App Extension Network Extension - failed to start, signature check failed

Howdy,

I've been developing a packet tunnel extension meant to run on iOS and macOS. For development I'm using xcodegen + xcodebuild to assemble a bunch of Swift and Rust code together.

I'm moving from direct TUN device management on Mac to shipping a Network Extension (appex). With that move I noticed that on some Mac laptops the NE fails to start completely, whilst on others everything works fine.

I'm using CODE_SIGN_STYLE: Automatic, the Apple IDs are within the same team, and all devices are registered as dev devices. Signing uses development certificates managed by Xcode.

Some suspicious logs:

(NetworkExtension) [com.apple.networkextension:] Signature check failed: code failed to satisfy specified code requirement(s)
...
(NetworkExtension) [com.apple.networkextension:] Provider is not signed with a Developer ID certificate

What could be the issue? Where might those inconsistencies across devices come from?

App is not sandboxed, NE is sandboxed. Network extension entitlements (packet-tunnel) are specified for both targets.

The first thing to rule out is the device not actually being included in the profile. Do this:

  1. Dump the profile of the app:

    % security cms -D -i MyApp.app/Contents/embedded.provisionprofile 
    
  2. Dump the profile of the provider:

    % security cms -D -i MyApp.app/Contents/PlugIns/MyAppEx.appex/Contents/embedded.provisionprofile
    
  3. Check that the ProvisionedDevices lists match.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
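The three steps above, as an added example that is not part of the thread or of any Apple tooling: a small Python script that decodes both embedded profiles with the same `security cms -D -i` command Quinn gives, extracts `ProvisionedDevices`, diffs the two lists, and checks whether a given Provisioning UDID appears in both. The bundle name `MyApp.app`, the appex name, the team ID `ABCDE12345` and the `UDID-A`/`UDID-B` values are assumptions, and the two sample profiles are constructed stand-ins for the decoded plist so the comparison logic can be exercised off a Mac.

```python
"""Added example: compare ProvisionedDevices in an app's and its appex's
embedded.provisionprofile (decoded with `security cms -D -i`)."""
import plistlib
import subprocess
import sys
from pathlib import Path


def decode_profile(profile_path):
    """Decode a CMS-wrapped .provisionprofile into plist bytes (macOS only)."""
    result = subprocess.run(
        ["security", "cms", "-D", "-i", str(profile_path)],
        check=True, capture_output=True,
    )
    return result.stdout


def parse_profile(plist_bytes):
    """Pull out the fields that matter when a device is missing from a profile."""
    plist = plistlib.loads(plist_bytes)
    entitlements = plist.get("Entitlements", {})
    return {
        "name": plist.get("Name"),
        "app_id": entitlements.get("application-identifier"),
        "team_ids": list(plist.get("TeamIdentifier", [])),
        "devices": set(plist.get("ProvisionedDevices", [])),
        "expires": plist.get("ExpirationDate"),
    }


def compare_devices(app_profile, appex_profile):
    """Step 3: report devices that one profile lists and the other does not."""
    only_app = app_profile["devices"] - appex_profile["devices"]
    only_appex = appex_profile["devices"] - app_profile["devices"]
    return {
        "match": not only_app and not only_appex,
        "only_in_app": sorted(only_app),
        "only_in_appex": sorted(only_appex),
    }


def device_covered(udid, *profiles):
    """True only if every given profile lists this Provisioning UDID."""
    return all(udid in p["devices"] for p in profiles)


def check_bundle(app_bundle):
    """Steps 1-3 against a built .app: decode the app profile, then every appex's."""
    app_bundle = Path(app_bundle)
    app_profile = parse_profile(
        decode_profile(app_bundle / "Contents" / "embedded.provisionprofile"))
    results = {}
    for appex in (app_bundle / "Contents" / "PlugIns").glob("*.appex"):
        appex_profile = parse_profile(
            decode_profile(appex / "Contents" / "embedded.provisionprofile"))
        results[appex.name] = compare_devices(app_profile, appex_profile)
    return results


def _sample_profile(name, bundle_id, devices):
    """Constructed stand-in for `security cms -D` output; not a real profile."""
    return plistlib.dumps({
        "Name": name,
        "TeamIdentifier": ["ABCDE12345"],              # assumed team ID
        "Entitlements": {"application-identifier": "ABCDE12345." + bundle_id},
        "ProvisionedDevices": devices,                 # assumed UDIDs
    })


# Constructed sample data: the appex profile is missing UDID-B.
SAMPLE_APP = _sample_profile("Dev App", "com.example.MyApp", ["UDID-A", "UDID-B"])
SAMPLE_APPEX = _sample_profile("Dev Appex", "com.example.MyApp.MyAppEx", ["UDID-A"])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run on macOS: python3 check_profiles.py MyApp.app
        for name, diff in check_bundle(sys.argv[1]).items():
            print(name, diff)
    else:
        app, appex = parse_profile(SAMPLE_APP), parse_profile(SAMPLE_APPEX)
        print(compare_devices(app, appex))
        print("UDID-B covered:", device_covered("UDID-B", app, appex))
```

When run on a Mac against a built `.app`, a non-empty `only_in_app` or `only_in_appex` list is exactly the mismatch Quinn's step 3 is looking for; the UDID to pass to `device_covered` is the Provisioning UDID shown under Hardware in System Information on the failing machine.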

The failing device is mentioned in the provisioning profiles for both the app and the appex (matching Provisioning UDID).

This log also appears on another device where everything's fine, not sure if it's relevant or what to make of it:

(NetworkExtension) [com.apple.networkextension:] Provider is not signed with a Developer ID certificate

For now I'm assuming it's just noise and the true issue is in signature validation or something else.

Noticed an interesting thing: if I try to run the .app built and signed on the failing device after allowing it via security settings ("Open Anyway") and removing quarantine, then the NE gets registered and also starts successfully.

I also compared entitlements, signatures and provisioning profiles for both the app and the appex. They all seem to match for the .app bundles built on both devices.
