SystemExtension and NetworkExtension not working signed with DeveloperID cert

I have an application which installs a SystemExtension and also a few NetworkExtensions. The SystemExtension is signed with the Developer ID certificate provided by Apple, while the network extensions, being part of the same SystemExtension's entitlements, get signed with the same Developer ID certificate. I am able to notarise it with Apple and run it (using the xcrun notarytool submit/staple commands).

    xcrun stapler validate
    The validate action worked!

    spctl -a -vv
    source=Notarized Developer ID
    origin=Developer ID Application: MyCompany Inc. (RTAXXXXXX)

gives me correct and expected results

However, when I start the application, the system extension works fine while the other network extensions are just blocked by the taskgated daemon.

The above scenario happens when I run notarytool to notarise the application.

From Xcode (13.2.1), when I archive and distribute the application for notarisation and download the file back again once notarisation completes, it works fine.

Are there any steps that I am missing when I am signing with notarytool for notarisation?

while the other network extensions are just blocked with taskgated daemon.

How do you know that it’s doing the blocking? Is there an associated log message?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for quick reply Quinn!

From my logs, as attached, it has some issues with entitlements, which can be seen in the profile (and they are approved as well).

Here is the profile that I have

The xcodeconfig is as below

Try this:

  1. Build your app.

  2. Dump the entitlements of the sysex embedded in your app.

  3. Dump the entitlement allowlist of the profile embedded within the sysex embedded in your app.

What do you see?

For info on how to do steps 2 and 3, see TN3125 Inside Code Signing: Provisioning Profiles.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you again for your reply. Please find attached the dumps of the entitlements and the system extension. I have replaced the name of the application and the extension name with the same values, and also masked the team ID.

Those look like entitlement dumps of the executable, taken with codesign. Is that right?

If so, you also need to look at the dump of the entitlement allowlist in the provisioning profile, taken with security cms.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello Quinn,

Apologies for getting back late. Yes, I have followed the document at https://developer.apple.com/documentation/technotes/tn3125-inside-code-signing-provisioning-profiles to produce the above entitlement files. I have modified them to hide the real application and package name.

The command that I used for this was:

    security cms -D -i VJDevIDFA.provisionprofile -o VJDevIDFA-payload.plist

After that I executed:

    plutil -extract DeveloperCertificates xml1 -o - VJDevIDFA-payload.plist

The command

    plutil -extract Entitlements.application-identifier raw -o - VJDevIDFA-payload.plist

gave me the following error:

    VJDevIDFA-payload.plist: Could not extract value, error: No value at that key path or invalid key path: Entitlements.application-identifier

so I then used the command below:

    plutil -extract com.apple.application-identifier raw -o - VJDevIDFA-payload.plist

which gave me the following error:

    VJDevIDFA-payload.plist: Could not extract value, error: No value at that key path or invalid key path: com.apple.application-identifier

However, the command

    security cms -D -i Profile_Explainer_iOS_Dev.der -o Profile_Explainer_iOS_Dev-payload.der

generated the file for me, on which I ran the following to get the attached output:

    openssl asn1parse -in Profile_Explainer_iOS_Dev-payload.der -inform der -i |cut -c 30-  >> output.txt

PS: I have changed the identifiers in the above file as well.

Let me know if this is what was expected from the above ask.

Thank you again for the help.

Thank you, Vijay

Two things:

  • You posted the entitlement allowlist for the app’s profile, but my understanding is that the app launches just fine. You need to check the allowlist for the sysex.

  • To avoid confusion I recommend that you dump the entitlements and the profiles of the built binary, not the ones that are the input to the build process.

So, build your app and then dump:

  1. The entitlements of the app.

  2. The entitlement allowlist in the profile embedded within the app, at Contents/embedded.provisionprofile.

  3. The entitlements of the sysex embedded within the app.

  4. The entitlement allowlist in the profile embedded within the sysex, at Contents/embedded.provisionprofile.

Keep in mind that every restricted entitlement claimed by the app must be allowed by its profile. Likewise, every restricted entitlement claimed by the sysex must be allowed by its profile.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
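The four dumps above are the raw material; the comparison Quinn describes (every restricted entitlement a binary claims must appear, with a compatible value, in the allowlist of the profile embedded in that same bundle) is what the following script automates. This is an added example, not code from this thread or from Apple. The two dump helpers shell out to `codesign -d --entitlements - --xml` and `security cms -D`, which exist only on macOS, so the check itself is exercised on constructed sample plists; the treatment of `com.apple.security.*` keys as unrestricted, and every identifier (TEAMID, com.example...), are assumptions made for the example.

```python
"""Check a bundle's claimed entitlements against its embedded profile's allowlist.

Added example, not code from the forum thread or from Apple. On macOS the inputs
come from `codesign -d --entitlements - --xml <bundle>` and
`security cms -D -i <bundle>/Contents/embedded.provisionprofile`; the comparison
runs anywhere, here on constructed sample plists.
"""
import copy
import fnmatch
import plistlib
import subprocess

# Assumption for this example: sandbox / hardened-runtime keys are not
# restricted by a provisioning profile, so they are skipped.
UNRESTRICTED_PREFIXES = ("com.apple.security.",)


def dump_entitlements(path):
    """Entitlements claimed by a signed binary or bundle (macOS only)."""
    out = subprocess.run(["codesign", "-d", "--entitlements", "-", "--xml", path],
                         check=True, capture_output=True).stdout
    return plistlib.loads(out)


def decode_profile(path):
    """Plist payload of a CMS-wrapped .provisionprofile (macOS only)."""
    out = subprocess.run(["security", "cms", "-D", "-i", path],
                         check=True, capture_output=True).stdout
    return plistlib.loads(out)


def _value_allowed(claimed, allowed):
    """Does the profile's allowlist value cover what the binary claims?"""
    if isinstance(allowed, bool):
        return allowed or claimed is not True        # a false entry denies the claim
    if isinstance(allowed, str):                     # exact match or glob such as "TEAMID.*"
        return isinstance(claimed, str) and fnmatch.fnmatchcase(claimed, allowed)
    if isinstance(allowed, list):                    # every claimed element needs a match
        claimed_list = claimed if isinstance(claimed, list) else [claimed]
        return all(any(_value_allowed(c, a) for a in allowed) for c in claimed_list)
    return claimed == allowed


def check_against_profile(entitlements, profile):
    """Return one message per restricted entitlement the profile does not allow."""
    allowlist = profile.get("Entitlements", {})
    problems = []
    for key, claimed in entitlements.items():
        if key.startswith(UNRESTRICTED_PREFIXES):
            continue
        if key not in allowlist:
            problems.append(f"{key}: claimed but absent from profile allowlist")
        elif not _value_allowed(claimed, allowlist[key]):
            problems.append(f"{key}: claimed {claimed!r}, profile allows {allowlist[key]!r}")
    return problems


def audit_bundle(bundle_path):
    """macOS only: dump and compare one bundle (run once for the app, once for the sysex)."""
    return check_against_profile(
        dump_entitlements(bundle_path),
        decode_profile(f"{bundle_path}/Contents/embedded.provisionprofile"))


# Constructed sample: what a sysex might claim (all identifiers are made up).
SYSEX_ENTITLEMENTS_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.application-identifier</key><string>TEAMID.com.example.app.sysex</string>
  <key>com.apple.developer.team-identifier</key><string>TEAMID</string>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>content-filter-provider-systemextension</string></array>
  <key>com.apple.developer.endpoint-security.client</key><true/>
  <key>keychain-access-groups</key><array><string>TEAMID.com.example.shared</string></array>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>"""

# Constructed sample: decoded payload of the sysex's Developer ID profile; its
# allowlist carries no Endpoint Security entry.
PROFILE_PAYLOAD = {
    "Name": "Example Sysex Developer ID",
    "Entitlements": {
        "com.apple.developer.system-extension.install": True,
        "com.apple.developer.networking.networkextension": [
            "packet-tunnel-provider-systemextension",
            "app-proxy-provider-systemextension",
            "content-filter-provider-systemextension",
            "dns-proxy-systemextension",
            "dns-settings",
        ],
        "com.apple.application-identifier": "TEAMID.com.example.app.sysex",
        "keychain-access-groups": ["TEAMID.*"],
        "com.apple.developer.team-identifier": "TEAMID",
    },
}


def sample_problems(with_endpoint_security=False):
    """Run the check on the samples, optionally after adding the missing allowlist entry."""
    profile = copy.deepcopy(PROFILE_PAYLOAD)
    if with_endpoint_security:
        profile["Entitlements"]["com.apple.developer.endpoint-security.client"] = True
    return check_against_profile(plistlib.loads(SYSEX_ENTITLEMENTS_XML), profile)


if __name__ == "__main__":
    for problem in sample_problems():
        print(problem)
```

On a Mac, `audit_bundle` is run once against the built .app and once against the sysex bundle under its Contents/Library/SystemExtensions directory, since each has its own embedded.provisionprofile. Because `com.apple.application-identifier` is compared as an exact string, a profile issued for the app's App ID fails the check when it is embedded in the sysex, which is the "each target needs its own profile" rule in code. In the constructed sample the only finding is the Endpoint Security client entitlement missing from the allowlist; the `TEAMID.*` keychain group wildcard is accepted.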

Greetings Quinn,

Sorry I could not get the ask the first time. I re-read it, and here is the dump of the embedded provisioning profile after the application is built and signed with the Developer ID certificate.

This is a snippet for the system extension inside the application, at Library/SystemExtensions/package-name/Contents:

    <dict>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.developer.networking.networkextension</key>
        <array>
            <string>packet-tunnel-provider-systemextension</string>
            <string>app-proxy-provider-systemextension</string>
            <string>content-filter-provider-systemextension</string>
            <string>dns-proxy-systemextension</string>
            <string>dns-settings</string>
        </array>
        <key>com.apple.application-identifier</key>
        <string>TEAMID.com.myapplication.someapp.myextension</string>
        <key>keychain-access-groups</key>
        <array>
            <string>TEAMID.*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>TEAMID</string>
    </dict>

As can be seen, it does not have the com.apple.developer.endpoint-security.client entitlement in it; however, in Xcode when the code is built I had explicitly mentioned it as well. Is there any reason that it's being removed when built?

Attached is the screenshot of the profile used for signing the application

Thank you, Vijay

Attached is the screenshot of the profile used for signing the application

The application? What about the profile used for the sysex?

Keep in mind that the app and the sysex have different App IDs and, because they use restricted entitlements, they can’t use a wild card profile. That means that they each need their own profile, each with its own unique entitlement allowlist.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes Quinn, the profile which I pasted above is for the sysex (I named it with an ext suffix to distinguish it). The main application has a different profile altogether.

What concerns me here is that when the application/sysext are signed with the above certs, the entitlement com.apple.developer.endpoint-security.client is removed completely from the resulting application.

I have the DeveloperID profile enabled for the system extension as well for same from apple. Am I missing something here?

Thank you, Vijay

In addition to the above information, we have 4 different provisioning profiles: 2 with the Developer ID Application certificate (one for the application and the other for the extensions) and the other 2 (one for the application and the other for the extension) with the Mac Development certificate.

With these, when we sign with the Mac Development certificate the entitlement stays and we can see the application working fine.

When we choose the Developer ID Application certificate, the entitlement for Endpoint Security vanishes (not sure how), while we can see the other entitlements in the build, and the application stops working.

We have requested Endpoint Security and got it approved by Apple twice.

At this point I’m going to have to admit defeat here; I just don’t have the time, in the context of DevForums, to help you sort this out )-: I recommend that you open a DTS tech support incident, which will allow me to allocate more time to dig into the details.

When you open the incident, please reference this DevForums thread for context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Greetings,

Thank you Quinn, I have opened a DTS incident with Case ID: 809522391

Looking forward to the solution.

Thank you, Vijay
