How to run un-signed System Extensions in OSX catalina? - macos

I'm trying to load SimpleFirewall, which is a system extension given by Apple, meant to demonstrate packet filtering capabilities.
The project compiles, but I get this error at run time:
OSSystemExtensionErrorDomain error 8
I looked it up; it means:
Invalid code signature or missing entitlements
I have SIP disabled and turned off code signing in the Xcode project. What else can I do to have this run? I don't have a Developer ID; I'm just testing the code.

As per Eskimo's answer on the Apple Developer Forums, in addition to
disabling SIP and
enabling SYSX developer mode (systemextensionsctl developer on)
you may need to disable AMFI:
nvram boot-args="amfi_get_out_of_my_way=0x1"
This has to be done from the command line in Recovery Mode.
AFAIK you only need to do this if you don't have a developer provisioning profile with the com.apple.developer.endpoint-security.client entitlement.
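The three settings this answer touches (SIP, system extension developer mode, and the amfi_get_out_of_my_way boot-arg) are worth auditing, both before testing and for checking afterwards that a test Mac has been put back. The following shell script is an added example, not code from the original thread. The parsing functions take command output as a string, so they run on any POSIX shell against the constructed samples embedded below; the real tools are invoked only where they exist (macOS). The exact wording of `systemextensionsctl developer` output ("developer mode is on/off") is an assumption.

```shell
#!/bin/sh
# Added example: audit the three protections the answer above relaxes.
# Each check takes the captured output of one command as its argument.

# Return 0 (true) if `csrutil status` output reports SIP disabled.
sip_disabled() {
    printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: disabled'
}

# Return 0 if `systemextensionsctl developer` output reports developer mode on
# (assumed output format: "developer mode is on" / "developer mode is off").
sysx_developer_mode_on() {
    printf '%s\n' "$1" | grep -qi 'developer mode is on'
}

# Return 0 if `nvram boot-args` output carries amfi_get_out_of_my_way with a
# non-zero value; an explicit "=0" or "=0x0" does not count as relaxed.
amfi_relaxed() {
    val=$(printf '%s\n' "$1" | sed -n 's/.*amfi_get_out_of_my_way=\([^ ]*\).*/\1/p')
    [ -n "$val" ] || return 1
    case "$val" in
        0|0x0) return 1 ;;
        *)     return 0 ;;
    esac
}

# Print one line per protection and echo how many are relaxed (0..3).
posture_report() {
    n=0
    if sip_disabled "$1"; then echo "WARN: SIP disabled"; n=$((n + 1)); else echo "ok:   SIP enabled"; fi
    if sysx_developer_mode_on "$2"; then echo "WARN: sysext developer mode on"; n=$((n + 1)); else echo "ok:   sysext developer mode off"; fi
    if amfi_relaxed "$3"; then echo "WARN: AMFI entitlement check disabled via boot-args"; n=$((n + 1)); else echo "ok:   AMFI boot-arg not set"; fi
    echo "$n"
}

# Same count without the report lines, for scripting.
relaxed_count() {
    posture_report "$1" "$2" "$3" | tail -n 1
}

# Constructed sample outputs (not captured from a real Mac) showing a fully
# relaxed test machine; nvram separates name and value with a tab.
SAMPLE_CSRUTIL='System Integrity Protection status: disabled.'
SAMPLE_SYSX='developer mode is on'
SAMPLE_BOOTARGS=$(printf 'boot-args\tamfi_get_out_of_my_way=0x1')

echo "--- constructed sample ---"
posture_report "$SAMPLE_CSRUTIL" "$SAMPLE_SYSX" "$SAMPLE_BOOTARGS"

# On a Mac, audit the live system instead of the sample.
if command -v csrutil >/dev/null 2>&1 && command -v systemextensionsctl >/dev/null 2>&1; then
    echo "--- this machine ---"
    posture_report "$(csrutil status 2>/dev/null)" \
                   "$(systemextensionsctl developer 2>/dev/null)" \
                   "$(nvram boot-args 2>/dev/null)"
fi
```

Run it as `sh audit.sh`; on macOS the second block reports the live state, and `relaxed_count` can gate a CI or MDM check (anything other than 0 on a machine that is not a dedicated test box deserves a look).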

Apple's documentation on 'Debugging and Testing System Extensions' has some information on this subject.
In theory, disabling SIP should take care of the signing requirements. You may still need to sign the extension with a free Mac Developer certificate so that the entitlements can be embedded.
Are you trying to use the extension from outside an app? If so, the command
systemextensionsctl developer on
should help.

I have the same issue as #tuti.
I am testing a hello-world System Extension based on DriverKit. I am using a free developer account, a Mac mini running Catalina, and Xcode 11 for development.
In Xcode, I set it not to sign my code for both the application and the system extension. I also disabled SIP and ran the command "systemextensionsctl developer on".
But when I load my system extension from a Swift application, it still shows me the log "The operation couldn't be completed. (OSSystemExtensionErrorDomain error 8.)". When I look up error 8, it means invalid signature. But on my computer, I can load an unsigned kernel extension normally.
So I don't know why. I think the OS still checks code signing for system extensions regardless of my disabling SIP.

Related

How to get macos app signing set up for packages

I am new to macOS development and am having a terrible time trying to get my code signed. The documentation to me seems to be horrible.
My specific situation...
I am building a cross-platform app that runs on Linux, Windows, macOS and eventually iOS and Android.
It is a console app that runs as a service or LaunchDaemon.
It has a UI served by WebView, HTTP, or console commands depending on the scenario.
It is built with Go 17 in VS Code.
I am not using Xcode other than the command line tools.
My goal on macOS is to distribute it as a package (pkg) and not as an app.
I have been using MunkiPkg to build it.
I am hung up on understanding how the various certificates need to be set up. I have not been able to get a successfully signed package notarized.
Can someone please point me to some documentation that explains how my scenario works? Most of what I found requires it to be built in Xcode. And the Apple docs seem mostly to focus on how great their tools are without actually explaining how to use them.
Help!

Is there a way to add the Network Extensions capability to a macOS app without joining the Apple Developer Program?

I want to build a macOS app that filters specific network requests so I need to add the NetworkExtensions capability. But after I add a NetworkExtensions capability, I get the following message:
Your development team, "Potato Dev2", does not support the Network Extensions capability.
Image of where the above message is from: https://i.stack.imgur.com/H46gE.png
From Apple's documentation on "Adding Capabilities to Your App":
The platform, and whether you're a member of the Apple Developer Program, may limit the capabilities available to your app
The documentation doesn't explicitly say which capabilities require being a part of the Apple Developer Program. I also don't see why I'd need to be a part of the Apple Developer Program to write software on and for my own computer. Note that, at least to my knowledge, the NetworkExtensions capability does not depend on any service from Apple (as opposed to HealthKit or Game Center).
So is there a way to add a Network Extensions capability to a macOS app without joining the Apple Developer Program?
You should be able to do it if you disable System Integrity Protection (SIP) on your Mac (csrutil disable in the Terminal in the macOS Recovery environment), and disable amfid's entitlements check by adding amfi_get_out_of_my_way=1 to the kernel's command line arguments (again in the Recovery environment: nvram boot-args='amfi_get_out_of_my_way=1').
You will need to bypass Xcode when code signing and use the codesign command directly because Xcode performs the provisioning profile entitlements check, as you noticed. codesign itself does not perform this check.
This works for basically allowing just about anything to do with DriverKit system extensions, so I'd expect it to work with Network System Extensions as well.
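The step of bypassing Xcode and running codesign directly, as an added shell example (not code from the original thread): it writes an entitlements plist, signs a bundle with it using the ad-hoc identity `-` (so no Developer ID is involved), then reads the entitlements back out of the signature and checks each one is present, plus the same `codesign -vvv` verification that appears later on this page. The bundle path, the entitlement keys passed in, and the Catalina-era `codesign -d --entitlements :-` output format (a short binary header followed by the XML) are assumptions; the signing step runs only where codesign exists. Signing this way still needs the SIP and AMFI changes described above for the system to accept the extension; this script does not perform those.

```shell
#!/bin/sh
# Added example: explicit entitlements via codesign, then verify they landed.

# Print an entitlements plist granting each key given as an argument as <true/>.
entitlements_plist() {
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0">' \
        '<dict>'
    for key in "$@"; do
        printf '    <key>%s</key>\n    <true/>\n' "$key"
    done
    printf '%s\n' '</dict>' '</plist>'
}

# Return 0 if the plist text in $1 has entitlement $2 set to <true/>.
# Line based, so the binary blob header that precedes the XML when the
# entitlements are read back from a signature does not get in the way.
has_entitlement() {
    printf '%s\n' "$1" | awk -v key="<key>$2</key>" '
        prev_was_key && /<true\/>/ { ok = 1 }
        { prev_was_key = (index($0, key) > 0) }
        END { exit ok ? 0 : 1 }'
}

# Sign $1 (an .app or .systemextension bundle path, assumed) with the
# entitlements named by the remaining arguments, then verify.
sign_and_check() {
    app=$1; shift
    ent="${TMPDIR:-/tmp}/entitlements.$$.plist"
    entitlements_plist "$@" > "$ent"

    # "-" is the ad-hoc identity; substitute a certificate name to use one.
    codesign --force --sign - --entitlements "$ent" "$app" || { rm -f "$ent"; return 1; }
    rm -f "$ent"

    # Structural check: valid on disk / satisfies its Designated Requirement.
    codesign -vvv "$app" || return 1

    # Read the embedded entitlements back and confirm each requested key.
    signed=$(codesign -d --entitlements :- "$app" 2>/dev/null)
    for key in "$@"; do
        if has_entitlement "$signed" "$key"; then
            echo "present: $key"
        else
            echo "MISSING: $key" >&2
            return 1
        fi
    done
}

# Usage: sh sign.sh /path/to/Bundle.app   (runs only on macOS with a bundle given)
if command -v codesign >/dev/null 2>&1 && [ -d "${1:-}" ]; then
    sign_and_check "$1" com.apple.developer.endpoint-security.client
fi
```

Reading the entitlements back is the part that matters: a signature can be perfectly valid and still carry an empty entitlements dictionary, which produces the same error 8 the thread is about.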
I figured out the answer to my question: to write macOS software that uses the NetworkExtension APIs, you must be a member of the Apple Developer Program ($100/year). See https://developer.apple.com/support/app-capabilities/ for details.

Testing a Mac App on Registered Devices

I have a Cocoa Mac app, and I don't know yet whether it will be on the Mac App Store.
The application is still in development, and I want a few people to be able to launch it on their devices while the app gets new features.
The situation is the following:
I have a Mac Developer certificate.
Devices are registered in the Mac Member Center.
Every time they launch the app, Gatekeeper complains that the app doesn't come from the Mac App Store, nor is provided by an identified developer, no matter whether I sign the app or not.
So I tried to sign it, and a provisioning profile is embedded into the app. If I don't sign it, nothing is embedded.
I should mention that the app has a Spotlight importer and a QuickLook generator bundled into it.
I didn't find any clear explanation of how to resolve this issue in the Apple documentation, and most (if not all) blog posts or articles on the Internet are about iPhone apps, not Mac ones (the process/requirements seem to be different on the two platforms).
The documentation is unclear on whether all testers should be team members (which seems crazy because some of them aren't developers and don't have Xcode installed).
Can someone provide a clear step-by-step explanation of how to do that?
Or maybe an article/blog post link or tips?
Edit :
Here are screenshots of the app bundle structure and plug-in structure :
Everything seems to be right.
The way I obtained that is: I didn't set the "Code Signing Identity" build setting, but rather archived the app and exported it, specifying the code signing identity at that time.
Edit :
More and more curious: when I run the codesign command in the terminal, codesign -vvv MyApp.app, the output tends to suggest that all is done correctly:
MyApp.app: valid on disk
MyApp.app: satisfies its Designated Requirement
Interpreting this question as essentially:
"how do I beta test Mac App Store apps?"
Apple hasn't yet published an official workflow in the App Distribution Guide, but the following process works:
Tester sends "System Information utility > Hardware tab > Hardware UUID" to developer
Developer updates dev provisioning profile to include the hardware UUID
Developer uses the Xcode Organizer Archives tab, Distribute > "Save as Mac Application", then selects the updated development signing identity.
Developer sends the newly built app to the tester.
Note: The development identities have yellow caution (!) icons during the re-signing process, but they can still be used.
Not only does this avoid the GateKeeper prompt, but the development provisioning profile is also needed for any store technologies you might be using to work during testing, e.g. iCloud, GameCenter, etc.

Xcode 4.3.2 and iOS 5.1.1 + jailbreak: App installs but crash on launch

I don't have the Apple 79€/year account. In iOS 5.0 and Xcode 4.2.1 I changed SDKSettings.plist etc. and it worked. In iOS 5.1.1 and Xcode 4.3.2 it doesn't: I already changed the settings etc. but it doesn't work; the app installs on the device but crashes on launch. How can I run my app on the device without crashes? Thanks, and sorry for my English.
I have had this issue before on a jailbroken device. You have a few solutions depending on the exact issue. First, you can install AppSync in order to allow unsigned code to work on your device if you are not using a valid code signing identity. The second option is to actually get a valid code signing identity along with the provisioning profile so you can run the application correctly. This involves paying for the developer program, so this may not be the best option.
Last is a very common issue with jailbroken devices, which is that you will receive an error such as "failed to get the task for process xxxxx". This tends to happen a lot with jailbroken devices. This is because Xcode notices you are not using a provisioning profile, which is required to report error logs. All you have to do is launch the application again on the device and everything should work.
This is just Xcode not being able to fully launch your application because of the missing provisioning profile, so it results in a crash. If none of these solutions solve your problem, please post a more detailed explanation of the issue you are having.

Is configuring entitlements for Mac App Store application a must?

I am going to submit my application for Mac App Store, and I am confused about enabling entitlements.
In the Apple developer guide for configuring your app for the Mac App Store, it does not say whether it is required or just better to do it.
I am not using iCloud or push notifications (and they are not enabled in my App ID).
I am not going to enable Sandboxing before the 1st of March.
I sign my executable with the appropriate Apple Application certificate and my installer with the Installer certificate.
I am following the File-System Usage Requirements for the Mac App Store guidelines.
Last time my binary was accepted, but the application was rejected in review due to some other violation.
My question is: will my app get rejected if I do not check the Enable Entitlements checkbox in Xcode? If I enable it, the second option is whether I want to enable Sandbox, which I do not, so it seems irrelevant.
I found this answer, which says it's not required, but it's for iOS.
Can someone confirm?
Thanks in advance.
No, it is not needed. My app was approved without enabling entitlements. But it will be needed once I start using push notifications, sandboxing, or iCloud.
