }];
    [query setObject:(id)kCFBooleanTrue forKey:(id)kSecUseDataProtectionKeychain];
    [query setObject:@(key) forKey:(id)kSecAttrAccount];
    [query setObject:[NSData dataWithBytes:buffer length:length] forKey:(id)kSecValueData];
    SecItemAdd(cfQuery, NULL);
Post not yet marked as solved
6 Replies
1.4k Views
Hello! After submitting two OSSystemExtensionRequest (let's say Endpoint and Network extensions), when the user allows only one (endpoint) extension, we receive the request: didFinishWithResult callback for both manager delegates. This leads us to falsely believe that both our extensions are allowed.

We tried to prevent this by using propertiesRequestForExtension where our (network) delegate will ask for properties, check if the given extension is enabled and then finish if it's ok. If it's not enabled, however, we receive no second callback when the user allows the other extension.

We thought that we would need to submit another OSSystemExtensionRequest for the extension that wasn't allowed to receive a callback when it finally is. However, the second and all other consecutive requests immediately finish and we receive request: didFinishWithResult even when the user does not allow the second extension.

Example:

- Endpoint and Network managers submit OSSystemExtensionRequest
- User only allows Endpoint extension
- Endpoint manager checks the properties, finds out it's enabled and finishes
- Network manager checks the properties, finds out it's disabled
- Network manager sends another OSSystemExtensionRequest
- Network manager immediately receives request: didFinishWithResult
- Network manager checks the properties, finds out it's disabled
- ....

This loop ends when the user finally allows the network extension, when the manager finds out that it's enabled. Is there something we are missing? Shouldn't another OSSystemExtensionRequest finish with requestNeedsUserApproval? How should we go about this issue? Many thanks, Denis
Post not yet marked as solved
2 Replies
1.2k Views
Hi, I am experiencing the following crashes intermittently in a macOS network extension, sometimes after an hour or two or three. I don't see references to my project code anywhere, hence I am unable to understand these crashes. Anyone please point me in the right direction from here.

Crash Dumps Samples:

    Process: com.skyhighsecurity.epclient.networkextension [39224]
    Path: /Library/SystemExtensions/*/com.skyhighsecurity.epclient.networkextension
    Identifier: com.skyhighsecurity.epclient.networkextension
    Version: 1.0 (1)
    Code Type: ARM-64 (Native)
    Parent Process: launchd [1]
    User ID: 0
    Date/Time: 2023-03-20 13:46:51.6991 +0530
    OS Version: macOS 12.6.3 (21G419)
    Report Version: 12
    Anonymous UUID: 72617D4C-9E91-7141-D71D-9CB5BDADAA25
    Sleep/Wake UUID: B462FD28-68B4-4B46-84EB-D16E29760748
    Time Awake Since Boot: 32000 seconds
    Time Since Wake: 5 seconds
    System Integrity Protection: disabled
    Crashed Thread: 3 Dispatch queue: NEFilterExtensionProviderContext queue
    Exception Type: EXC_BREAKPOINT (SIGTRAP)
    Exception Codes: 0x0000000000000001, 0x0000000182e26104
    Exception Note: EXC_CORPSE_NOTIFY
    Termination Reason: Namespace SIGNAL, Code 5 Trace/BPT trap: 5
    Terminating Process: exc handler [39224]
    Application Specific Information:
    BUG IN CLIENT OF LIBPLATFORM: os_unfair_lock is corrupt
    Abort Cause 1949042982

    Thread 0:
    0 libsystem_kernel.dylib 0x182dd5d70 __sigsuspend_nocancel + 8
    1 libdispatch.dylib 0x182c5b5e0 _dispatch_sigsuspend + 48
    2 libdispatch.dylib 0x182c5b5b0 _dispatch_sig_thread + 60

