How to correctly use the developer ID to implement program distribution

Currently, I have implemented a project that includes network extension and system extension entitlements. When I create the profile using the development method, I get exactly the right entitlement matching. For example:

  1. create app id (identifier)
  2. create a profile, associate with the corresponding app id, generate the profile and download it locally.
  3. In xcode, fill in the corresponding app id in Bundle Identifier, such as com.***.test.app, and fill in the corresponding development profile in Provisioning Profile.

At this point I was able to achieve a complete and correct program compiling and running. Now, I want to distribute this app by developer id. According to https://developer.apple.com/developer-id/ , I have several questions remain:

  1. I followed this method https://developer.apple.com/help/account/create-certificates/create-developer-id-certificates/ to create a distribution certificate and created two new profiles (distribute- developer id), which is associated with the existing bundle ID (com.***.test.app, com.***.test.extension). But when I import the corresponding provisioning profile in xcode, it shows error:
Provisioning profile "***" doesn’t match the entitlement file’s value for the com.apple.developer.networking.networkextension entitlement. 

But isn't the corresponding entitlement information already selected when the app id is set? Why is the profile of the development type feasible, but the profile of the developer id is not feasible?

  1. I have made relevant settings according to this method https://developer.apple.com/documentation/xcode/preparing-your-app-for-distribution/, and I don’t seem to need the hardened runtime and sandbox related content, so I don't have any settings. Maybe apple events in hardened runtime is necessary?

  2. Submitting software to apple notarization seems to be a more trustworthy behavior for users, but at this stage I just want to simply implement distribution for program testing, so I chose export in archives-distribute app-developer id, and in the follow-up The same error as in question 1 appeared in the profile selection of the profile:

Profile doesn't match the entitlements file's value for the com.apple.developer.networking.networkextension entitlement.

So, overall: One is how to create the correct developer id profile? My two entitlements files are as follows:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>content-filter-provider</string>
	</array>
	<key>com.apple.developer.system-extension.install</key>
	<true/>
	<key>com.apple.security.app-sandbox</key>
	<false/>
	<key>com.apple.security.files.user-selected.read-only</key>
	<true/>
</dict>
</plist>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>com.apple.developer.networking.networkextension</key>
	<array>
		<string>content-filter-provider</string>
	</array>
	<key>com.apple.security.app-sandbox</key>
	<false/>
	<key>com.apple.security.application-groups</key>
	<array>
		<string>$(TeamIdentifierPrefix)com.example.app-group</string>
	</array>
</dict>
</plist>

Second, is Apple notarization necessary?

Answered by DTS Engineer in 763035022

Let’s answer the easy one first:

Second, is Apple notarization necessary?

Yes. Notarisation Resources has link to a bunch of resources that explain this in detail.


With regards your main issue, you’ve bumped into a gotcha related to NE distribution. NE providers can be packaged in one of two ways:

  • App extension

  • System extension

Note For more on this, see TN3134 Network Extension provider deployment.

Appex packaging is only supported on the Mac App Store. Sysex packaging supports both Mac App Store and independent distribution, the latter using Developer ID signing. However, the entitlements you use are different when using Developer ID signing. For example, for a content filter you’d use content-filter-provider for App Store distribution and content-filter-provider-systemextension for independent distribution with Developer ID.

Xcode is not aware of this subtlety, so you won’t be able to use Xcode to export a Developer ID signed NE sysex from your archive (FB12163991). I recommend that you continue to use the Build > Archive workflow and then write a script that copies the app from the archive, copies a Developer ID profile into both the sysex and the app, and then re-signs the sysex and its container app using entitlements with the -systemextension suffix.

Creating Distribution-Signed Code for Mac has general advice on how to achieve each of these tasks.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

Let’s answer the easy one first:

Second, is Apple notarization necessary?

Yes. Notarisation Resources has link to a bunch of resources that explain this in detail.


With regards your main issue, you’ve bumped into a gotcha related to NE distribution. NE providers can be packaged in one of two ways:

  • App extension

  • System extension

Note For more on this, see TN3134 Network Extension provider deployment.

Appex packaging is only supported on the Mac App Store. Sysex packaging supports both Mac App Store and independent distribution, the latter using Developer ID signing. However, the entitlements you use are different when using Developer ID signing. For example, for a content filter you’d use content-filter-provider for App Store distribution and content-filter-provider-systemextension for independent distribution with Developer ID.

Xcode is not aware of this subtlety, so you won’t be able to use Xcode to export a Developer ID signed NE sysex from your archive (FB12163991). I recommend that you continue to use the Build > Archive workflow and then write a script that copies the app from the archive, copies a Developer ID profile into both the sysex and the app, and then re-signs the sysex and its container app using entitlements with the -systemextension suffix.

Creating Distribution-Signed Code for Mac has general advice on how to achieve each of these tasks.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks!! But I also want to ask a question that has nothing to do with distribution, because when I test in local xcode and manually configure the profile of the developer id, an error is also displayed:

Provisioning profile "xxxx" doesn't match the entitlements file's value for the com. apple.developer.networking.networkextension entitlement. 

But what I can be sure of is that when I build the identifier, I choose the necessary system extension and network extension, and realize the correct association when the profile is created. I guess this has nothing to do with distribution? But how to solve it?

After I change the com. apple.developer.networking.networkextension in Xcode from Content Filter to content-filter-provider-systemextension, I have successfully build the archive to distribute. But when I run it on the other development, it has the sys log :

sysextd attempt to realize extension xxxx. 

My app bundle id is com.company.name.app and the extension bundle id is com.company.name.Extension.

Container.app
  Contents/
    Library/
      SystemExtensions/
        com.company.name.Extension.systemextension

Maybe this is still a permissions issue? How can I solve it? Are there any suggestions?

when I test in local xcode and manually configure the profile of the developer id

My advice here is not not use Developer ID for local testing. This is just one of many reasons for that advice. For more background, see The Care and Feeding of Developer ID.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

How to correctly use the developer ID to implement program distribution
 
 
Q