App Not starting: Termination Reason: Namespace CODESIGNING, Code 0x1

Hi,
I am writing a "Network Extension" (NEPacketTunnelProvider) app for macos. I am using "Developer ID" signing for my Macos app. But it crashes after I start it on my mac. I have already gone through the notarization.

Thanks



Time Awake Since Boot: 13000 seconds
Time Since Wake: 11000 seconds

System Integrity Protection: enabled

Crashed Thread: 0

Exception Type: EXCCRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC
CORPSENOTIFY

Termination Reason: Namespace CODESIGNING, Code 0x1

kernel messages:

VM Regions Near 0 (cr2):
  • ->

TEXT 0000000104aaa000-0000000104b32000 [ 544K] r-x/r-x SM=COW

Thread 0 Crashed:
0 @Z 0x000000010ddb9000
dyld_start + 0

Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000000000000 rcx: 0x0000000000000000 rdx: 0x0000000000000000
rdi: 0x0000000000000000 rsi: 0x0000000000000000 rbp: 0x0000000000000000 rsp: 0x00007ffeeb155b70
r8: 0x0000000000000000 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000000
r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000000 r15: 0x0000000000000000
rip: 0x000000010ddb9000 rfl: 0x0000000000000200 cr2: 0x0000000000000000

Logical CPU: 0
Error Code: 0x00000000
Trap Number: 0

Answered by DTS Engineer in 642319022
Crashing like this usually indicates an entitlement problem, that is, your code was signed with some entitlements that are not in the allowlist in your provisioning profile. You should dump these two things and check that every entitlement you use is either allowed universally (things like com.apple.security.app-sandbox) or is in your profile’s allowlist:

Code Block
% codesign -d --entitlements :- MyContainerApp.app/Contents/Library/SystemExtensions/com.example.MyPacketTunnelProvider.systemextension
% security cms -D -i MyContainerApp.app/Contents/Library/SystemExtensions/comcom.example.MyPacketTunnelProvider.systemextension/Contents/embedded.provisionprofile


IMPORTANT When you distribute via Developer ID your NE provider must be a sysex rather than an appex. That means you must use the -systemextension variants of the Network Extension entitlement.

ps You can use triple backticks to format text as a code block, which makes it much easier to read.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Accepted Answer
Crashing like this usually indicates an entitlement problem, that is, your code was signed with some entitlements that are not in the allowlist in your provisioning profile. You should dump these two things and check that every entitlement you use is either allowed universally (things like com.apple.security.app-sandbox) or is in your profile’s allowlist:

Code Block
% codesign -d --entitlements :- MyContainerApp.app/Contents/Library/SystemExtensions/com.example.MyPacketTunnelProvider.systemextension
% security cms -D -i MyContainerApp.app/Contents/Library/SystemExtensions/comcom.example.MyPacketTunnelProvider.systemextension/Contents/embedded.provisionprofile


IMPORTANT When you distribute via Developer ID your NE provider must be a sysex rather than an appex. That means you must use the -systemextension variants of the Network Extension entitlement.

ps You can use triple backticks to format text as a code block, which makes it much easier to read.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Could you please share a link to a list of all universally allowed entitlements for macOS application.

AFAIK there is no official documentation about that (r. 69883803). As someone who supports Mac code signing I can tell you that this is an ongoing source of frustration )-: You can find my latest thinking on this topic in the Entitlements on the Mac section of What exactly is a provisioning profile?.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Please share if there are any other threads in this codesign series

If you go to my profile and select the Questions tab, you’ll find links to all my locked posts, most of which are related to code signing and other low-level stuff.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

App Not starting: Termination Reason: Namespace CODESIGNING, Code 0x1
 
 
Q