Getting a basic URL Filter to work

Wow, a) I’d assumed they’d tell me something if I was approved, and b) I cannot believe I got the configuration right on the first try without being able to test 😅

I’d assumed they’d tell me something if I was approved

Indeed. We’re still working out the kinks in this process.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It's mid February and I am trying to upload an app (just to TestFlight) with a url-content-filter. I am getting the same error:

Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value 'url-filter-provider' for key 'com.apple.developer.networking.networkextension'

Is this just still not available? How do we proceed with using this entitlement?

@DTS Engineer It's mid February and I am trying to upload an app (just to TestFlight) with a url-content-filter. I am getting the same error: Your application bundle's signature contains code signing entitlements that are not supported on iOS. Specifically, value 'url-filter-provider' for key 'com.apple.developer.networking.networkextension' Is this just still not available? How do we proceed with using this entitlement?

I figured this out I think:

  26 -    <string>com.apple.networkextension.url-filter            
     --control</string>                                        
  26 +    <string>com.apple.networkextension.url-filter            
     +</string>     

The correct value to put in the entitlement is url-filter-provider. Annoyingly, this hasn’t yet made it to the documentation (r. 164079609) but Xcode’s Signing & Capabilities editor does the right thing.

Regarding KayleeSC’s bug about app submission (FB19582905) I continue to monitor that internally, but I’ve nothing concrete about its status other than that it remains un-fixed )-:

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@KayleeSC How did you get the bloomFilter hash correct? I followed your process from earlier in this thread. I used the MurmurHash3 swift library, but the standard FNV-1a implementation instead of the inverted order of operations you suggested. (An apple dev told me to do it this way)

The hash this produces still isn't blocking sites for me.

Is this the hash you got for the 10 example websites in the starter code? UzDsxTWvY7Y/grhkQS1KZe8SslPAGOFK

@DTS Engineer I think that was the EXExtensionPointIdentifier in the info.plist of the URL FIlter, not entitlements.

@beacham haven’t had a chance to try this, but wouldn’t changing the extension point identifier prevent the extension from being recognized at all? Like, can you upload the app to TestFlight and have the extension function?

@KayleeSC , Please take another run at submitting your app. I just checked on FB19582905 and there’s signs of movement there [1].

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Our bugs system should officially notify you of this soon, but I figured you’d appreciate a heads up as soon as possible.

Ok, I was able to upload a build containing the extension! I will release it to TestFlight soon, even tho the actual filtering doesn’t work atm, due to the server part.

I’m using @ameshkov’s tester (thank you!!) and everything seems to be ok with my server stuff; however when I actually try to turn the feature on I always get this:

<NEPIRChecker: 0xd65178d00>: -[NEPIRChecker start:responseQueue:completionHandler:]_block_invoke - PIR status returned error <Error Domain=com.apple.CipherML Code=1100 "Unable to query status due to errors: failed to fetch token key" UserInfo={NSLocalizedDescription=Unable to query status due to errors: failed to fetch token key, NSUnderlyingError=0xd64d70810 {Error Domain=CipherML.AuthenticationError Code=7 "failed to fetch token key" UserInfo={NSLocalizedDescription=failed to fetch token key}}}>

Does this mean the server stuff was not certified?

I think I finally did it! I eventually gave up and switched to a different gateway: https://github.com/gruberb/ohttp-gateway

Once configured properly, everything started flowing, even from TestFlight (which I hope means that it will be the same from the App Store).

Feels kinda unreal that this is actually happening, I had lost hope. Thanks to everyone who helped out!

@DTS Engineer I am still getting this when pushing to Testflight:

Invalid Info.plist value. The value of the NSExtensionPointIdentifier key, com.apple.url-filter-provider, in the Info.plist of “PledgeLock.app/PlugIns/URLFilterExtension.appex” is invalid. Please refer to the App Extension Programming Guide at https://developer.apple.com/library/content/documentation/General/Conceptual/ExtensibilityPG/Action.html#/apple_ref/doc/uid/TP40014214-CH13-SW1. (ID: cf6bb55a-0673-41b4-8aaa-d64c2f36ce9c) error: exportArchive Validation failed. Invalid Info.plist value. The value of the NSExtensionPointIdentifier key, com.apple.url-filter-provider, in the Info.plist of “PledgeLock.app/PlugIns/URLFilterExtension.appex” is invalid. Please refer to the App Extension Programming Guide at https://developer.apple.com/library/content/documentation/General/Conceptual/ExtensibilityPG/Action.html#/apple_ref/doc/uid/TP40014214-CH13-SW1. (ID: cf6bb55a-0673-41b4-8aaa-d64c2f36ce9c).

Feels kinda unreal that this is actually happening

Yay!

I am still getting this when pushing to Testflight:

NSExtensionPointIdentifier is associated with old-style Foundation extensions, whereas URL filters are based on new-style ExtensionKit extensions. I downloaded and built the latest version of the Filtering traffic by URL sample. Consider this:

% grep NSExtensionPointIdentifier -r SimpleURLFilter.app
% 

and this:

% plutil -p SimpleURLFilter.app/Extensions/SimpleURLFilterExtension.appex/Info.plist 
{
  …
  "EXAppExtensionAttributes" => {
    "EXExtensionPointIdentifier" => "com.apple.networkextension.url-filter-control"
  }
  …
}

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Of course the new beta would break the whole thing immediately 😅

Now all I get is

<NEPIRChecker: 0x6a7057180>: -[NEPIRChecker start:responseQueue:completionHandler:] - failed to register with PIR for Group site.kaylees.Wipr2 usecase site.kaylees.Wipr2.url.filtering

even with no errors on the server side.

My kingdom for a flag to ignore the PIR server completely and just “fail closed” on the bloom filter. Why do we even need to register with the server in order to enable a “fail closed” filter? I see that pirSkipRegistration flag in the logs, can we have it please? 😬

Or like a normal API with a JSON file like Content Blockers and regex and bundle ID filtering, but I guess that’s asking too much 😬

Of course the new beta would break the whole thing immediately

So lemme see if I understand this problem:

• Your app on TestFlight works on iOS 26.3.
• But fails with that error an iOS 26.4b3.

Is that right?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"