How to sign a Personal VPN app for OS X

My app works great on my machine, but when archiving and running on another Mac, I see the following in the log.


May 17 15:37:47 ERIKPE-M-X2VV taskgated[665]: no application identifier provided, can't use provisioning profiles [pid=9579]


May 17 15:37:47 ERIKPE-M-X2VV taskgated[665]: killed com.cisco.UmbrellaDevProfileTest[pid 9579] because its use of the com.apple.developer.networking.vpn.api entitlement is not allowed (error code -67050)


May 17 15:37:47 ERIKPE-M-X2VV com.apple.xpc.launchd[1] (com.cisco.UmbrellaDevProfileTest.217312[9579]): Binary is improperly signed.


I am thinking of using codesign with an --entitlement.


Note: I am not using NEPacketTunnelProvider
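The three log lines in the post above share a pid, so they can be correlated to show which entitlement taskgated rejected and whether launchd then refused the binary. This is an added example, not part of the original thread; the helper name `triage` and the regular expressions are assumptions inferred only from the line formats shown here.

```python
import re
from collections import defaultdict

# Log lines copied from the first post of this thread.
SAMPLE_LOG = """\
May 17 15:37:47 ERIKPE-M-X2VV taskgated[665]: no application identifier provided, can't use provisioning profiles [pid=9579]
May 17 15:37:47 ERIKPE-M-X2VV taskgated[665]: killed com.cisco.UmbrellaDevProfileTest[pid 9579] because its use of the com.apple.developer.networking.vpn.api entitlement is not allowed (error code -67050)
May 17 15:37:47 ERIKPE-M-X2VV com.apple.xpc.launchd[1] (com.cisco.UmbrellaDevProfileTest.217312[9579]): Binary is improperly signed.
"""

# Patterns are assumptions inferred from the three line formats above.
NO_APP_ID = re.compile(
    r"taskgated\[\d+\]: no application identifier provided.*\[pid=(\d+)\]")
KILLED = re.compile(
    r"taskgated\[\d+\]: killed (\S+)\[pid (\d+)\] because its use of the "
    r"(\S+) entitlement is not allowed \(error code (-?\d+)\)")
LAUNCHD = re.compile(
    r"launchd\[\d+\] \(\S+\[(\d+)\]\): Binary is improperly signed")


def triage(log_text):
    """Group signing-related failures by pid (hypothetical helper)."""
    findings = defaultdict(lambda: {
        "identifier": None, "entitlement": None, "error_code": None,
        "missing_app_id": False, "launchd_rejected": False})
    for line in log_text.splitlines():
        if m := NO_APP_ID.search(line):
            findings[m.group(1)]["missing_app_id"] = True
        elif m := KILLED.search(line):
            ident, pid, entitlement, code = m.groups()
            findings[pid].update(identifier=ident, entitlement=entitlement,
                                 error_code=int(code))
        elif m := LAUNCHD.search(line):
            findings[m.group(1)]["launchd_rejected"] = True
    return dict(findings)


if __name__ == "__main__":
    for pid, f in triage(SAMPLE_LOG).items():
        print(f"pid {pid}: {f['identifier']} killed over {f['entitlement']} "
              f"(error {f['error_code']}), "
              f"missing app identifier: {f['missing_app_id']}, "
              f"rejected by launchd: {f['launchd_rejected']}")
```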

Check out this post and my second post later in that thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


I'd like to distribute my Personal VPN app using Developer ID signature (not via the Mac App Store). Do I need to ship/include a provisioning profile? What kind of provisioning profile would I need? When creating a distribution provisioning profile, it looks like it is only for the App Store? The development profile looks like it is for test devices only?


I am trying to sign my app like this:


codesign -f -s "Developer ID Application: OpenDNS" UmbrellaDevProfileTest.app/Contents/MacOS/UmbrellaDevProfileTest


It looks like it is running, but then it cannot save a profile.


I see this:


Save error: Error Domain=NEVPNErrorDomain Code=5 "permission denied" UserInfo={NSLocalizedDescription=permission denied}


I don't have this error when running from Xcode or running the app produced under the Products directory. I feel like I am very close, but not there yet :-)


Any more clues would be appreciated


Thanks!

> I'd like to distribute my Personal VPN app using Developer ID signature (not via the Mac App Store).

That’s not possible. NEVPNManager is only available to Mac App Store apps.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I was looking at this


https://developer.apple.com/library/tvos/documentation/IDEs/Conceptual/AppDistributionGuide/SupportedCapabilities/SupportedCapabilities.html#//apple_ref/doc/uid/TP40012582-CH38



I guess I was confused because Personal VPN has the following indication for Mac

"Requires an Apple ID associated with an Apple Developer Program membership. For Mac apps, the signing identity must be Mac App Store or Developer ID."


Does use of "Developer ID" imply the ability to distribute outside of the Mac App Store?

> I guess I was confused because Personal VPN has the following indication for Mac …

To clarify, in that table you can see two columns, Mac and Mac Developer ID, and the fact that the Personal VPN entry for Mac Developer ID is blank is what tells you that this is not possible.

I agree that the text you quoted is misleading; please do file a bug against, and post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hello Eskimo,


Thanks for this insight! I have submitted bug 26579590.


My application simply needs to set up a VPN tunnel to our services. It does not even need to be "Per App Style". I've been looking for alternative mechanisms. Previously the approach was to modify /Library/Preferences/SystemConfiguration/preferences.plist directly and use networksetup to connect / disconnect. I know it is not encouraged to modify preferences.plist directly. The main reason this was considered unacceptable for us was the constant Pop messages to the user when the tunnel went up and down. Is there a way to shut down these notifications for a particular service? I notice using the NEVPNManager, it plays well with other VPNs so it is not a problem. I noticed using NEVPNManager modifies com.apple.networkextension.plist. Could this be used?


Perhaps using Configuration Profiles is the way to go? Is there a recommended way to install programmatically?


Is System Configuration Framework still supported? I could not find the MoreSCF example.


Thanks as always for your help! What time zone are you in?


kind regards,

~erik

Accepted Answer

First up, I’m only able to help with supported techniques, so no monkeying around with preferences files directly. However, it’s useful to understand these preferences files because they impact on how the API is structured. Specifically, `/Library/Preferences/SystemConfiguration/preferences.plist` is fronted by the SCPreferences API; almost everything in that file can be changed in a supported way via that API. OTOH, `/Library/Preferences/com.apple.networkextension.plist` and its friends are less accessible. To understand this, you have to understand a little bit about the history of System Configuration framework.

Way back in the day, at the dawn of Mac OS X, when dial-up networking was still a thing, there was only `preferences.plist`. You could create dial-up interfaces using SCPreferences and control them using SCNetworkConnection. Life was good.

Eventually things got more complex. First, VPN was introduced, piggybacking on the dial-up infrastructure (which makes sense when you think about early VPNs, like PPTP). Second, both dial-up and VPN got the notion of sub-configurations that were independent of the interface configuration. These were modelled outside of the SCPreferences world partly because, at least in the VPN space, such configurations are both complex and interface-specific.

Historically there’s been no API-level access to these VPN configurations. It was still possible to set up VPN via SCPreferences and control it via SCNetworkConnection, but it wasn’t much fun and you definitely couldn’t get to all the features.

Network Extension framework represents the ultimate solution to this. It’s not what folks really want (which is an API that gives them total control) but it is what we can give you given the direction our platforms are moving (with sandboxing, privacy concerns, and so on). Unless we change direction here your options are:

  • play in the Network Extension sandbox, which is where all the new cool stuff is being added

  • try to get things limping along with all the old stuff

I know which approach I’d take (-:

> Perhaps using Configuration Profiles is the way to go?

Possibly. Profiles work best in a managed environment, so it kinda depends on the context. And you haven’t really explained much of your context. Why are you distributing via Developer ID?

> Is there a recommended way to install programmatically?

No. You can install a profile using `profiles`, but I’d hardly call that recommended.

> Is System Configuration Framework still supported?

Yes.

> I could not find the MoreSCF example.

The sample has been retired because its primary focus was setting up the network, and it uses the low-level SCPreferences API to do that. With the introduction of `<SystemConfiguration/SCNetworkConfiguration.h>` in 10.4, that approach was no longer recommended. And, alas, I’ve never had time to update the sample.

> What time zone are you in?

GMT+1 (although I’ll be GMT+7 next week and the week after).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 13 Jun through to Fri, 17 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face. http://developer.apple.com/wwdc/
