Reply to packet-tunnel-provider-systemextension doesn't work
automation package installer script I'm using looks like this:

```bash
set -euo pipefail

APP_NAME="Runetale.app"
APP_BUNDLE="build/macos/Build/Products/Release/${APP_NAME}"
DEV_ID_APP_CERT="Developer ID Application: MYTEAMID"
DEV_ID_INSTALLER_CERT="Developer ID Installer: MYTEAMID"
APP_VERSION="1.0.0"
APP_BUNDLE_ID="com.runetale.desktop"

# Apple credentials for notarization
APPLE_ID=""
TEAM_ID=""
APP_SPECIFIC_PW=""

# clean and build
rm -rf build
flutter clean
flutter build macos --release

# Ensure the app exists
if [ ! -d "$APP_BUNDLE" ]; then
  echo "Error: $APP_BUNDLE not found. Make sure the app bundle is present."
  exit 1
fi

echo "Starting code signing for $APP_BUNDLE..."

# copy Runetale.app
codesign -d -vvv build/macos/Build/Products/Release/Runetale.app
ditto $APP_BUNDLE $APP_NAME

# copy entitlements
codesign -d --entitlements Release.entitlements --xml Runetale.app
codesign -d --entitlements PacketTunnelRelease.entitlements --xml Runetale.app/Contents/Library/SystemExtensions/com.runetale.desktop.PacketTunnel.systemextension
plutil -convert xml1 PacketTunnelRelease.entitlements
plutil -convert xml1 Release.entitlements
cat PacketTunnelRelease.entitlements
cat Release.entitlements

## IMPORTANT: https://developer.apple.com/forums/thread/737894
# added -systemextension suffix for network extension
echo "Adding both entitlements to -systemextension..."
update_entitlement_file() {
  local file="$1"
  local target="packet-tunnel-provider-systemextension"
  local original="packet-tunnel-provider"

  echo "Checking $file..."
  if grep -q "$target" "$file"; then
    echo " -> $file already contains $target, skipping replacement."
  elif grep -q "$original" "$file"; then
    echo " -> Replacing $original with $target in $file..."
    sed -i '' "s/$original/$target/g" "$file"
    echo " -> Replaced $original with $target"
  else
    echo " -> No network extension value to update."
  fi

  if grep -q "<key>com.apple.security.get-task-allow</key>" "$file"; then
    echo " -> Removing com.apple.security.get-task-allow block..."
    sed -i '' '/<key>com.apple.security.get-task-allow<\/key>/{
N
/<true\/>/d
}' "$file"
    sed -i '' '/^[[:space:]]*$/d' "$file"
    echo " -> Removed com.apple.security.get-task-allow"
  else
    echo " -> get-task-allow not found."
  fi
}

update_entitlement_file "Release.entitlements"
update_entitlement_file "PacketTunnelRelease.entitlements"

echo "Moving provisionprofile..."
# copy provisioning profile
cp Runetale_Release.provisionprofile Runetale.app/Contents/embedded.provisionprofile
cp Runetale_Desktop_PacketTunnel_Profile.provisionprofile Runetale.app/Contents/Library/SystemExtensions/com.runetale.desktop.PacketTunnel.systemextension/Contents/embedded.provisionprofile

# signing PacketTunnel and App
echo "CodeSigning Runetale App with entitlements..."
codesign -s "$DEV_ID_APP_CERT" -f --entitlements Release.entitlements --timestamp -o runtime Runetale.app/
codesign -s "$DEV_ID_APP_CERT" -f --entitlements PacketTunnelRelease.entitlements --timestamp -o runtime Runetale.app/Contents/Library/SystemExtensions/com.runetale.desktop.PacketTunnel.systemextension

echo "CodeSigning $APP_NAME with Contents, Resources and Frameworks..."
# Contents
if compgen -G "$APP_NAME/Contents/MacOS/*" > /dev/null; then
  for bin in "$APP_NAME/Contents/MacOS/"*; do
    if [ -f "$bin" ]; then
      echo " -> Signing $bin"
      codesign --force --options runtime --timestamp --sign "$DEV_ID_APP_CERT" "$bin"
    fi
  done
fi

# Frameworks
find "$APP_NAME/Contents/Frameworks" -type f -perm +111 -print0 | while IFS= read -r -d '' bin; do
  echo "Signing: $bin"
  codesign --force --timestamp --options runtime --sign "$DEV_ID_APP_CERT" "$bin"
done

# Resources
if [ -f "$APP_NAME/Contents/Resources/runetale" ]; then
  echo " -> Signing Resources/runetale"
  codesign --force --options runtime --timestamp --sign "$DEV_ID_APP_CERT" "$APP_NAME/Contents/Resources/runetale"
fi
if [ -f "$APP_NAME/Contents/Resources/runetaled" ]; then
  echo " -> Signing Resources/runetaled"
  codesign --force --options runtime --timestamp --sign "$DEV_ID_APP_CERT" "$APP_NAME/Contents/Resources/runetaled"
fi

# Runetale
codesign --force --options runtime --timestamp --sign "$DEV_ID_APP_CERT" Runetale.app/Contents/MacOS/Runetale

echo "Building signed installer package..."
# Prepare package root and build the installer .pkg
echo "Preparing pkg root for $APP_BUNDLE..."
PKG_ROOT="pkg-root"
rm -rf "$PKG_ROOT" 2>/dev/null || true
mkdir -p "$PKG_ROOT/Applications"

# Copy the app into the package root
cp -R "$APP_NAME" "$PKG_ROOT/Applications/$APP_NAME"

# Create ComponentPlist and set BundleIsRelocatable to false
pkgbuild --analyze --root $PKG_ROOT RunetaleComponent.plist
/usr/libexec/PlistBuddy -c "Set :0:BundleIsRelocatable false" RunetaleComponent.plist

PKG_NAME="Runetale-"$APP_VERSION"-Installer.pkg"

# Create package installer
pkgbuild --root $PKG_ROOT \
  --component-plist RunetaleComponent.plist \
  --identifier "$APP_BUNDLE_ID" \
  --version "$APP_VERSION" \
  --install-location "/" \
  --sign "$DEV_ID_INSTALLER_CERT" \
  "$PKG_NAME"

# Sign the package
INSTALLER_NAME=Installer.pkg
productsign --sign "$DEV_ID_INSTALLER_CERT" $PKG_NAME $INSTALLER_NAME

# Notarize the package
xcrun notarytool submit "$INSTALLER_NAME" \
  --apple-id "$APPLE_ID" \
  --team-id "$TEAM_ID" \
  --password "$APP_SPECIFIC_PW" \
  --wait

xcrun stapler staple "$INSTALLER_NAME"
echo "Notarized package built at: $INSTALLER_NAME"
```
Apr ’25
Reply to packet-tunnel-provider-systemextension doesn't work
@DTS Engineer Thank you. I read the documentation provided by Apple engineers. I was able to create the installer successfully and launch the application. However, when I try to connect to the VPN, I get the following error:

```
default 16:53:58.419606+0900 Runetale Saving configuration Runetale with existing signature (null)
error 16:53:58.420440+0900 Runetale Failed to save configuration Runetale: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
error 16:53:58.420474+0900 Runetale Failed to save configuration: Error Domain=NEVPNErrorDomain Code=5 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
error 16:53:58.420407+0900 nehelper Runetale Failed to obtain authorization right for 3: no authorization provided
```

Is there any possible reason for this? The entitlements look like this:

App entitlements

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.application-identifier</key>
  <string>myteamid.com.runetale.desktop</string>
  <key>com.apple.developer.networking.networkextension</key>
  <array>
    <string>packet-tunnel-provider</string>
  </array>
  <key>com.apple.developer.system-extension.install</key>
  <true/>
  <key>com.apple.developer.team-identifier</key>
  <string>myteamid</string>
  <key>com.apple.security.app-sandbox</key>
  <false/>
  <key>com.apple.security.application-groups</key>
  <array>
    <string>myteamid.com.runetale.desktop</string>
  </array>
  <key>com.apple.security.files.user-selected.read-only</key>
  <true/>
  <key>com.apple.security.network.client</key>
  <true/>
  <key>com.apple.security.network.server</key>
  <true/>
</dict>
</plist>
```

NetworkExtension entitlements

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.application-identifier</key>
  <string>VH5RTVGP6D.com.runetale.desktop.PacketTunnel</string>
  <key>com.apple.developer.networking.networkextension</key>
  <array>
    <string>packet-tunnel-provider-systemextension</string>
  </array>
  <key>com.apple.developer.team-identifier</key>
  <string>VH5RTVGP6D</string>
  <key>com.apple.security.app-sandbox</key>
  <false/>
  <key>com.apple.security.application-groups</key>
  <array>
    <string>VH5RTVGP6D.com.runetale.desktop</string>
  </array>
</dict>
</plist>
```

And the automation script I'm using looks like this: Due to character limit, I will paste it in the next comment. Sorry.

What I am careful about:

- Do not use codesign force
- Include -systemextension in entitlements
- Sign other frameworks, resources, etc.
- Copy the provisionprofile created from the Developer Account

Since I am able to install and start the package installer the way it is currently made, I think the cause might be that the provisionprofile isn't set up properly. Any idea?
Apr ’25
Reply to packet-tunnel-provider-systemextension doesn't work
I don't know if the provisionprofile was invalidated, but after installation, when I checked /Applications.Runetale.app, I found that entitlements were not included correctly. The cause seems to be that the priority order of my custom scripts was wrong. Thank you and Apple's engineers for your support.
Apr ’25
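An added example, not part of the original posts: a Python check that can run over the entitlements exported from the installed app and its system extension with `codesign -d --entitlements <file> --xml` (the command used in the script in this thread), to catch entitlements that did not survive signing. It assumes Developer ID distribution, where Network Extension values carry the `-systemextension` suffix as the script's comment notes, and that the application identifier is prefixed by the team ID; the function names, bundle IDs and `TEAMID0000` sample data are constructed.

```python
import plistlib

NE_KEY = "com.apple.developer.networking.networkextension"
TEAM_KEY = "com.apple.developer.team-identifier"
APPID_KEY = "com.apple.application-identifier"
SUFFIX = "-systemextension"

def lint_entitlements(xml_bytes, label):
    """Return findings for one exported entitlements plist; [] means clean."""
    if not xml_bytes.strip():
        # Assumption: code signed without --entitlements exports an empty file.
        return [f"{label}: signature carries no entitlements"]
    ent = plistlib.loads(xml_bytes)
    findings = []
    values = ent.get(NE_KEY, [])
    if not values:
        findings.append(f"{label}: {NE_KEY} is missing")
    for value in values:
        if not value.endswith(SUFFIX):
            findings.append(f"{label}: '{value}' lacks the {SUFFIX} suffix")
    if ent.get("com.apple.security.get-task-allow"):
        findings.append(f"{label}: get-task-allow is still set")
    team = ent.get(TEAM_KEY, "")
    if not team or not ent.get(APPID_KEY, "").startswith(team + "."):
        findings.append(f"{label}: application-identifier is not prefixed by the team ID")
    return findings

def lint_bundle(app_xml, ext_xml):
    """Lint the container app and its system extension together."""
    return lint_entitlements(app_xml, "app") + lint_entitlements(ext_xml, "extension")

def sample(bundle_id, ne_values, team="TEAMID0000", **extra):
    """Build a constructed entitlements plist (placeholder team and bundle IDs)."""
    ent = {APPID_KEY: f"{team}.{bundle_id}", TEAM_KEY: team, NE_KEY: ne_values}
    ent.update(extra)
    return plistlib.dumps(ent)

if __name__ == "__main__":
    # Constructed input: app still has the unsuffixed value, extension is correct.
    app = sample("com.example.vpn", ["packet-tunnel-provider"])
    ext = sample("com.example.vpn.PacketTunnel", ["packet-tunnel-provider-systemextension"])
    for finding in lint_bundle(app, ext) or ["clean"]:
        print(finding)
    # Constructed input: extension re-signed without entitlements.
    print(lint_bundle(app, b""))
```

Running it against the installed copy under /Applications, rather than the build directory, checks what the installer actually delivered.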
Reply to packet-tunnel-provider-systemextension doesn't work
Consecutive posts are not permitted. I noticed something strange. I noticed that a while after creating a provisionprofile used in NetworkExtension, the status was displayed as invalid.
Apr ’25
Reply to packet-tunnel-provider-systemextension doesn't work
@DTS Engineer thank you. I'll read the article you posted and give it a try. I'll post again if I have any questions.
Apr ’25