Code signature validation failed fatally

Seeing this error when I am trying to install my network extension:

mac_vnode_check_signature: /Applications/PetraNat.app/Contents/MacOS/PetraNat: code signature validation failed fatally: When validating /Applications/PetraNat.app/Contents/MacOS/PetraNat:
  Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
 
It was installed normally in the build environment.
On a Mac PC other than the build environment, the above error message occurs and the installation fails.

I saw the comments you left on the Apple Developer Forum.

$ codesign -d --entitlements :- /Applications/PetraNat.app
<dict>
<key>com.apple.application-identifier</key>
<string>VAAXCYD42V.com.Sinsiway.PetraNat</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-proxy-provider</string>
</array>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string>VAAXCYD42V</string>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>VAAXCYD42V.com.Sinsiway.PetraNat</string>
</array>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>com.apple.security.get-task-allow</key>
<true/>
<key>com.apple.security.temporary-exception.files.absolute-path.read-only</key>
<string>/</string>
<key>com.apple.security.temporary-exception.mach-lookup.global-name</key>
<array>
<string>com.apple.testmanagerd</string>
<string>com.apple.coresymbolicationd</string>
</array>
</dict>
 
$ security cms -D -i /Applications/PetraNat.app/Contents/embedded.provisionprofile
<key>Entitlements</key>
<dict>

<key>com.apple.developer.system-extension.install</key>
<true/>

<key>com.apple.application-identifier</key>
<string>VAAXCYD42V.com.Sinsiway.PetraNat</string>

<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-proxy-provider</string>
<string>content-filter-provider</string>
<string>packet-tunnel-provider</string>
<string>dns-proxy</string>
<string>dns-settings</string>
</array>

<key>keychain-access-groups</key>
<array>
<string>VAAXCYD42V.*</string>
</array>

<key>com.apple.developer.team-identifier</key>
<string>VAAXCYD42V</string>

</dict>
 

Do I need to change app-proxy-provider to app-proxy-provider-systemextension in order to install it on another PC?

Thanks,

Do I need to change app-proxy-provider to
app-proxy-provider-systemextension in order to install it on another
PC?

It depends on how you’re signing your app. You have three choices here:
  • If you’re distributing via the Mac App Store, you can stick with app-proxy-provider. In that case you’d sign your app with a Distribution signing identity and upload it to the store. Other users will then be able to download your app from the store and use it.

  • If you’re distributing independently, you will need to sign your app with a Developer ID signing identity. That, in turn, requires a switch to app-proxy-provider-systemextension. And that requires that you package your provider as a system extension rather than an app extension (which it sounds like you’re already doing but, if not, that’s a substantial change).

  • If you just want to distribute your app to a few other users for testing purposes, you can stick with Development signing and add the other user’s Mac’s UUIDs to your provisioning profile.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
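
An added example, not part of either post and not Apple's validation logic: a simplified Python model of the checks the reply implies, run over data trimmed from the two dumps in the question. The names `covers` and `check`, the placeholder device IDs, and the rule that `com.apple.security.*` keys need no profile authorisation on macOS are assumptions of this sketch.

```python
import plistlib
from fnmatch import fnmatchcase

# Constructed profile, trimmed from the `security cms -D` dump in the question.
# ProvisionedDevices is added with a placeholder ID (the dump does not show it).
PROFILE = plistlib.loads(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>ProvisionedDevices</key><array><string>BUILD-MAC-ID-PLACEHOLDER</string></array>
<key>Entitlements</key><dict>
<key>com.apple.developer.system-extension.install</key><true/>
<key>com.apple.application-identifier</key><string>VAAXCYD42V.com.Sinsiway.PetraNat</string>
<key>com.apple.developer.networking.networkextension</key>
<array><string>app-proxy-provider</string><string>dns-proxy</string></array>
<key>com.apple.developer.team-identifier</key><string>VAAXCYD42V</string>
</dict></dict></plist>""")

# Signed entitlements, trimmed from the `codesign -d --entitlements` dump.
SIGNED = {
    "com.apple.application-identifier": "VAAXCYD42V.com.Sinsiway.PetraNat",
    "com.apple.developer.networking.networkextension": ["app-proxy-provider"],
    "com.apple.developer.system-extension.install": True,
    "com.apple.developer.team-identifier": "VAAXCYD42V",
    "com.apple.security.app-sandbox": True,
}

def covers(allowed, claimed):
    """True if a profile value authorises a signed value ('*' is a wildcard)."""
    if isinstance(claimed, list):
        return all(covers(allowed, c) for c in claimed)
    if isinstance(allowed, list):
        return any(covers(a, claimed) for a in allowed)
    if isinstance(claimed, str) and isinstance(allowed, str):
        return fnmatchcase(claimed, allowed)
    return claimed == allowed

def check(signed, profile, device_id, developer_id=False):
    problems, granted = [], profile.get("Entitlements", {})
    for key, value in signed.items():
        if key.startswith("com.apple.security."):  # assumption: not profile-gated
            continue
        if key not in granted or not covers(granted[key], value):
            problems.append(f"unsatisfied entitlement: {key}")
    devices = profile.get("ProvisionedDevices", [])
    if not profile.get("ProvisionsAllDevices") and device_id not in devices:
        problems.append("device not in ProvisionedDevices")
    ne = signed.get("com.apple.developer.networking.networkextension", [])
    if developer_id and "app-proxy-provider" in ne:  # rule stated in the reply
        problems.append("Developer ID needs app-proxy-provider-systemextension")
    return problems
```

With real files, pass the output of `security cms -D -i …/embedded.provisionprofile` and of the `codesign` command to `plistlib.loads()` in place of the embedded samples.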