I want to build a macOS app that filters specific network requests so I need to add the NetworkExtensions capability. But after I add a NetworkExtensions capability, I get the following message:
Your development team, "Potato Dev2", does not support the Network Extensions capability.
Image of where the above message is from: https://i.stack.imgur.com/H46gE.png
From Apple's documentation on "Adding Capabilities to Your App":
The platform, and whether you're a member of the Apple Developer Program, may limit the capabilities available to your app
The documentation doesn't explicitly say which capabilities require being a part of the Apple Developer Program. I also don't see why I'd need to be a part of the Apple Developer Program to write software on and for my own computer. Note that, at least to my knowledge, the NetworkExtensions capability does not depend on any service from Apple (as opposed to HealthKit or Game Center).
So is there a way to add a Network Extensions capability to a macOS app without joining the Apple Developer Program?
You should be able to do it if you disable system integrity protection (SIP) on your Mac (csrutil disable in the Terminal in the macOS Recovery Environment), and disable amfid's entitlements check by adding amfi_get_out_of_my_way=1 to the kernel's command line arguments. (Again in the recovery environment, nvram boot-args='amfi_get_out_of_my_way=1')
You will need to bypass Xcode when code signing and use the codesign command directly because Xcode performs the provisioning profile entitlements check, as you noticed. codesign itself does not perform this check.
This works for basically allowing just about anything to do with DriverKit system extensions, so I'd expect it to work with Network System Extensions as well.
I figured out the answer to my question: to write macOS software that uses the NetworkExtension APIs, you must be a member of the Apple Developer Program ($100/year). See https://developer.apple.com/support/app-capabilities/ for details.
Related
How to run un-signed System Extensions in OSX catalina?
I'm trying to load SimpleFirewall which is a system extension given by apple, ment to demonstrate packet filtering capabilities.
The project compiles, but I get this error during run:
OSSystemExtensionErrorDomain error 8
Looked it up, it means -
Invalid code signature or missing entitlements
I have SIP disabled, and turned off code signing in the xcode project.. what else can I do to have this run? I dont have a developer ID.. just testing the code..
As per Eskimo answer on Apple Developer Forums you might additionally to
disabling SIP and
enabling SYSX developer mode (systemextensionsctl developer on)
need to disable AMFI:
nvram boot-args="amfi_get_out_of_my_way=0x1”
This has to be done in the cmd from the Recovery Mode.
AFAIK you only need to do it, if you don't have a developer provisioning profile with com.apple.developer.endpoint-security.client entitlement.
Apple's Documentation on 'Debugging and Testing System Extensions' has some information on this subject.
In theory, disabling SIP should take care of the signing requirements. You may still need to sign the extension with a free Mac Developer certificate so that the entitlements can be embedded.
Are you trying to use the extension from outside an app? If so, the command
systemextensionsctl developer on
Should help.
I have a same issue with #tuti.
I am testing a hello world System Extension base on Driver Kit. I am using free developer account, Mac mini Catatila, Xcode 11 to development.
In my Xcode, I setting to don't sign my code for both application and system extension. I am also disable SIP and run command "systemextensionsctl developer on".
But when I load my system extension from Swift application, it still show me the log "The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 8.)". When I look up the error 8, it means invalid signature. But in my computer, I can load an unsigned Kernel extension normally.
So, I don't know why? I think the OS still check code signing for system extension regardless I disable SIP.
Is there a method that would allow the creation of custom apple .pkg files that could be generated on the fly that is compatible with the new signing/notarization processes? Is there a recommended apple method?
Currently, I am able to change the post/preinstall scripts and repackage my pkg file with xar on linux.
With the new notarization process, I run into a couple of problems.
It takes quite a while to notarize a package.
I cannot run the notarization tools from linux and apple does not allow virtualized osx instances.
I haven't see a non-macOS tool for notarization submission. Though, there's not much for codesigning either. (Do you have a cross platform codesign tool?)
