NE System Extension stuck on Validation By Category

Question

Created May ’25

Replies 3

Boosts 0

Participants 2

Hello, I'm having some problems when install my Packet Tunnel network extension as system extension on my mac(macos 15.0). It stuck on Validation By Category. (it works well as NE app extension on ios)

systemextensionsctl list
	--- com.apple.system_extension.network_extension
	enabled active  teamID  bundleID (version)      name    [state]
	  <...>      com.myteam.balabalabla.ne (1.0/1)   -       [validating by category]

This is my install System Extension Code sample

    public class SystemExtension: NSObject, OSSystemExtensionRequestDelegate {
        private let forceUpdate: Bool
        private let inBackground: Bool
        private let semaphore = DispatchSemaphore(value: 0)
        private var result: OSSystemExtensionRequest.Result?
        private var properties: [OSSystemExtensionProperties]?
        private var error: Error?

        private init(_ forceUpdate: Bool = false, _ inBackground: Bool = false) {
        }

       // some request function i overwrite

        public func activation() throws -> OSSystemExtensionRequest.Result? {
            let request = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: FilePath.packageName + ".myNeName", queue: .main)
            request.delegate = self
            OSSystemExtensionManager.shared.submitRequest(request)
            semaphore.wait()
            if let error {
                throw error
            }
            return result
        }

        public func getProperties() throws -> [OSSystemExtensionProperties] {
            let request = OSSystemExtensionRequest.propertiesRequest(forExtensionWithIdentifier: FilePath.packageName + ".myNeName", queue: .main)
            request.delegate = self
            OSSystemExtensionManager.shared.submitRequest(request)
            semaphore.wait()
            if let error {
                throw error
            }
            return properties!
        }

        public nonisolated static func install(forceUpdate: Bool = false, inBackground: Bool = false) async throws -> OSSystemExtensionRequest.Result? {
            try await Task.detached {
                try SystemExtension(forceUpdate, inBackground).activation()
            }.result.get()
        }

        public nonisolated static func uninstall() async throws -> OSSystemExtensionRequest.Result? {
            try await Task.detached {
                try SystemExtension().deactivation()
            }.result.get()
        }
    }

    // And other methods

I follow this post Your Friend the System Log and use this command line to collect log. After I initiated the system extension request sudo log collect --last 5m

Here is my log (),I only pasted some code snippets that caught me, full version see attachments.(only include com.apple.sysextd), if need more, plz ask me.

