Open sam49358 opened 7 months ago
Aloha, Apologies - I haven't had time yet to double check all these steps, but that error indicates that macOS is not happy with the resigned/re-bundled extension 😔
tl;dr I guessing its failing as you don't have the System Extension entitlement?
That error is thrown here: https://github.com/objective-see/LuLu/blob/4136b68d40f01e64d6d9f68f875391782c308e4d/LuLu/App/AppDelegate.m#L162C2-L162C2
The toggleExtension
method can be found here:
https://github.com/objective-see/LuLu/blob/4136b68d40f01e64d6d9f68f875391782c308e4d/LuLu/App/Extension.m#L22
You can see that it just calls into the OSSystemExtensionRequest
/ OSSystemExtensionManager
APIs ...which are the macOS System Extension APIs to activate a system extension.
You can read all about this in a recent talk I gave: https://speakerdeck.com/patrickwardle/nothing-but-net-leveraging-macoss-networking-frameworks-to-heuristically-detect-malware
If I had to guess these macOS APIs are failing as you don't have the necessary "System Extension" entitlement that must be explicty granted to you by Apple:
On Apple developer site, you can find a link to apply for the this entitlement: https://developer.apple.com/contact/request/system-extension/
I'd suggest
Hope this helps ...and I totally feel your pain, re-compiling open-source apps for macOS is next to impossible (because of entitlements, leveraged by Apple): https://twitter.com/patrickwardle/status/1297384808872415234
Thank you for the details! I ended up switching to another OS firewall but will return to LuLu if I run into issues there. I will leave this 'issue' open for future devs that want to try compiling LuLu
Hello o/
I'm reproducing this step-by-step and reach at the same error as @sam49358. When I was creating the identifier, I enable the System Extension, idk if is enough. Also, I tried to turn off the SIP and launch again the application, but error still appear.
Suggestions to just build and test or the only way is ask to Apple for System Entitlement?
Any help would be appreciated @objective-see :).
I have faced the same problems as @sam49358 and I would like to highlight some steps that were missed.
In the LuLu App, along with both targets (LuLu and Extensions), there are some mismatches in build settings in XCode e.g. Product Name. Those values must match your bundle. But these things are not enough to build the application.
I checked the syslogs with log stream --level debug --predicate="subsystem='com.objective-see.lulu'"
and see that this method
request OSSystemExtensionRequest
API with EXT_BUNDLE_ID
const defined in LuLu/Shared/consts.h
.
Therefore, if you are signing the software with your own certificate and bundle, you will need to change all references in LuLu/Shared/consts.h
. Additionally, if the software is not notarized by Apple, you will need to disable SIP.
My solution to this issue is to place the hardcoded code part in a configuration file, which would simplify the process. I will be opening a pull request with the appropriate changes soon."
Sidenote: OP's directions need an update to include making an app group id and associating it with each app id, inter alia
tl;dr look to empty out rg --binary -P 'VBG97UB4TA|com.objective-see.(?!Netiquette)'
(Edit: and maybe git mv Uninstaller/Uninstaller/ConfigFiles/com.objective-see.lulu.plist …
)
As to moving forward, Yeah, as above, the core reported error from sysextd
is
bundle identifier and service path did not match (com.objective-see.lulu.extension !=
$my_registered_app_id
.lulu.extension)
(and systemextensionctl developer on
is no help; I think my SIP and "boot security" stuff is already pretty permissive)
I'm frankly surprised that the notarization servers will return an artifact with that sort of mismatch but c'est la vie
Haven't gotten a green light yet, but think I[^1] should be good next round [EDIT 2: in fact yes; all worked fine / as designed] with changes, as of 2cc936b1763572480db7d08a78920c080caec5a2, as:
$ git diff --stat
LuLu/App/App.entitlements | 2 +-
LuLu/Extension/Extension.entitlements | 2 +-
LuLu/Extension/Info.plist | 2 +-
LuLu/Extension/main.m | 2 +-
LuLu/LuLu.xcodeproj/project.pbxproj | 58 +++++++++++++++++++++++++++++++++++-----------------------
LuLu/Shared/consts.h | 20 ++++++++++----------
Uninstaller/Helper/HelperInterface.m | 4 ++--
Uninstaller/Helper/Info.plist | 4 ++--
Uninstaller/Helper/Launchd.plist | 4 ++--
Uninstaller/Shared/consts.h | 16 ++++++++--------
Uninstaller/Uninstaller.xcodeproj/project.pbxproj | 46 ++++++++++++++++++++++++----------------------
Uninstaller/Uninstaller.xcodeproj/xcshareddata/xcschemes/helper.xcscheme | 6 +++---
Uninstaller/Uninstaller/ConfigFiles/com.objective-see.lulu.plist | 4 ++--
Uninstaller/Uninstaller/Info.plist | 4 ++--
Uninstaller/Uninstaller/Script/configure.sh | 6 +++---
15 files changed, 97 insertions(+), 83 deletions(-)
and for completeness here is:
git commit -am "the changes" && git format-patch HEAD~1 && \<br>
sed -i'' -e "s/${REDACTED_APP_ID_PREFIX}/your.bundle.id/g;s/${REDACTED_TEAM_ID}/UR73AMID/g" ./0001-the-changes.patch <br>
# I have no idea why I'm acting like these are sensitive
# ... but I mean, you definitely don't want mine, they won't work for you
# You probs also don't want my provisioning profile names, "Lilith Lulu App" and "Lilith Lulu Extension",
#nor the couple "Donald Guy"s that replaced "Objective See, LLC"s but I'm too lazy to remove those
[^1]: probs-overkill-having not just registered $(TeamIdentifierPrefix)com.objective-see.lulu
but rather a whole different reverse-domain bundle ID - thinking, without evidence, apple would balk if left as is); and also chasing things that maybe aren't needed-to-make like the launchd plist names, etc. )
If you are _only_ aiming to wipe out the `VBG97UB4TA` of it all there are only 16 of those.
Notes:
Step-By-Step:
Currently blocked at this step and not sure how to move forward. Any help would be appreciated @objective-see