How to distribute MacOS Network Extension App for beta testing ?

I need help. I want to distribute my MacOS App outside of the App Store. My MacOS App uses the Network Extension framework. I created a provisioning profile in my Apple developer portal with the Bundle ID. I have the Network Extension checked. I downloaded the provisioning profile and installed it via the Xcode Signing & Capabilities Release tab for that Bundle ID. But it never matches my app's release entitlement (see below). Hence, I cannot distribute my MacOS App. How can I distribute my MacOS app for beta testing?

My Release Entitlement looks like this:

<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider</string>
</array>

Decoding the downloaded provisioning profile, it shows 'system extension' suffix ?? even though my Bundle ID only checked 'network extension'.

% security cms -D -i so_and_so.provisionprofile
<key>Entitlements</key>
<dict>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
<string>dns-settings</string>

Answered by rzulkarn in 670974022
I think this forum answers my question: https://developer.apple.com/forums/thread/67613. Thanks.
After adding <string>packet-tunnel-provider-systemextension</string> in the Packet Tunnel Release Entitlement, the errors coming from the provisioning profile are fixed. I encounter another problem with launching the Packet Tunnel process.

I have 2 Bundle IDs, one for the main app, one for the Packet Tunnel. I have created 2 provisioning profiles from my Apple developer portal and installed them in my Xcode. I am able to build within Xcode and run the main app. I can't launch the Packet Tunnel process. It gives this error: Signature check failed: code failed to satisfy specified code requirement(s).
It seems likely that the allowlist in your provisioning profile doesn’t cover all the entitlements claimed by your sysex. You should dump both and see if there’s an obvious problem.

% security cms -D -i /path/to/your.app/Contents/Library/SystemExtensions/your.sysex/Contents/embedded.provisionprofile
% codesign -d --entitlements :- /path/to/your.app/Contents/Library/SystemExtensions/your.sysex


IMPORTANT It’s critical that you dump your built product because that’s what the system actually looks at. Your .entitlements file is only one input to the build process. Similarly, you should dump the contents of the sysex that’s embedded in your app, not the sysex that’s an intermediate build product.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
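One way to do the comparison Quinn describes offline, as an added example that is not from this thread or from Apple: parse the profile's Entitlements dict and the codesign dump with plistlib and list every entitlement the built sysex claims that the profile does not grant. Both plists below are constructed samples modelled on this thread (the binary still uses the unsuffixed provider name); treating com.apple.security.* sandbox keys as not part of the profile allowlist is an assumption.

```python
import plistlib
from typing import Dict, List, Tuple

# Constructed sample: the <dict> under <key>Entitlements</key> of a decoded
# provisioning profile (security cms -D -i embedded.provisionprofile).
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.system-extension.install</key><true/>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>packet-tunnel-provider-systemextension</string></array>
  <key>com.apple.application-identifier</key><string>TEAMID.com.example.sysex</string>
  <key>com.apple.developer.team-identifier</key><string>TEAMID</string>
</dict></plist>"""

# Constructed sample: what codesign -d --entitlements :- prints for a sysex
# whose .entitlements file still carries the unsuffixed provider name.
BINARY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.application-identifier</key><string>TEAMID.com.example.sysex</string>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>packet-tunnel-provider</string></array>
  <key>com.apple.developer.system-extension.install</key><true/>
  <key>com.apple.developer.team-identifier</key><string>TEAMID</string>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.network.client</key><true/>
</dict></plist>"""

# Assumption: sandbox entitlements (com.apple.security.*) are not part of the
# profile allowlist, so they are skipped rather than reported as gaps.
UNRESTRICTED_PREFIXES = ("com.apple.security.",)

def load_entitlements(xml: bytes) -> Dict[str, object]:
    return plistlib.loads(xml)

def entitlement_gaps(profile, binary, ignore=UNRESTRICTED_PREFIXES) -> List[Tuple[str, str]]:
    """Return (key, problem) for every entitlement the binary claims but the
    profile does not grant; an empty list means the allowlist covers the binary."""
    gaps = []
    for key, value in binary.items():
        if key.startswith(ignore):
            continue
        if key not in profile:
            gaps.append((key, "not present in profile"))
        elif isinstance(value, list) and isinstance(profile[key], list):
            extra = sorted(set(value) - set(profile[key]))
            if extra:
                gaps.append((key, "values not allowed by profile: " + ", ".join(extra)))
        elif value != profile[key]:
            gaps.append((key, f"profile grants {profile[key]!r}, binary claims {value!r}"))
    return gaps

if __name__ == "__main__":
    for key, problem in entitlement_gaps(load_entitlements(PROFILE_XML), load_entitlements(BINARY_XML)):
        print(f"{key}: {problem}")
```

To use it on a real build, paste the Entitlements dict from the profile dump and the plist printed by codesign in place of the two samples; wildcard values such as keychain-access-groups are compared literally here.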
Checked embedded.provisioning vs. the entitlement file. I am not using app-proxy, content-filter, dns-proxy and dns-settings in my code. Hence my entitlement file only contains packet-tunnel. So I added these to match what's in embedded.provisioning. But I am still getting the same errors. See logs below.

default 06:49:25.248754-0700 trustd Entitlement com.apple.application-identifier=[TEAM_ID].[BUNDLE_ID_EXTENSION] is ignored because of invalid application signature or incorrect provisioning profile
default 06:49:25.251770-0700 [APP.SYSEX] Signature check failed: code failed to satisfy specified code requirement(s)
default 06:49:25.252368-0700 neagent Extension request with extension [BUNDLE_ID_SYSEX] started with identifier [A-B-C-D-E]
error 06:49:25.262991-0700 neagent Provider [CONTAINER_APP] validation failed: Error Domain=NEFilterErrorDomain Code=1 "(null)"
error 06:49:25.263123-0700 nesessionmanager NEVPNTunnelPlugin([BUNDLE_ID][inactive]): Validation of the extension failed

% security cms -D -i embedded.provisionprofile
<key>Entitlements</key>
<dict>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
<string>dns-settings</string>
</array>
<key>com.apple.application-identifier</key>
<string>[TEAM_ID].[BUNDLE_ID_SYSEX]</string>
<key>keychain-access-groups</key>
<array>
<string>[TEAM_ID].*</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>[TEAM_ID]</string>
</dict>

% codesign -d --entitlements :- APP.SYSEX
Executable= ../Build/Products/Release/APP.SYSEX/Contents/MacOS/APP.SYSEX
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>[TEAM_ID].[BUNDLE_ID_SYSEX]</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>packet-tunnel-provider-systemextension</string>
<string>app-proxy-provider-systemextension</string>
<string>content-filter-provider-systemextension</string>
<string>dns-proxy-systemextension</string>
<string>dns-settings</string>
</array>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string>[TEAM_ID]</string>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array/>
<key>com.apple.security.get-task-allow</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>
</dict>
</plist>

There are 3 embedded provisionprofiles under Build/Products/Release:

% find . -name *.provision*
./Build/Products/Release/[MYAPP].app/Contents/PlugIns/[MY_TUNNEL_APP].appex/Contents/embedded.provisionprofile
./Build/Products/Release/[MYAPP].app/Contents/embedded.provisionprofile
./Build/Products/Release/[MY_TUNNEL_APP].appex/Contents/embedded.provisionprofile

@eskimo this is different than what you specify above. Hope this is OK.
/path/to/your.app/Contents/Library/SystemExtensions/your.sysex/Contents/

@eskimo, these properties do not exist in my provisionprofile.
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array/>
<key>com.apple.security.get-task-allow</key>
<true/>
<key>com.apple.security.network.client</key>
<true/>
<key>com.apple.security.network.server</key>
<true/>

Accepted Answer
this thread seems relevant, any thought? https://developer.apple.com/forums/thread/128767 --> In any case, it looks like this precise definition including keychain.access.group makes the error message "invalid application signature or incorrect provisioning profile" disappear.
I am still getting this error: "Signature check failed: code failed to satisfy specified code requirement(s)" -- even after notarizing my apps (with the tunnel plugins). Any help would be appreciated.
https://github.com/tailscale/tailscale/issues/718 <- this thread seems to imply that for now it's a dead end to use Developer ID for distributing an appex. Migrating to sysex is inevitable.