Reply to `sysextd` rejects new `NEFilterDataProvider` activation with "no policy" on macOS 26 — despite valid Developer ID + notarization
I'm hitting the identical issue with a NEPacketTunnelProvider system extension on macOS 26.2 (25C56), Apple M1 Pro, Xcode 26.4. Developer ID signed, app in /Applications, no quarantine, no MDM.

Context: I'm building a WireGuard-based VPN client. The app was previously working as an app extension (.appex with packet-tunnel-provider entitlement). I migrated to the system extension model for Developer ID distribution — .systemextension bundle in Contents/Library/SystemExtensions/, CFBundlePackageType SYSX, Mach-O MH_EXECUTE, NEProviderClasses in Info.plist, systemextensionsctl developer on.

I've verified:

- App runs from /Applications (confirmed via ps aux)
- No com.apple.quarantine xattr
- Developer ID Application signing on both app and extension, same certificate, same team (verified via codesign -dvvv)
- Correct entitlements: com.apple.developer.system-extension.install on host app, packet-tunnel-provider-systemextension on both
- embedded.provisionprofile present in both app and extension
- PkgInfo contains SYSX
- Tested with both debug builds copied to /Applications and archived + exported Developer ID builds
- No nesessionmanager crash reports in DiagnosticReports

The sysextd logs are identical to yours:

```
sysextd: [com.apple.sx:XPC] client activation request for com.avd.wireguard.network-extension
sysextd: attempting to realize extension with identifier com.avd.wireguard.network-extension
[SecKeyVerifySignature x2, SecTrustEvaluateIfNecessary x2 — all pass]
sysextd: no policy, cannot allow apps outside /Applications
sysextd: [com.apple.sx:XPC] client connection (pid XXXXX) invalidated
```

The activation never advances past the realize phase — no staging, no validating_by_category. The extension never appears in systemextensionsctl list. The app receives OSSystemExtensionError code 4 (extensionNotFound).

This is a fresh system extension identifier that has never been activated on this machine before, which matches your observation that pre-existing activations from earlier macOS versions continue to work. I'd appreciate any update on whether this has been confirmed as a Tahoe regression. Happy to provide a sysdiagnose or a minimal reproducer project.
3w
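
Added example, not part of the post above and not Apple tooling: a Python triage pass that groups `sysextd` log lines into activation attempts and flags the pattern the post describes (realize, then a "no policy" rejection, with no later phase). The sample log reuses the message text quoted in the post with a constructed pid; matching `staging` and `validating_by_category` as plain substrings of later lines is an assumption about how those phases are logged.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: message text is quoted from the post, the pid is made up.
SAMPLE_LOG = """\
sysextd: [com.apple.sx:XPC] client activation request for com.avd.wireguard.network-extension
sysextd: attempting to realize extension with identifier com.avd.wireguard.network-extension
sysextd: no policy, cannot allow apps outside /Applications
sysextd: [com.apple.sx:XPC] client connection (pid 4242) invalidated
"""

REQUEST = re.compile(r"client activation request for (\S+)")
REALIZE = re.compile(r"attempting to realize extension with identifier (\S+)")
REJECT = re.compile(r"sysextd: (no policy.*)$")
INVALIDATED = re.compile(r"client connection \(pid \w+\) invalidated")
# Phase names the post says never show up when activation stalls.
# Assumption: later sysextd lines contain these names verbatim.
LATER_PHASES = ("staging", "validating_by_category")

@dataclass
class Attempt:
    identifier: str
    realized: bool = False
    rejection: Optional[str] = None
    later_phases: list = field(default_factory=list)
    closed: bool = False

    @property
    def stalled_at_realize(self) -> bool:
        return self.realized and self.rejection is not None and not self.later_phases

def triage(log_text: str) -> list:
    """Group sysextd lines into activation attempts, one per request line."""
    attempts, current = [], None
    for line in log_text.splitlines():
        if m := REQUEST.search(line):
            current = Attempt(m.group(1))
            attempts.append(current)
        elif current is None or current.closed:
            continue  # line does not belong to an open attempt
        elif (m := REALIZE.search(line)) and m.group(1) == current.identifier:
            current.realized = True
        elif m := REJECT.search(line):
            current.rejection = m.group(1)
        elif INVALIDATED.search(line):
            current.closed = True  # client connection torn down
        else:
            current.later_phases += [p for p in LATER_PHASES if p in line]
    return attempts
```

Feeding it exported `sysextd` log text, one message per line, gives one `Attempt` per activation request; `stalled_at_realize` is true only for requests that were rejected before any later phase was logged.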