1. Some policy missing

```log
22:00:13.818257 `sysextd` extension mockTeamID app.balabala.com.mockbalabala (1.0/1) advancing state from staging to validating
22:00:13.818263 sysextd returning cdhash for local arch arm64 of extension app.balabala.com.mockbalabala
info  2025-05-01 22:00:13.818336 sysextd Extension with identifier <private> reached state <private>
22:00:13.819185 sysextd [0x9a2034b00] activating connection: mach=false listener=false peer=false name=com.apple.CodeSigningHelper
22:00:13.819911 sysextd [0x9a2034b00] invalidated after the last release of the connection object
22:00:13.821024 sysextd making activation decision for extension with teamID teamID("mockTeamID ), identifier app.balabala.com.mockbalabala
22:00:13.821026 sysextd no related kext found for sysex `app.balabala.com.mockbalabala`
22:00:13.821027 sysextd no extension policy -- activation decision is UserOption

nesessionmanager.system-extensions interrupted


22:00:14.313576 sysextd [0x9a2178280] invalidated because the client process (pid 1886) either cancelled the connection or exited

22:00:14.542154 sysextd connection to com.apple.nesessionmanager.system-extensions interrupted

22:00:14.542319 sysextd [0x9a2178000] Re-initialization successful; calling out to event handler with XPC_ERROR_CONNECTION_INTERRUPTED

22:00:14.542351 sysextd connection to com.apple.nesessionmanager.system-extensions interrupted

22:00:14.589375 nesessionmanager  [0x6c80e4500] activating connection: mach=true listener=false peer=false name=com.apple.sysextd

And when i debug the System Extension code i notice the request Error catch by didFailWithError

        public func request(_: OSSystemExtensionRequest, didFailWithError error: Error) {
            self.error = error
            semaphore.signal()
        }

error is

OSSystemExtensionErrorDomain code 1

This problem has been bothering me for a long time, I would appreciate any help, if need more info, comment, thank you.

Answered by DTS Engineer in 838431022

I explain the validating by category issue in this thread, starting at this post. I’m not sure that’ll be enough to get you fully unstuck, but it’s a place to start.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

May ’25

Recommended

I explain the validating by category issue in this thread, starting at this post. I’m not sure that’ll be enough to get you fully unstuck, but it’s a place to start.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

AcmeHHH OP

May ’25

Hi @DTS Engineer Eskimo,

Thank you for your previous response.

I’ve carefully reviewed the post you shared and verified each point mentioned. My issue appears to be identical (even in log details) to the one described in this thread.

At the end of the discussion, you noted that this was a system-related issue and explained how NEMachServiceName should be configured. I followed your instructions, but I’m still encountering a failure during the "validate by category" step. I’m unsure whether the original poster managed to resolve it.

After further troubleshooting without success, I revisited your series of posts on Network Extension and System Extension.

You mentioned that during daily development, it’s generally recommended to avoid using a Developer ID for signing. Acting on this advice, I removed the

OSSystemExtensionRequest.activationRequest

code and instead used an Apple Development signing identity to package the Network Extension as a standard app extension. My goal was to successfully launch the extension on macOS.

The switch to the Apple Development identity and the related adjustments proceeded smoothly, and the app ran without issues until I attempted to start the Network Extension.

The process stalled again, with the logs indicating:

Found 0 registrations for my.bundleId.networkExtension

Interestingly, the same logic works perfectly on iOS.

I revisited your posts and noticed your remark about app extensions on macOS being less stable. This let me to explore using PluginKit to manually register the extension.

However, when I ran:

pluginKit -a /path/to/myExtension

…nothing happened. I also tried: pluginKit -m

…but my extension didn’t appear in the list.

Could this be due to an error in my usage of PluginKit, or is there an underlying issue in my implementation?

At this stage, I believe the priority is to ensure the .appex works on macOS, not just iOS, and then proceed with exporting it independently using a Developer ID.

Thank you again for your time and assistance. I’d greatly appreciate any further guidance.

Best regards.

0

Answer 3

DTS Engineer OP

Apple

May ’25

Accepted Answer

I’m unsure whether the original poster managed to resolve it.

That resolved it by making their Mach service name a ‘child’ of their app group. In my tests those were:

SKMME9E2Y8.com.example.apple-samplecode.QNE2DNSProxyMac.service — NEMachServiceName value
SKMME9E2Y8.com.example.apple-samplecode.QNE2DNSProxyMac — app group value

Do you see any relevant crash reports? In the other thread there were crash reports for both sysextd and nesessionmanager, with the latter being the relevant one.

You mentioned that during daily development, it’s generally recommended to avoid using a Developer ID for signing. Acting on this advice

Hmmmm, that’s not quite where I was going with that advice. There are two axes here:

Packaging, that is, a sysex or an appex
Signing, that is, for development, for App Store distribution, and for direct distributing using Developer ID

They are mostly independent, the exceptions being:

For distribution, we only support the appex packaging on the App Store.
And for direct distribution, you have do the dance described in Exporting a Developer ID Network Extension

However, you’re at the development stage, so neither of those matter. Apple Development signing supports both appex and sysex packaging, and given that your final goal is to ship a sysex then I think that it’s best to focus on that for the moment.

This is exactly the setup I describe in the System Extension Hints section of Debugging a Network Extension Provider.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1