But... Do you need to notarize? Or sign at all? As I understand it, at least for now, those requirements only apple for files with the gatekeeper quarantine attribute set. (And probably kernel extensions)
If you're re-creating pkgs, are you doing it on the endpoints where you could remove the quarantine bit?
Also not quite the same, but if you wanted to pay money there is fairly inexpensive hosted apple machines. (I use some of those for my codesigning pipeline, for just this reason)
I'm having some serious trouble signing an application for ad-hoc distribution. Is it possible to distribute an app with the following requirements?:
Does not require tester to provide UUID up front
Outside app store
Utilizes entitlements such as VPN or Keychain Sharing
I ask because exporting without signing (Organizer (select archive) > Export > Export as Mac Application) fails with "embedded provisioning profile not valid: ..." on some devices. It appears to work on others though.
Thank you!
If you're trying to use the NetworkExtension framework (which I'm assuming because you tagged your question with nevpnmanager,) unfortunately that's only available in App Store apps.
I know this because I asked Apple. I was trying to make a non App Store NEVPN app, but no dice. Quinn from Developer Tech Support told me the NEVPN stuff is only available for App Store apps, and that I should file a bug report (which I think I did.)
I have a Cocoa Mac App that I don't know if it will on the Mac AppStore.
The application is still in development, and I want few persons to be able to launch it on their devices while the app gets new features.
The situation is the following :
I have a Mac Developer Certificate
Devices are registered in the Mac Member Center.
Every time they launch the app, GateKeeper complain the app doesn't come from the Mac AppStore, nor is provided by a identified developer, no matter if I sign the app or not.
So I tried to sign it and a provisioning profile is embedded into the app. If I don't sign it nothing embedded.
I should mention that the app has a Spotlight importer and QuickLook generator bundled into it.
I didn't find any clear explanation on how to resolve this issue in the Apple documentation, and most (if not all) blog posts, or articles on the Internet are about iPhone apps, not Mac ones (the process/requirements seems to be different on the two platforms).
The documentation is unclear on if all testers should be team members (which seems crazy because some of them aren't developers and don't have Xcode installed).
Can someone provide a clear step-by-step explanation on how to do that ?
Or maybe a article/blog post link or tips ?
Edit :
Here are screenshots of the app bundle structure and plug-in structure :
Everything seems to be right.
The way I obtained that is : I didn't set "Code Signing Identity" build setting, but rather archived the app, and exported it specifying code signing identity at that time.
Edit :
More and more curious, when I run codesign command in the terminal, codesign -vvv MyApp.app, the output tends to suggests that all is rightly done :
MyApp.app: valid on disk
MyApp.app: satisfies its Designated Requirement
Interpreting this question as essentially:
"how do I beta test Mac App Store apps" ?
Apple hasn't yet published an official workflow in the App Distribution Guide, but the following process works:
Tester sends "System Information utility > Hardware tab > Hardware UUID" to developer
Developer updates dev provisioning profile to include the hardware UUID
Developer uses Xcode Organizer Archives tab, Distribute > "Save as Mac Application", then select the updated development signing identity.
Developer sends newly built app to the tester
Note: The development identities have yellow caution ! icons during the re-signing process but they can still be used.
Not only does this avoid the GateKeeper prompt, but the development provisioning profile is also needed for any store technologies you might be using to work during testing, e.g. iCloud, GameCenter, etc.
In Xcode 4, there is a Myproject.entitlements file.
What's it for?
In general, what are the "entitlements"? What are they for?
It's related to iCloud and push notifications (on iOS and Mac OS X) and the App Sandbox feature (in OS X only).
There is more information in Entitlement Key Reference. App Sandbox is documented in App Sandbox Design Guide:
An app that is not sandboxed has access to all user-accessible system
resources—including the built-in camera and microphone, network
sockets, printing, and most of the file system. If successfully
attacked by malicious code, such an app becomes a hostile agent with
wide-ranging potential to inflict harm.
When you enable App Sandbox for your app, you remove all but a minimal
set of privileges and then deliberately restore them, one-by-one,
using entitlements. An entitlement is a key-value pair that identifies
a specific capability, such as the capability to open an outbound
network socket.