Is it possible to distribute a macOS Network Extension app outside the Mac AppStore without having to use a System Extension?

In reference to this related question: forum question 678260

I have an application that is codesigned and notarized to install a VPN extension using the NextworkExtension plugin. It works great in Xcode in debug.

In release builds that are notarized the network extension is rejected when I try to load it. The only way we were able to get the extension to load is by going through the system extension API.

**Quinn, is it possible to distribute Developer ID-signed apps that install NetworkExtension components outside the App Store without having to use System Extension? **

The 4 UIs that the user has to jump through to allow System Extensions is going to be a huge problem for non-technical user base.

CONSOLE output when installed from a notarized pkg:

NEVPNTunnelPlugin(com.foo.bar[inactive]): Validation of the extension failed

and

Provider com.foo.bar validation failed: Error Domain=NEFilterErrorDomain Code=1 "(null)"

Up vote post of gordonfrommilton Down vote post of gordonfrommilton
255 views
Posted by
gordonfrommilton
Reply
Add a Comment

Accepted Reply

I will let Quinn weigh in here but I just wanted to mention that if your are distributing a NEPacketTunnelProvider via Developer ID you will need to use a Network System Extension.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Post marked as solved

  • Matt, didn't mean to single out Quinn per se, I've seen you here quite a bit as well. Thanks to both of you for your responses. That's unfortunate (because of the UI hurdles for users), but at least I know I'm wasting time going down this path.

    gordonfrommilton

  • Yeah, what Matt said (-: He's been handling most networking questions for DTS these past few years and I'm super grateful for that.

    eskimo

  • I appreciate it, Quinn.

    gordonfrommilton
Add a Comment

Replies

I will let Quinn weigh in here but I just wanted to mention that if your are distributing a NEPacketTunnelProvider via Developer ID you will need to use a Network System Extension.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Post marked as solved

  • Matt, didn't mean to single out Quinn per se, I've seen you here quite a bit as well. Thanks to both of you for your responses. That's unfortunate (because of the UI hurdles for users), but at least I know I'm wasting time going down this path.

    gordonfrommilton

  • Yeah, what Matt said (-: He's been handling most networking questions for DTS these past few years and I'm super grateful for that.

    eskimo

  • I appreciate it, Quinn.

    gordonfrommilton
Add a Comment