    Thread 1:
    0 libsystem_pthread.dylib 0x182e07078 start_wqthread + 0

    Thread 2:
    0 libsystem_pthread.dylib 0x182e07078 start_wqthread + 0

    Thread 3 Crashed:: Dispatch queue: NEFilterExtensionProviderContext queue
    0 libsystem_platform.dylib 0x182e26104 _os_unfair_lock_corruption_abort + 88
    1 libsystem_platform.dylib 0x182e21184 _os_unfair_lock_lock_slow + 328
    2 libsystem_pthread.dylib 0x182e07640 pthread_mutex_destroy + 64
    3 Foundation 0x183d7ac18 -[_NSXPCConnectionClassCache dealloc] + 48
    4 libobjc.A.dylib 0x182cb7c58 objc_object::sidetable_release(bool, bool) + 260
    5 NetworkExtension 0x19148b798 -[NEFilterSocketFlow .cxx_destruct] + 40
    6 libobjc.A.dylib 0x182c9d8e4 object_cxxDestructFromClass(objc_object*, objc_class*) + 116
    7 libobjc.A.dylib 0x182c94b0c objc_destructInstance + 80
    8 libobjc.A.dylib 0x182c94ab8 _objc_rootDealloc + 80
    9 NetworkExtension 0x19148246c -[NEFilterDataExtensionProviderContext handleSocketSourceEventWithSocket:] + 132
    10 libdispatch.dylib 0x182c481b4 _dispatch_client_callout + 20
    11 libdispatch.dylib 0x182c4b670 _dispatch_continuation_pop + 500
    12 libdispatch.dylib 0x182c5e8e0 _dispatch_source_invoke + 1596
    13 libdispatch.dylib 0x182c4f784 _dispatch_lane_serial_drain + 376
    14 libdispatch.dylib 0x182c50404 _dispatch_lane_invoke + 392
    15 libdispatch.dylib 0x182c5ac98 _dispatch_workloop_worker_thread + 648
    16 libsystem_pthread.dylib 0x182e08360 _pthread_wqthread + 288
    17 libsystem_pthread.dylib 0x182e07080 start_wqthread + 8
Post not yet marked as solved
2 Replies
774 Views
My customer installed two different apps on his Mac machine. These two apps are using ContentFilter extensions. One of the apps is mine and the other app is from a different vendor. If my customer enables both ContentFilter extensions then he fails to connect immediately to its required destination to allow it to run. If one of the ContentFilter extensions is disabled then there is no issue. Is it not possible to run two different ContentFilter extensions on the same Mac machine? Is there any way to fix these types of issues? Thank You, Nagendra R
Post not yet marked as solved
3 Replies
480 Views
Perhaps this could be a repetitive or basic question, but I have implemented the following code of NEDNSProxyProvider. My basic requirement is I want to process the flow but instead of using data from datagrams I want to use data received from our custom DNS server. After tons of articles and documentation I'm able to write the following code. But it's failing continuously in writeDataGrams with "Invalid arguments data" and "The operation could not be completed because Flow not connected". I know something is wrong in processing the data but what is wrong I'm not able to figure out. Also I want to know, is it even possible to achieve this by using an API call inside the datagrams for loop and then sending data to writedatagrams? After getting JSONResponse I'm using a third party library to convert query form JSONData binary before sending it to writeDataGrams. https://github.com/Bouke/DNS

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        NSLog("DNSProxyProvider: handleFlow")
        var handled: Bool = false
        if #available(iOSApplicationExtension 14.2, *) {
            hostName = flow.remoteHostname!
        }
        if let udpFlow = flow as? NEAppProxyUDPFlow {
            udpFlow.open(withLocalEndpoint: udpFlow.localEndpoint as? NWHostEndpoint) { error in
                if error == nil {
                    self.flowOut(flow as! NEAppProxyUDPFlow)
                } else {
                    NSLog("Error in opening Flow")
                }
            }
            handled = true
        } else {
            handled = false
            NSLog("Unsupported Flow")
        }
        return handled
    }

    /* Read From flow, then write to remote endpoint. */
    private func flowOut(_ flow: NEAppProxyUDPFlow) {
        flow.readDatagrams(completionHandler: { (datagrams, endpoints, error) in
            self.proxyUDPFlow = flow
            if error != nil {
                NSLog("ERROR: 'readDatagramsWithCompletionHandler' failed with: \(String(describing: error?.localizedDescription))")
                return
            }
            if datagrams?.count == 0 {
                flow.closeReadWithError(error)
                flow.closeWriteWithError(error)
                return
            }
            guard let dataArray = datagrams else { return }
            if #available(iOSApplicationExtension 14.2, *) {
                for (index, data) in dataArray.enumerated() {
                    var hostEndPoint: NWHostEndpoint = endpoints?[index] as! NWHostEndpoint
                    hostEndPoint = NWHostEndpoint(hostname: hostEndPoint.hostname, port: hostEndPoint.port)
                    guard let hostname = flow.remoteHostname else { return }
                    let dNSRequest = self.configureDNSRequest(hostname)
                    let urlsession = URLSession.shared.dataTask(with: dNSRequest) { data, response, error in
                        if let data = data {
                            do {
                                let reply = try JSONDecoder().decode(JSONReply.self, from: data)
                                let requestQuery = Message(
                                    type: .response,
                                    questions: [
                                        Question(name: reply.questions[0].name, type: .pointer)
                                    ])
                                let requestData = try requestQuery.serialize()
                                self.flowIn(responsdata: requestData, flow, endpoint: hostEndPoint)
                            } catch let error {
                                print("error \(error)")
                            }
                        }
                    }
                    urlsession.resume()
                }
            }
        })
    }

