3

How to run unsigned System Extensions in OSX Catalina?

I'm trying to load SimpleFirewall, which is a system extension given by Apple, meant to demonstrate packet filtering capabilities.

The project compiles, but I get this error during run:

OSSystemExtensionErrorDomain error 8

Looked it up, it means -

Invalid code signature or missing entitlements

I have SIP disabled, and turned off code signing in the Xcode project. What else can I do to have this run? I don't have a developer ID, I'm just testing the code.

toti
  • Have you seen [this developer forums post](https://forums.developer.apple.com/thread/122059) on the subject? – pmdj Mar 14 '20 at 10:09
  • I have but is buying a developer ID really the only way out of this? – toti Mar 14 '20 at 18:23

3 Answers

2

As per Eskimo's answer on the Apple Developer Forums, in addition to

  • disabling SIP and
  • enabling SYSX developer mode (systemextensionsctl developer on)

you might need to disable AMFI:

nvram boot-args="amfi_get_out_of_my_way=0x1"

This has to be done from the command line in Recovery Mode.

AFAIK you only need to do it if you don't have a developer provisioning profile with the com.apple.developer.endpoint-security.client entitlement.

Krzysztow
1

Apple's Documentation on 'Debugging and Testing System Extensions' has some information on this subject.

In theory, disabling SIP should take care of the signing requirements. You may still need to sign the extension with a free Mac Developer certificate so that the entitlements can be embedded.

Are you trying to use the extension from outside an app? If so, the command

systemextensionsctl developer on

should help.

pmdj
  • Thanks, already had that on. How do I set up a FREE dev certificate though? – toti Apr 06 '20 at 16:59
  • @toti You should get a "Mac Developer" certificate if you just log into the developer area with your Apple ID and then add it to the "accounts" section in Xcode's preferences, as far as I'm aware. I'm not *sure* this certificate will let you develop system extensions, but it's worth a try as the documentation suggests this might be possible. – pmdj Apr 06 '20 at 18:32
  • 1
    @toti I've just got this working with a DriverKit based system extension - at least in that case, the problem was that Xcode was complaining about the entitlements of the extension not matching the signing certificate. Moving the code signing step of the extension's target to a custom script running build phase solved it for me. Signing the main app works fine after creating an App ID on Apple's developer account portal and ticking the "System Extension" box, then generating a development profile and using that for codesigning in Xcode. – pmdj Apr 16 '20 at 14:32
  • @toti so if you're still having trouble with that, please update the question with your code signing settings and entitlements for both extension and app targets, and the error you're currently getting. – pmdj Apr 16 '20 at 14:33
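
Error 8 covers both an invalid signature and missing entitlements, so it helps to check which entitlements actually ended up embedded in each signed bundle. The following is an added example, not code from this thread: it parses the XML plist printed by `codesign -d --entitlements :- <bundle>` and lists what is missing. The required keys and the sample plists are assumptions constructed for a content-filter system extension; adjust them to your own targets.

```python
import plistlib

# Assumed requirements (not from the thread) for a content-filter system
# extension; the thread itself only names
# com.apple.developer.endpoint-security.client, used for Endpoint Security.
APP_REQUIRED = {
    "com.apple.developer.system-extension.install": True,
    "com.apple.developer.networking.networkextension": ["content-filter-provider"],
}

# Constructed sample inputs, shaped like `codesign -d --entitlements :-` output.
SAMPLE_SIGNED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.developer.system-extension.install</key><true/>
<key>com.apple.developer.networking.networkextension</key>
<array><string>content-filter-provider</string></array>
</dict></plist>"""
SAMPLE_NO_NE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.developer.system-extension.install</key><true/>
</dict></plist>"""
SAMPLE_UNSIGNED = b""  # unsigned code carries no entitlements at all


def parse_entitlements(xml_bytes):
    """Return the embedded entitlements as a dict; {} if absent or unparsable."""
    if not xml_bytes or not xml_bytes.strip():
        return {}
    try:
        data = plistlib.loads(xml_bytes.strip())
    except Exception:  # malformed plist: treat as no usable entitlements
        return {}
    return data if isinstance(data, dict) else {}


def missing_entitlements(xml_bytes, required):
    """List required entitlements that are absent or carry the wrong value."""
    have = parse_entitlements(xml_bytes)
    problems = []
    for key, want in required.items():
        got = have.get(key)
        if isinstance(want, list):
            present = got if isinstance(got, list) else []
            lacking = [v for v in want if v not in present]
            if lacking:
                problems.append(f"{key}: missing {lacking}")
        elif got != want:
            problems.append(f"{key}: expected {want!r}, found {got!r}")
    return problems
```

Run it against both the host app and the extension bundle; an empty list for each means the entitlements are embedded, which leaves the signature itself or the provisioning profile as the remaining cause of error 8.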
-1

I have the same issue as @toti. I am testing a hello world System Extension based on Driver Kit. I am using a free developer account, a Mac mini with Catalina, and Xcode 11 for development. In Xcode, I set both the application and the system extension to not sign the code. I also disabled SIP and ran the command "systemextensionsctl developer on". But when I load my system extension from the Swift application, it still shows me the log "The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 8.)". When I look up error 8, it means invalid signature. But on my computer, I can load an unsigned kernel extension normally. So, I don't know why. I think the OS still checks code signing for system extensions even though I disabled SIP.

MacNewbie