Network System Extension upgrade issue

We are trying to update the network system extension on macOS 12.4. But sysextd is crashing and failing to update the system extension. I am sharing the sysextd logs and crash report here:

sysextd console logs:

default	12:11:04.271584+0530	sysextd	sysextd started

default	12:11:04.271980+0530	sysextd	$HOME not set, falling back to using getpwuid

default	12:11:04.289499+0530	sysextd	creating staging area

default	12:11:04.298132+0530	sysextd	restoring state from extensions DB
    previous boot UUID: 39D782BA-2A6A-4F3C-925F-7AFF5D76E29D
    current boot UUID: 39D782BA-2A6A-4F3C-925F-7AFF5D76E29D
    rebooted: false

default	12:11:04.298474+0530	sysextd	extension db entry for my.sysext.bundleid/teamID("ABC"), version 4.3.2.123, in state: activated_enabled

default	12:11:04.298532+0530	sysextd	extension my.sysext.bundleid/teamID("ABC") version 4.3.2.123 now in state activated_enabled

default	12:11:04.298557+0530	sysextd	state restoration from extensions DB completed

error	12:11:04.299143+0530	sysextd	cannot open file at line 45530 of [9ff244ce07]

error	12:11:04.299174+0530	sysextd	os_unix.c:45530: (2) open(/var/db/DetachedSignatures) - No such file or directory

default	12:11:04.306484+0530	sysextd	TrustSettingsUseXPC is enabled (via feature flags)

default	12:11:04.307080+0530	sysextd	Received configuration update from daemon (initial)

default	12:11:04.317081+0530	sysextd	upgrading connection to nsxpc

default	12:11:04.318100+0530	sysextd	client activation request for my.sysext.bundleid

default	12:11:04.318135+0530	sysextd	attempting to realize extension with identifier my.sysext.bundleid

default	12:11:04.327337+0530	sysextd	realizing target path: 
file:///Applications/SampleGUI.app/Contents/Applications/SampleSysExtHost.app/Contents/Library/SystemExtensions/my.sysext.bundleid.systemextension/

default	12:11:04.327606+0530	sysextd	bundle class: UncachedBundle

default	12:11:04.335845+0530	sysextd	retrieved bundle code signing info: SecStaticCodeSigningInfo(entitlements: ["com.apple.security.get-task-allow": 0, "com.apple.developer.networking.networkextension": <__NSArrayM 0x7f7da120cd70>(
app-proxy-provider-systemextension
)
, "com.apple.security.application-groups": <__NSArrayM 0x7f7da120e940>(
ABC.com.test.appgroup
)
, "com.apple.developer.team-identifier": ABC, "com.apple.application-identifier": ABC.my.sysext.bundleid], teamID: sysextd.TeamIDType.teamID("ABC"), cdHashes: ["5d5223c9a86070d542c0ca014f259f0d36e390e0": sysextd.ArchInfo(name: "x86_64", cputype: 16777223, cpusubtype: 3)], signingIdentifier: "my.sysext.bundleid”)

default	12:11:04.335938+0530	sysextd	/Applications/SampleGUI.app/Contents/Applications/SampleSysExtHost.app/Contents/Library/SystemExtensions/my.sysext.bundleid.systemextension: package type not `DEXT`

default	12:11:04.335985+0530	sysextd	/Applications/SampleGUI.app/Contents/Applications/SampleSysExtHost.app/Contents/Library/SystemExtensions/my.sysext.bundleid.systemextension: entitlement `com.apple.developer.endpoint-security.client` not present or not true

default	12:11:04.336046+0530	sysextd	activateDecision found existing entry of same version: state activated_enabled, ID D888D9B7-53B5-4728-9C16-E3294A73BA3F

default	12:11:04.336103+0530	sysextd	initial activation decision: requestAppReplaceAction()

default	12:11:04.336127+0530	sysextd	notifying client of activation conflict

default	12:11:04.337141+0530	sysextd	client approved continuing upgrade for my.sysext.bundleid

default	12:11:04.337215+0530	sysextd	attempting to realize properties with identifier my.sysext.bundleid

default	12:11:04.337300+0530	sysextd	UNIX error exception: 3

default	12:11:04.340020+0530	sysextd	UNIX error exception: 3

default	12:11:04.344399+0530	sysextd	sysextd/daemon_ipc_nsxpc.swift:16: Fatal error: unable to extract client info from connection

default	12:11:04.344611+0530	kernel	AMFI: Denying core dump for pid 806 (sysextd)

default	12:11:04.344747+0530	kernel	sysextd[806] Corpse allowed 1 of 5

default	12:11:04.350974+0530	ReportCrash	ASI found [libswiftCore.dylib] (sensitive) 'sysextd/daemon_ipc_nsxpc.swift:16: Fatal error: unable to extract client info from connection
'
default	12:11:04.424379+0530	ReportCrash	Formulating fatal 309 report for corpse[806] sysextd

default	12:11:04.426959+0530	ReportCrash	no MetricKit for process sysextd type 309 bundleId (null)

default	12:11:04.427100+0530	ReportCrash	Sending event: com.apple.stability.crash {"exceptionCodes":"0x0000000000000001, 0x0000000000000000(\n    1,\n    0\n)EXC_BAD_INSTRUCTIONSIGILL","incidentID":"26D75F7D-3F0C-4FE3-B5CD-3A83E7A02FE7","logwritten":0,"process":"sysextd","terminationReasonExceptionCode":"0x4","terminationReasonNamespace":"SIGNAL”}

default	12:11:04.427228+0530	analyticsd	Received event: com.apple.stability.crash {"exceptionCodes":"0x0000000000000001, 0x0000000000000000(\n    1,\n    0\n)EXC_BAD_INSTRUCTIONSIGILL","incidentID":"26D75F7D-3F0C-4FE3-B5CD-3A83E7A02FE7","logwritten":0,"process":"sysextd","terminationReasonExceptionCode":"0x4","terminationReasonNamespace":"SIGNAL”}

default	12:11:04.427355+0530	analyticsd	Aggregated. Transform: StabilityCrashNumerator3WithBundleVersion Dirty: 1 Event: com.apple.stability.crash {"exceptionCodes":"0x0000000000000001, 0x0000000000000000(\n    1,\n    0\n)EXC_BAD_INSTRUCTIONSIGILL","incidentID":"26D75F7D-3F0C-4FE3-B5CD-3A83E7A02FE7","logwritten":0,"process":"sysextd","terminationReasonExceptionCode":"0x4","terminationReasonNamespace":"SIGNAL","timestamp":1655880064427052}

default	12:11:04.427453+0530	analyticsd	Aggregated. Transform: StabilityCrashNumerator3WithIncidentID Dirty: 1 Event: com.apple.stability.crash {"exceptionCodes":"0x0000000000000001, 0x0000000000000000(\n    1,\n    0\n)EXC_BAD_INSTRUCTIONSIGILL","incidentID":"26D75F7D-3F0C-4FE3-B5CD-3A83E7A02FE7","logwritten":0,"process":"sysextd","terminationReasonExceptionCode":"0x4","terminationReasonNamespace":"SIGNAL","timestamp":1655880064427052}

default	12:11:04.427561+0530	analyticsd	Aggregated. Transform: StabilityCrashNumerator3 Dirty: 1 Event: com.apple.stability.crash {"exceptionCodes":"0x0000000000000001, 0x0000000000000000(\n    1,\n    0\n)EXC_BAD_INSTRUCTIONSIGILL","incidentID":"26D75F7D-3F0C-4FE3-B5CD-3A83E7A02FE7","logwritten":0,"process":"sysextd","terminationReasonExceptionCode":"0x4","terminationReasonNamespace":"SIGNAL","timestamp":1655880064427052}

sysextd crash report:

{"app_name":"sysextd","timestamp":"2022-06-21 18:22:30.00 +0530","app_version":"","slice_uuid":"c9ca5a04-69ed-3d7b-951e-d39adaf86d26","build_version":"","platform":1,"share_with_app_devs":0,"is_first_party":1,"bug_type":"309","os_version":"macOS 12.4 (21F79)","incident_id":"4230BB5E-3A22-48C9-999D-56E4E23C9D2A","name":"sysextd"}
{
  "uptime" : 1600,
  "procLaunch" : "2022-06-21 18:22:30.0390 +0530",
  "procRole" : "Unspecified",
  "version" : 2,
  "userID" : 0,
  "deployVersion" : 210,
  "modelCode" : "MacBookPro16,2",
  "procStartAbsTime" : 1661312220806,
  "coalitionID" : 211,
  "osVersion" : {
    "train" : "macOS 12.4",
    "build" : "21F79",
    "releaseType" : "User"
  },
  "captureTime" : "2022-06-21 18:22:30.1240 +0530",
  "incident" : "4230BB5E-3A22-48C9-999D-56E4E23C9D2A",
  "bug_type" : "309",
  "pid" : 1214,
  "procExitAbsTime" : 1661396780665,
  "cpuType" : "X86-64",
  "procName" : "sysextd",
  "procPath" : "\/System\/Library\/Frameworks\/SystemExtensions.framework\/Versions\/A\/Helpers\/sysextd",
  "parentProc" : "launchd",
  "parentPid" : 1,
  "coalitionName" : "com.apple.sysextd",
  "crashReporterKey" : "492561C8-C69A-A8BF-3340-633DA3ABC374",
  "bridgeVersion" : {"build":"19P5071","train":"6.5"},
  "sip" : "enabled",
  "isCorpse" : 1,
  "exception" : {"codes":"0x0000000000000001, 0x0000000000000000","rawCodes":[1,0],"type":"EXC_BAD_INSTRUCTION","signal":"SIGILL"},
  "termination" : {"flags":0,"code":4,"namespace":"SIGNAL","indicator":"Illegal instruction: 4","byProc":"exc handler","byPid":1214},
  "extMods" : {"caller":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"system":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"targeted":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"warnings":0},
  "faultingThread" : 1,
  "threads" : [{"id":23617,"frames":[{"imageOffset":29098,"symbol":"__semwait_signal_nocancel","symbolLocation":10,"imageIndex":0},{"imageOffset":191256,"symbol":"nanosleep$NOCANCEL","symbolLocation":185,"imageIndex":1},{"imageOffset":191013,"symbol":"sleep$NOCANCEL","symbolLocation":41,"imageIndex":1},{"imageOffset":83807,"symbol":"_dispatch_queue_cleanup2","symbolLocation":158,"imageIndex":2},{"imageOffset":17767,"symbol":"_pthread_tsd_cleanup","symbolLocation":487,"imageIndex":3},{"imageOffset":27529,"symbol":"_pthread_exit","symbolLocation":70,"imageIndex":3},{"imageOffset":17213,"symbol":"pthread_exit","symbolLocation":42,"imageIndex":3},{"imageOffset":65465,"symbol":"dispatch_main","symbolLocation":96,"imageIndex":2},{"imageOffset":37537,"imageIndex":4},{"imageOffset":35065,"imageIndex":4},{"imageOffset":21790,"symbol":"start","symbolLocation":462,"imageIndex":5}]},{"triggered":true,"id":23618,"instructionState":{"instructionStream":{"bytes":[0,0,72,184,0,0,0,0,0,0,0,16,73,133,196,15,132,192,1,0,0,72,131,192,255,76,137,247,72,33,199,72,131,199,32,72,184,255,255,255,255,255,255,0,0,73,33,196,72,131,236,8,68,15,182,69,24,76,137,230,72,139,85,208,72,139,77,16,73,137,217,139,69,40,80,65,85,65,87,232,23,18,0,0,72,131,196,32,76,137,247,232,251,188,48,0,15,11,72,131,236,8,72,141,5,142,177,65,0,72,141,61,91,172,65,0,72,141,13,112,175,65,0,190,11,0,0,0,65,184,57,0,0,0,186,2,0,0,0,65,185,2,0,0,0,106,1,104,148,0,0,0,106,2,106,24,80,232,185,2,0,0,72,131,236,8,72,141,5,110,172,65,0,72,141,61,27,172,65,0,72,141,13,48,172,65,0,190,11,0,0,0],"offset":96}},"threadState":{"r13":{"value":16},"rax":{"value":6659},"rflags":{"value":66182},"cpu":{"value":2},"r14":{"value":9223372041372659616},"rsi":{"value":140572971028944},"r8":{"value":5120},"cr2":{"value":4542619648},"rdx":{"value":4519235080},"r10":{"value":140572971028944},"r9":{"value":140572970975232},"r15":{"value":11},"rbx":{"value":4517897920},"trap":{"value":6},"err":{"value":0},"r11":{"value":140572970975232},"rip":{"va
lue":140703835546181,"matchesCrashFrame":1},"rbp":{"value":123145320475744},"rsp":{"value":123145320475664},"r12":{"value":45},"rcx":{"value":0},"flavor":"x86_THREAD_STATE","rdi":{"value":9223372041372659616}},"queue":"sysextd.extension_manager","frames":[{"imageOffset":205381,"symbol":"_assertionFailure(_:_:file:line:flags:)","symbolLocation":421,"imageIndex":6},{"imageOffset":219139,"imageIndex":4},{"imageOffset":234503,"imageIndex":4},{"imageOffset":221960,"imageIndex":4},{"imageOffset":222063,"imageIndex":4},{"imageOffset":786568,"symbol":"__NSXPCCONNECTION_IS_CALLING_OUT_TO_EXPORTED_OBJECT_S1__","symbolLocation":10,"imageIndex":7},{"imageOffset":436024,"symbol":"-[NSXPCConnection _decodeAndInvokeMessageWithEvent:flags:]","symbolLocation":2347,"imageIndex":7},{"imageOffset":135966,"symbol":"message_handler","symbolLocation":206,"imageIndex":7},{"imageOffset":52080,"symbol":"_xpc_connection_call_event_handler","symbolLocation":56,"imageIndex":8},{"imageOffset":47446,"symbol":"_xpc_connection_mach_event","symbolLocation":1413,"imageIndex":8},{"imageOffset":13233,"symbol":"_dispatch_client_callout4","symbolLocation":9,"imageIndex":2},{"imageOffset":114753,"symbol":"_dispatch_mach_msg_invoke","symbolLocation":445,"imageIndex":2},{"imageOffset":37325,"symbol":"_dispatch_lane_serial_drain","symbolLocation":342,"imageIndex":2},{"imageOffset":117623,"symbol":"_dispatch_mach_invoke","symbolLocation":484,"imageIndex":2},{"imageOffset":37325,"symbol":"_dispatch_lane_serial_drain","symbolLocation":342,"imageIndex":2},{"imageOffset":40445,"symbol":"_dispatch_lane_invoke","symbolLocation":366,"imageIndex":2},{"imageOffset":81646,"symbol":"_dispatch_workloop_worker_thread","symbolLocation":753,"imageIndex":2},{"imageOffset":12240,"symbol":"_pthread_wqthread","symbolLocation":326,"imageIndex":3},{"imageOffset":8023,"symbol":"start_wqthread","symbolLocation":15,"imageIndex":3}]},{"id":23619,"frames":[{"imageOffset":29138,"symbol":"__sigsuspend_nocancel","symbolLocation":10,"imag
eIndex":0},{"imageOffset":83995,"symbol":"_dispatch_sigsuspend","symbolLocation":36,"imageIndex":2},{"imageOffset":83959,"symbol":"_dispatch_sig_thread","symbolLocation":49,"imageIndex":2}]},{"id":23623,"frames":[{"imageOffset":8008,"symbol":"start_wqthread","symbolLocation":0,"imageIndex":3}]},{"id":23625,"frames":[{"imageOffset":8008,"symbol":"start_wqthread","symbolLocation":0,"imageIndex":3}]}],
  "usedImages" : [
  {
    "source" : "P",
    "arch" : "x86_64",
    "base" : 140703612104704,
    "size" : 229376,
    "uuid" : "61711d11-e776-3bc3-b9a2-6f9f37cb8499",
    "path" : "\/usr\/lib\/system\/libsystem_kernel.dylib",
    "name" : "libsystem_kernel.dylib"
  },
  {
    "source" : "P",
    "arch" : "x86_64",
    "base" : 140703611088896,
    "size" : 561152,
    "uuid" : "d9ba0660-744d-3f84-9f80-afb51d450512",
    "path" : "\/usr\/lib\/system\/libsystem_c.dylib",
    "name" : "libsystem_c.dylib"
  },
  {
    "source" : "P",
    "arch" : "x86_64",
    "base" : 140703610548224,
    "size" : 290816,
    "uuid" : "534511b9-b3b0-33a7-b1ea-402595d28bda",
    "path" : "\/usr\/lib\/system\/libdispatch.dylib",
    "name" : "libdispatch.dylib"
  },
  {
    "source" : "P",
    "arch" : "x86_64",
    "base" : 140703612334080,
    "size" : 49152,
    "uuid" : "bc574849-1aae-31e7-b350-916dda999d97",
    "path" : "\/usr\/lib\/system\/libsystem_pthread.dylib",
    "name" : "libsystem_pthread.dylib"
  },
  {
    "source" : "P",
    "arch" : "x86_64",
    "base" : 4517269504,
    "size" : 671744,
    "uuid" : "c9ca5a04-69ed-3d7b-951e-d39adaf86d26",
    "path" : "\/System\/Library\/Frameworks\/SystemExtensions.framework\/Versions\/A\/Helpers\/sysextd",
    "name" : "sysextd"
  },
  {
    "source" : "P",
    "arch" : "x86_64",
    "base" : 4622032896,
    "size" : 442368,
    "uuid" : "b70ce1ec-b902-3852-8268-05de00bfa8d5",
    "path" : "\/usr\/lib\/dyld",
    "name" : "dyld"
  },
  {
    "source" : "P",
    "arch" : "x86_64",
    "base" : 140703835340800,
    "size" : 4694016,
    "uuid" : "19d7b567-6d0a-356a-8a2b-b45162bd77ab",
    "path" : "\/usr\/lib\/swift\/libswiftCore.dylib",
    "name" : "libswiftCore.dylib"
  },
  {
    "source" : "P",
    "arch" : "x86_64",
    "base" : 140703627862016,
    "CFBundleShortVersionString" : "6.9",
    "CFBundleIdentifier" : "com.apple.Foundation",
    "size" : 3919872,
    "uuid" : "ceb9e591-a1ad-3ebc-ab8d-410f4ff96307",
    "path" : "\/System\/Library\/Frameworks\/Foundation.framework\/Versions\/C\/Foundation",
    "name" : "Foundation",
    "CFBundleVersion" : "1863"
  },
  {
    "source" : "P",
    "arch" : "x86_64",
    "base" : 140703609421824,
    "size" : 245760,
    "uuid" : "a675716f-f789-3d56-bc4f-8ff2c94e1080",
    "path" : "\/usr\/lib\/system\/libxpc.dylib",
    "name" : "libxpc.dylib"
  }
],
  "sharedCache" : {
  "base" : 140703609077760,
  "size" : 15220686848,
  "uuid" : "398acfb4-57f6-31e0-bc82-e9959e5c92ce"
},
  "vmSummary" : "ReadOnly portion of Libraries: Total=799.9M resident=0K(0%) swapped_out_or_unallocated=799.9M(100%)\nWritable regions: Total=146.4M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=146.4M(100%)\n\n                                VIRTUAL   REGION \nREGION TYPE                        SIZE    COUNT (non-coalesced) \n===========                     =======  ======= \nActivity Tracing                   256K        1 \nDispatch continuations            64.0M        1 \nKernel Alloc Once                    8K        1 \nMALLOC                            72.1M       22 \nMALLOC guard page                   16K        4 \nObjC additional data                15K        1 \nSTACK GUARD                       56.0M        5 \nStack                             10.0M        5 \nVM_ALLOCATE                         12K        3 \n__DATA                            11.5M      209 \n__DATA_CONST                      8516K      147 \n__DATA_DIRTY                       426K       85 \n__FONT_DATA                          4K        1 \n__LINKEDIT                       648.0M        8 \n__TEXT                           151.8M      225 \n__UNICODE                          592K        1 \ndyld private memory               1024K        1 \nmapped file                       29.5M        5 \nshared memory                      576K        5 \n===========                     =======  ======= \nTOTAL                              1.0G      730 \n",
  "legacyInfo" : {
  "threadTriggered" : {
    "queue" : "sysextd.extension_manager"
  }
}
}

I am still working to figure out what is happening right now.

Can somebody help me in resolving this issue?

But sysextd is crashing and failing to update the system extension.

Does this go away if you restart your machine?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Eskimo, Thanks for your reply.

We still observe the issue even after restart.

Sharing some more information here:

The current output of 'systemextensionsctl list' looks like this (same as before update too)

admin@admins-MacBook-Pro-2 ~ % systemextensionsctl list                                           

1 extension(s) --- com.apple.system_extension.network_extension

enabled active teamID bundleID  (version) name [state]
'* *   ABC my.sysext.bundleid (4.3.2.123/4.3.2.123) MySystemExtension [activated enabled]

Suppose we are trying to update to 4.3.2.567 and it is failing.

It looks like sysextd is intentionally calling fatalError because it cannot derive the client information for the incoming XPC connection, in this case the container app.

Thread 1 Crashed::   Dispatch queue: sysextd.extension_manager
0   libswiftCore.dylib   0x7ff82a22e244 _assertionFailure(_:_:file:line:flags:) + 420
1   sysextd              0x10d436802    AbstractFrameworkClient.clientInfo.getter + 226

The client information is derived from the code signature. In these test cases, how is the container app signed?
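The failure sequence in the log from the first post can be pulled out mechanically. The following is an added triage example, not part of the original thread and not Apple's code: it parses tab-separated log lines in the shape posted above, folds continuation lines into their record, and reports the last sysextd activation step reached before the fatal error. The function names and stage labels are assumptions made for this example, and the sample lines are constructed from the log in the first post.

```python
import re

# Constructed sample: lines taken from the sysextd log in the first post,
# tab-separated as posted (type, timestamp, process, message).
SAMPLE_LOG = """\
default\t12:11:04.298132+0530\tsysextd\trestoring state from extensions DB
    rebooted: false
default\t12:11:04.318100+0530\tsysextd\tclient activation request for my.sysext.bundleid
default\t12:11:04.336046+0530\tsysextd\tactivateDecision found existing entry of same version: state activated_enabled, ID D888D9B7-53B5-4728-9C16-E3294A73BA3F
default\t12:11:04.336103+0530\tsysextd\tinitial activation decision: requestAppReplaceAction()
default\t12:11:04.336127+0530\tsysextd\tnotifying client of activation conflict
default\t12:11:04.337141+0530\tsysextd\tclient approved continuing upgrade for my.sysext.bundleid
default\t12:11:04.337300+0530\tsysextd\tUNIX error exception: 3
default\t12:11:04.340020+0530\tsysextd\tUNIX error exception: 3
default\t12:11:04.344399+0530\tsysextd\tsysextd/daemon_ipc_nsxpc.swift:16: Fatal error: unable to extract client info from connection
default\t12:11:04.344747+0530\tkernel\tsysextd[806] Corpse allowed 1 of 5
default\t12:11:04.350974+0530\tReportCrash\tASI found [libswiftCore.dylib] (sensitive) 'sysextd/daemon_ipc_nsxpc.swift:16: Fatal error: unable to extract client info from connection
'
"""

# One record per line: type, timestamp, process, message.
RECORD = re.compile(r"^(\w+)\t(\S+)\t(\S+)\t(.*)$")

# Stage labels are hypothetical names for this example; the patterns are the
# message texts that appear in the posted log.
STAGES = [
    ("activation_request", re.compile(r"client activation request for (?P<bundle>\S+)")),
    ("same_version_entry", re.compile(
        r"activateDecision found existing entry of same version: state (?P<state>\w+)")),
    ("decision", re.compile(r"initial activation decision: (?P<decision>\w+)")),
    ("conflict_notified", re.compile(r"notifying client of activation conflict")),
    ("client_approved", re.compile(r"client approved continuing upgrade for (?P<bundle>\S+)")),
    ("unix_error", re.compile(r"UNIX error exception: (?P<code>\d+)")),
    ("fatal", re.compile(r"(?P<where>\S+\.swift:\d+): Fatal error: (?P<reason>.+)")),
]


def parse_records(text):
    """Split log text into records, appending wrapped lines to the previous record."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            level, time, process, message = m.groups()
            records.append(
                {"level": level, "time": time, "process": process, "message": message}
            )
        elif line.strip() and records:
            # Multi-line messages continue on lines without the tab-separated prefix.
            records[-1]["message"] += "\n" + line.strip()
    return records


def triage(text):
    """Rebuild the sysextd activation timeline and locate the fatal error."""
    records = parse_records(text)
    timeline = []
    for rec in records:
        # ReportCrash repeats the fatal message; only sysextd's own lines count.
        if rec["process"] != "sysextd":
            continue
        for stage, pattern in STAGES:
            m = pattern.search(rec["message"])
            if m:
                timeline.append({"time": rec["time"], "stage": stage, **m.groupdict()})
                break

    fatal = next((e for e in timeline if e["stage"] == "fatal"), None)
    last_step = None
    if fatal:
        before = timeline[: timeline.index(fatal)]
        steps = [e["stage"] for e in before if e["stage"] != "unix_error"]
        last_step = steps[-1] if steps else None

    request = next((e for e in timeline if e["stage"] == "activation_request"), None)
    return {
        "bundle_id": request["bundle"] if request else None,
        "stages": [e["stage"] for e in timeline],
        "unix_errors": [e["code"] for e in timeline if e["stage"] == "unix_error"],
        "fatal": fatal,
        "last_step_before_fatal": last_step,
        "crash_reported": any(
            r["process"] == "ReportCrash" and "sysextd" in r["message"] for r in records
        ),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the posted log this places the fatal error directly after the client approved the upgrade, which is the point where sysextd needs the client information for the container app's connection.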

Thanks, Matt, for the reply. If the code signing is the problem, how has the installation been successful? However, for the analysis, I am sharing further information below:

System extension installation location: /Applications/SampleGUI.app/Contents/Applications/SampleSysExtHost.app/Contents/Library/SystemExtensions/my.sysext.bundleid.systemextension

     SampleSysExtHost.app   ===> system extension container app 
     my.sysext.bundleid.systemextension  ===> network system extension.

Please find the container app and system extension code signing and entitlements details in the attached file:


Sharing the details again:


**ContainerApp codesign output:**
devs-iMac:Applications dev$ codesign -d --entitlements - SampleSysExtHost.app

Executable=/Applications/SampleGUI.app/Contents/Applications/SampleSysExtHost.app/Contents/MacOS/SampleSysExtHost
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.application-identifier</key>
	<string>[TEAM_ID].[APP_ID]</string>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>app-proxy-provider-systemextension</string>
	</array>
	<key>com.apple.developer.system-extension.install</key>
	<true/>
	<key>com.apple.developer.team-identifier</key>
	<string>[TEAM_ID]</string>
	<key>com.apple.security.get-task-allow</key>
	<false/>
</dict>
</plist>


**ContainerApp provisioning profile output:**

devs-iMac:Contents dev$ security cms -D -i embedded.provisionprofile 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AppIDName</key>
	<string>[Profile AppID Name]</string>
	<key>ApplicationIdentifierPrefix</key>
	<array>
	<string>[TEAM_ID]</string>
	</array>
	<key>CreationDate</key>
	<date>[DATE]</date>
	<key>Platform</key>
	<array>
		<string>OSX</string>
	</array>
	<key>IsXcodeManaged</key>
	<false/>
	<key>DeveloperCertificates</key>
	<array>
		<data>[DATA]</data>
	</array>								
	<key>Entitlements</key>
	<dict>		
		<key>com.apple.developer.system-extension.install</key>
		<true/>
		<key>com.apple.developer.networking.networkextension</key>
		<array>
				<string>packet-tunnel-provider-systemextension</string>
				<string>app-proxy-provider-systemextension</string>
				<string>content-filter-provider-systemextension</string>
				<string>dns-proxy-systemextension</string>
				<string>dns-settings</string>
		</array>		
		<key>com.apple.application-identifier</key>
		<string>[TEAM_ID].[APP_ID]</string>		
		<key>keychain-access-groups</key>
		<array>
				<string>[TEAM_ID].*</string>
		</array>	
		<key>com.apple.developer.team-identifier</key>
		<string>[TEAM_ID]</string>
	</dict>
	<key>ExpirationDate</key>
	<date>[DATE</date>
	<key>Name</key>
	<string>[PROFILE NAME]</string>
	<key>ProvisionsAllDevices</key>
	<true/>
	<key>TeamIdentifier</key>
	<array>
		<string>[TEAM_ID]</string>
	</array>
	<key>TeamName</key>
	<string>[TEAM_NAME]</string>
	<key>TimeToLive</key>
	<integer>6570</integer>
	<key>UUID</key>
	<string>[UUID]</string>
	<key>Version</key>
	<integer>1</integer>
</dict>
</plist>


**System extension codesign output:**
devs-iMac:SystemExtensions dev$ codesign -d --entitlements - my.sysext.bundleid.systemextension

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.application-identifier</key>
	<string>[TEAM_ID].[APP_ID]</string>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>app-proxy-provider-systemextension</string>
	</array>
	<key>com.apple.developer.team-identifier</key>
	<string>[TEAM_ID]</string>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>[TEAM_ID].com.test.appgroup</string>
	</array>
	<key>com.apple.security.get-task-allow</key>
	<false/>
</dict>
</plist>


**System extension provisioning profile output:**
devs-iMac:Contents dev$ security cms -D -i embedded.provisionprofile

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>AppIDName</key>
	<string>[NAME]</string>
	<key>ApplicationIdentifierPrefix</key>
	<array>
	<string>[TEAM_ID]</string>
	</array>
	<key>CreationDate</key>
	<date>[DATE]</date>
	<key>Platform</key>
	<array>
		<string>OSX</string>
	</array>
	<key>IsXcodeManaged</key>
	<false/>
	<key>DeveloperCertificates</key>
	<array>
		<data>[DATA]</data>
	</array>							
	<key>Entitlements</key>
	<dict>		
		<key>com.apple.developer.networking.networkextension</key>
		<array>
				<string>packet-tunnel-provider-systemextension</string>
				<string>app-proxy-provider-systemextension</string>
				<string>content-filter-provider-systemextension</string>
				<string>dns-proxy-systemextension</string>
				<string>dns-settings</string>
		</array>			
		<key>com.apple.application-identifier</key>
		<string>[TEAM_ID].[APP_ID]</string>		
		<key>keychain-access-groups</key>
		<array>
				<string>[TEAM_ID].*</string>
		</array>				
		<key>com.apple.developer.team-identifier</key>
		<string>[TEAM_ID]</string>
	</dict>
	<key>ExpirationDate</key>
	<date>[DATE]</date>
	<key>Name</key>
	<string>[PROFILE_NAME]</string>
	<key>ProvisionsAllDevices</key>
	<true/>
	<key>TeamIdentifier</key>
	<array>
		<string>[TEAM_ID]</string>
	</array>
	<key>TeamName</key>
	<string>[TEAM_NAME]</string>
	<key>TimeToLive</key>
	<integer>6570</integer>
	<key>UUID</key>
	<string>[UUID]</string>
	<key>Version</key>
	<integer>1</integer>
</dict>
</plist>

Because of this upgrade issue, we are unable to uninstall the system extension. The deactivation request is failing. The only remaining way to uninstall the system extension is disabling SIP, which should not be done in general.

Can you please have a look at the above signing-related information and let us know what to do next?

Thank you for sharing this information on how the container app is signed.

What is going on here:

Executable=/Applications/SampleGUI.app/Contents/Applications/SampleSysExtHost.app/Contents/MacOS/SampleSysExtHost

I would expect the container app bundle structure to look like the following:

SampleGUI.app
  Contents/
    MacOS/
      SampleGUI
    _CodeSignature/
    embedded.provisionprofile
    Info.plist
    Library/
      SystemExtensions/
        my.sysext.bundleid.systemextension
    PkgInfo
    Resources/

Having helper apps in other places inside your macOS bundle, outside of the designated locations, will cause syspolicyd to evaluate the execution of your app / extension as code that is bundled incorrectly. See the link provided for the proper location of helper apps.

Thanks Matt for your point.

If this is the case, I am wondering how the system allowed the system extension to be installed and loaded for the first time. What I mean is, why and how does this restriction apply only at the time of upgrade?

My container app looks like this:

EncryptionProxyHost.app
  Contents/
    MacOS/
      SampleGUI
    _CodeSignature/
    embedded.provisionprofile
    Info.plist
    Library/
      SystemExtensions/
        my.sysext.bundleid.systemextension
    PkgInfo
    Resources/

Right now, the above container app is bundled inside another app at /Applications/SampleGUI.app/Contents/Applications/, and the system allowed installation and loading of the system extension without reporting any issue about location, but failed at the time of upgrade.

So if I move the container app to location /Applications/SampleGUI.app/Contents/Helpers/, will it be allowed for upgrade?

Apart from this, does the SystemExtensions framework have any API to uninstall/deactivate a system extension based on the combination of bundle ID and version?

There was a typo in the above container app details. Please find the container app structure below:

SampleSysExtHost.app
  Contents/
    MacOS/
      SampleSysExtHost
    _CodeSignature/
    embedded.provisionprofile
    Info.plist
    Library/
      SystemExtensions/
        my.sysext.bundleid.systemextension
    PkgInfo
    Resources/

So if I move the container app to location /Applications/SampleGUI.app/Contents/Helpers/, will it be allowed for upgrade?

Am I missing something? I do not see the external SampleGUI.app or the Helpers/ directory here at all?

Hi Matt,

SampleGUI.app is not a container app for the system extension. Here we bundled SampleSysExtHost.app (the container app for the extension) inside SampleGUI.app as below:

**/Applications/SampleGUI.app/Contents/Applications/SampleSysExtHost.app** and the container app structure is as below:

SampleSysExtHost.app
  Contents/
    MacOS/
      SampleSysExtHost
    _CodeSignature/
    embedded.provisionprofile
    Info.plist
    Library/
      SystemExtensions/
        my.sysext.bundleid.systemextension
    PkgInfo
    Resources/

Based on your input on the bundling issue, I did an experiment where the container app is not bundled in SampleGUI.app and is distributed alongside SampleGUI.app, installed as /Applications/SampleSysExtHost.app. With this change, the issue is not resolved. Experiment details are given below:

Scenario:

  1. Installed version 4.3.2.10 as /Applications/SampleSysExtHost.app
  2. Upgraded to 4.3.2.11. System extension upgrade failed.

Observations:

On Big Sur 11.6 and 12.4:

  1. sysextd log shows:
default	12:11:04.335985+0530	sysextd   /Applications/SampleSysExtHost.app/Contents/Library/SystemExtensions/my.sysext.bundleid.systemextension: package type not `DEXT`

default	12:11:04.335985+0530	sysextd	/Applications/SampleSysExtHost.app/Contents/Library/SystemExtensions/my.sysext.bundleid.systemextension: entitlement `com.apple.developer.endpoint-security.client` not present or not true

default	12:11:04.336046+0530	sysextd	activateDecision found existing entry of same version: state activated_enabled, ID D888D9B7-53B5-4728-9C16-E3294A73BA3F

default	12:11:04.336103+0530	sysextd	initial activation decision: requestAppReplaceAction()

default	12:11:04.336127+0530	sysextd	notifying client of activation conflict

default	12:11:04.337141+0530	sysextd	client approved continuing upgrade for my.sysext.bundleid

default	12:11:04.337215+0530	sysextd	attempting to realize properties with identifier my.sysext.bundleid

default	12:11:04.337300+0530	sysextd	UNIX error exception: 3

default	12:11:04.340020+0530	sysextd	UNIX error exception: 3

default	12:11:04.344399+0530	sysextd	sysextd/daemon_ipc_nsxpc.swift:16: Fatal error: unable to extract client info from connection

  2. Crashed at the same place:
Thread 1 Crashed:: Dispatch queue: sysextd.extension_manager
0  libswiftCore.dylib      	0x00007fff2c899367 _assertionFailure(_:_:file:line:flags:) + 1767
1  sysextd            	0x000000010aab074c 0x10aa7c000 + 214860
2  sysextd            	0x000000010aab338d 0x10aa7c000 + 226189
3  sysextd            	0x000000010aab0fbf 0x10aa7c000 + 217023
4  sysextd            	0x000000010aab101f 0x10aa7c000 + 217119
5  com.apple.Foundation     	0x00007fff213a0c86 __NSXPCCONNECTION_IS_CALLING_OUT_TO_EXPORTED_OBJECT_S1__ + 10
6  com.apple.Foundation     	0x00007fff2134bb88 -[NSXPCConnection _decodeAndInvokeMessageWithEvent:flags:] + 2271
7  com.apple.Foundation     	0x00007fff21303039 message_handler + 206
8  libxpc.dylib         	0x00007fff20200c24 _xpc_connection_call_event_handler + 56
9  libxpc.dylib         	0x00007fff201ffa9b _xpc_connection_mach_event + 938
10 libdispatch.dylib       	0x00007fff203108a6 _dispatch_client_callout4 + 9
11 libdispatch.dylib       	0x00007fff20327aa0 _dispatch_mach_msg_invoke + 444
12 libdispatch.dylib       	0x00007fff20316493 _dispatch_lane_serial_drain + 263
13 libdispatch.dylib       	0x00007fff203285e2 _dispatch_mach_invoke + 484
14 libdispatch.dylib       	0x00007fff20316493 _dispatch_lane_serial_drain + 263
15 libdispatch.dylib       	0x00007fff203170ad _dispatch_lane_invoke + 366
16 libdispatch.dylib       	0x00007fff20320c0d _dispatch_workloop_worker_thread + 811
17 libsystem_pthread.dylib    	0x00007fff204b745d _pthread_wqthread + 314
18 libsystem_pthread.dylib    	0x00007fff204b642f start_wqthread + 15

Later, on Big Sur 11.6, I even observed that the new extension is activated with user approval, leading to 2 system extensions with the same bundle ID in state activated enabled.

The problems with this state are:

  1. We cannot deactivate the older version of the system extension even with a system extension API request. The only way is to disable SIP and deactivate using systemextensionsctl reset.

QUES: When will the SIP dependency be removed for deactivating a system extension using systemextensionsctl?

QUES: Are you planning to add the ability to systemextensionsctl to deactivate a system extension based on bundle ID and version? It will be helpful for deactivating stale older-version system extensions, as explained in my scenario.

So the issue still occurs even when the container app is distributed as a separate app => this clarifies there is no issue with the existing bundling, right?

Now I am wondering what is causing this issue? Can any of the following cause this upgrade issue?

  1. The above log says the entitlement com.apple.developer.endpoint-security.client is not present or not true for the system extension. Can this cause an issue while upgrading?

  2. The 'systemextensionsctl list' command output shows the system extension version as 4.3.2.123/4.3.2.123. Can this versioning cause an issue?

Has there been any progress on this issue? I am experiencing the same problem.