    private func flowIn(responsdata: Data, _ flow: NEAppProxyUDPFlow, endpoint: NWHostEndpoint) {
        let resultData = Data(responsdata)
        flow.writeDatagrams([resultData], sentBy: [endpoint], completionHandler: { error in
            // Flow not connected
            if error != nil {
                os_log("Error in resolving query \(error)")
                self.logger.log("error => \(error)")
            } else {
                self.proxyUDPFlow?.closeReadWithError(error)
                self.proxyUDPFlow?.closeWriteWithError(error)
            }
        })
    }

    private func configureDNSRequest(_ hostName: String) -> URLRequest {
        var urlComponents = URLComponents()
        urlComponents.scheme = "https"
        urlComponents.host = "customserver.com"
        urlComponents.path = "/resolverquery"
        urlComponents.queryItems = [
            URLQueryItem(name: "name", value: hostName),
            URLQueryItem(name: "type", value: "A")
        ]
        // A guard body must not fall through, so trap instead of assert(false).
        guard let url = urlComponents.url else { fatalError("Invalid DNS request URL") }
        var request = URLRequest(url: url)
        request.httpMethod = "GET"
        request.setValue("xyzabcd", forHTTPHeaderField: "Client-ID")
        request.setValue("*/*", forHTTPHeaderField: "Accept")
        request.setValue("keep-alive", forHTTPHeaderField: "Connection")
        request.setValue("application/json", forHTTPHeaderField: "Content-Type")
        return request
    }
    }

    extension Data {
        func object<T>(at index: Index = 0) -> T {
            subdata(in: index..<self.index(index, offsetBy: MemoryLayout<T>.size))
                .withUnsafeBytes { $0.load(as: T.self) }
        }
    }
Post marked as solved
3 Replies
662 Views
I am trying to pause NEFilterFlow and then resume NEFilterFlow from the function handleInboundData:

    let goingToApply = someFunctionWithClosure { applied in
        if applied {
            let verdict: NEFilterNewFlowVerdict = .allow()
            self.resumeFlow(flow, with: verdict)
        }
    }
    if goingToApply == true {
        return .pause()
    }

The line self.resumeFlow(flow, with: verdict) is crashing with the following exception:

    terminating with uncaught exception of type NSException
    *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[NEFilterNewFlowVerdict passBytes]: unrecognized selector sent to instance 0x10b8662a0'

The crash dump shows the logs below:

    Thread 3 Crashed:: Dispatch queue: NEFilterExtensionProviderContext queue
    0 libsystem_kernel.dylib 0x1b7aa6d78 __pthread_kill + 8
    1 libsystem_pthread.dylib 0x1b7adbee0 pthread_kill + 288
    2 libsystem_c.dylib 0x1b7a16340 abort + 168
    3 libc++abi.dylib 0x1b7a96b18 abort_message + 132
    4 libc++abi.dylib 0x1b7a86a54 demangling_terminate_handler() + 336
    5 libobjc.A.dylib 0x1b797c320 _objc_terminate() + 144
    6 libc++abi.dylib 0x1b7a95eb4 std::__terminate(void (*)()) + 20
    7 libc++abi.dylib 0x1b7a95e50 std::terminate() + 64
    8 libdispatch.dylib 0x1b79181c8 _dispatch_client_callout + 40
    9 libdispatch.dylib 0x1b791f8a8 _dispatch_lane_serial_drain + 668
    10 libdispatch.dylib 0x1b7920404 _dispatch_lane_invoke + 392
    11 libdispatch.dylib 0x1b792ac98 _dispatch_workloop_worker_thread + 648
    12 libsystem_pthread.dylib 0x1b7ad8360 _pthread_wqthread + 288
    13 libsystem_pthread.dylib 0x1b7ad7080 start_wqthread + 8

