Content Filter Simple Firewall is not running by signing Provisional certificate

Question

Created Sep ’20

Replies 3

Boosts 0

Participants 3

Hi,

I have took Content Filter Simple Firewall example from Apple site and modified as per my requirement and I able to compile & run with my developer id account.

Here I had signing settings as below at Build Settings:

Code Signing Identity -> Apple Developer
Development Team -> <My Team ID>
Provisional Profile -> Automatic

Now I want to change the signing procedure with help of new provisional certificate without developer account.

For this, We have created & downloaded provisional certificate and I have modified as below at Build Settings:

Code Signing Identity -> Placed Empty value
Development Team -> Placed Empty value
Provisional Profile -> Automatic

And we are running a script as below for code signing from Build Phases section.

Code Block cp "$PROJECT_DIR/install/MacDistribution_NetworkExtension.provisionprofile" "$TARGET_BUILD_DIR/$WRAPPER_NAME/Contents/embedded.provisionprofile"
touch "$TARGET_BUILD_DIR/$WRAPPER_NAME"
codesign -vfs "Developer ID Application: Test, Inc. (ABCDEFGH)" --entitlements "$PROJECT_DIR/install/dgnetopsfilter.plist" --timestamp "$TARGET_BUILD_DIR/$WRAPPER_NAME"

My application å extension is compiled But my app is not asking for permissions for registration and my network extension is not running.

How to compile and run Content Filter Simple Firewall with provisional certificate? Please help me.

I have a doubt, Is Code Signing with Apple Development mandatory to run Content Filters?

Boost

Answer 1

Systems Engineer OP

Apple

Sep ’20

Now I want to change the signing procedure with help of new provisional certificate without developer account.

How to compile and run Content Filter Simple Firewall with provisional certificate? Please help me.

I have a doubt, Is Code Signing with Apple Development mandatory to run Content Filters?

A few things to check:

1) If you are using a brand new certificate and provisioning profile for your signing script, first verify that these assets work in the automatic process in Xcode first.

2) When signing with Developer ID, make sure that the provisioning profile entitlements match the container app entitlements for the Network System Extensions. When signing with Developer ID -systemextension is added to each of the entitlements for the network extension with the Developer ID associated provisioning profile, for example (content-filter-provider-systemextension). If this is not there in the container app, add the same to your entitlements file and retry on a fresh VM.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0

Answer 2

nrednam OP

Sep ’20

It is working with the automatic process in Xcode. Any other steps to verify through script? Please help.

0

Answer 3

Systems Engineer OP

Apple

Oct ’20

It is working with the automatic process in Xcode. Any other steps to verify through script? Please help.

codesign -vfs "Developer ID Application: Test, Inc. (ABCDEFGH)"

For automatic signing, this will work. However that author is using Developer Id to sign the Content Filter and this does require manual signing. In Xcode when manual signing is setup is where this issue presents itself. Please verify the entitlements for the manually signing process.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0