Why is this exception occurring for the .allow() verdict only? For .drop() it is not crashing. Nowhere am I calling the passBytes method on NEFilterNewFlowVerdict.
Post not yet marked as solved
2 Replies
382 Views
Hi, when trying to activate a PacketTunnelProvider Network Extension in Xcode on macOS 13.3.1 (a) I get the following system logs:

    default 22:43:43.440691-0700 PacketTunnel Metal API Validation Enabled
    error 22:43:43.571295-0700 kernel Sandbox: PacketTunnel(46998) deny(1) mach-lookup com.apple.sysextd
    default 22:43:43.581295-0700 PacketTunnel ExtensionManager didFailWithError The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 1.)

Here is the Delegate I'm using:

    import Foundation
    import SystemExtensions
    import os.log

    class ExtensionManager : NSObject, OSSystemExtensionRequestDelegate {
        let identifier = "xx.xxxxxxx.PacketTunnel.PacketTunnelProvider"
        static let shared = ExtensionManager()
        static let log = OSLog(subsystem: "xx.xxxxxxx.PacketTunnel", category: "ExtensionManager")
        private let log: OSLog

        public override init() {
            self.log = Self.log
            os_log(.debug, log: self.log, "init")
            super.init()
        }

        func activate() {
            let activationRequest = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: identifier, queue: .main)
            activationRequest.delegate = self
            OSSystemExtensionManager.shared.submitRequest(activationRequest)
        }

        func deactivate() {
            let activationRequest = OSSystemExtensionRequest.deactivationRequest(forExtensionWithIdentifier: identifier, queue: .main)
            activationRequest.delegate = self
            OSSystemExtensionManager.shared.submitRequest(activationRequest)
        }

        func request(_ request: OSSystemExtensionRequest, actionForReplacingExtension existing: OSSystemExtensionProperties, withExtension replacement: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction {
            os_log("ExtensionManager actionForReplacingExtension %@ %@", existing, replacement)
            return .replace
        }

        func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
            os_log("ExtensionManager requestNeedsUserApproval")
        }

        func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result) {
            // rawValue is an integer, so it is logged with %ld rather than %@.
            os_log("ExtensionManager didFinishWithResult %ld", result.rawValue)
        }

        func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
            os_log("ExtensionManager didFailWithError %@", error.localizedDescription)
        }
    }

And I'm running it via a basic View:

    import SwiftUI

    let minWidth: CGFloat = 180
    let minHeight: CGFloat = 400

    struct ContentView: View {
        var body: some View {
            VStack {
                Button(action: ExtensionManager.shared.activate) { Text("Activate") }
                Button(action: ExtensionManager.shared.deactivate) { Text("Deactivate") }
                Button(action: TunnelConfigurationService.shared.configure) { Text("Configure") }
                Button(action: TunnelConfigurationService.shared.start) { Text("Start") }
            }
            .padding()
            .frame(minWidth: minWidth, maxWidth: .infinity, minHeight: minHeight, maxHeight: .infinity)
        }
    }

    struct ContentView_Previews: PreviewProvider {
        static var previews: some View {
            ContentView()
        }
    }

Any ideas how to debug this further? I'm not sure how to proceed. Cheers
Post marked as solved
1 Replies
855 Views
Before: We had an app with app extension. Both had user privilege. Both wrote file logs to FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: groupID) - /Users/myuser/Library/Group Containers/mygroupid/

Now: We have to change app extension to system extension. Our previous logging approach broke, because system extension has root context. Result of FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: groupID) for system extension is /private/var/root/Library/Group Containers/mygroupid/. They do not have privilege to write to each other's folder. We can open logs folder for the user, but now the app does not have privilege to open Finder window for root logs folder. Ideally we would write file in a single folder.

Question: Please suggest where to write logs from user and root process. Maybe there is a different approach on how to store a few days worth of logs and being able to upload them to our backend, or display them to the user, upon request.
Post marked as solved
1 Replies
758 Views
What is the difference between AppProxyProvider and TransparentProxyProvider? I can see in documentation that NETransparentProxyProvider is derived from NEAppProxyProvider, but what was the need to add a new proxyprovider (NETransparentProxyProvider) when we already had NEAppProxyProvider?