Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failing to create service in MacOS Ventura #58

Closed
phatmandrake opened this issue Nov 8, 2022 · 9 comments
Closed

Failing to create service in MacOS Ventura #58

phatmandrake opened this issue Nov 8, 2022 · 9 comments

Comments

@phatmandrake
Copy link

Debug output tail

Adding Service <SCNetworkService 0x6000004d0d00 [0x7ff85d38ce90]> {id = 8C3A4189-C2C9-4609-AE5E-62CDF0A5BC96, prefs = 0x7f7d46004590, name = <SERVICE>} to networkSet <SCNetworkSet 0x600001fd4a80 [0x7ff85d38ce90]> {id = 982B37A5-4F27-4D87-95EA-D7E24A1839DF, prefs = 0x7f7d46004590, new}...
Added successfully to networkSet...
Preparing to add Keychain items for service <SERVICE>...
Creating PPP Keychain Item...
Creating Password Keychain Item with ID 8C3A4189-C2C9-4609-AE5E-62CDF0A5BC96
Creating System Keychain for <SERVICE> with service 8C3A4189-C2C9-4609-AE5E-62CDF0A5BC96 and account   and description PPP Password and password? true
Retrieving System Keychain...
Successfully retrieved System Keychain
Unlocking System Keychain...
Succeeded unlocking System Keychain
Could not create trusted application: Optional(UNIX[No such file or directory])

Also hi.
@halo
Copy link
Owner

halo commented Nov 8, 2022

Thank you for posting this.

The used method appears to be deprecated.

I did not find an alternative yet (hopefully there is one at all). Also, I'd have to double-check whether this occurs on all Ventura machines or just yours 😅

@meysq
Copy link

meysq commented Nov 8, 2022

+1 on this - macosvpn is unable to create with the same error on every Ventura machine we have. Bummer to hear that it's deprecated, hope this can be fixed in some way!

@machinas-achim
Copy link

Confirmed on several instances of Ventura as a result of the deprecated API. From the thread you posted above, "[t]he problem is that this entire concept is deprecated."

@bhansontbg
Copy link

The issue isn't that the method is deprecated, the method still exists in the OS. The file path of the network preference pane has moved. I have attached an updated version of Keychain.CreateItem.swift that should fix this issue.

Keychain.CreateItem.swift.zip

halo added a commit that referenced this issue Nov 11, 2022
@halo
Fix XPC service path for Ventura compatibility
f493868 
See #58 (comment)
Thank you @bhansontbg!!
@halo
Copy link
Owner

halo commented Nov 11, 2022
edited

Where did you come from?

Thank you @bhansontbg for fixing this, totally out of nowhere, can you always do this when I find bugs? 😂

I updated the code, bumped to version 2.0.0 and tests are passing for macOS Monterey. Could somebody please check if it worked on Ventura? I don't have an M1-executable at hand.

This is the release (the attached executable was built for x64, in case you can't build it from scratch).

@bhansontbg
Copy link

@halo - Thanks for the praise, I appreciate it!

I downloaded the binary and tried to run it on my M1 mac (Monterey) and Intel mac (Ventura). On both systems I encountered the following error:

You wish to create one or more VPN service(s)
Obtaining Authorization...
Creating Authorization Failed. Unable to obtain authorization for this operation. (Security Framwork Error Code -60008).

What is curious is, when I run the executable generated from xcode, from the xcode release directory, the program works - here is some example output from Ventura: https://pastebin.com/uEb4qXcZ . However, when I copy the same executable to a new location on the file system, the executable fails to unlock the keychain, producing the "Creating Authorization Failed" error above.

I believe this happens in Authorizations.swift, and is unrelated to the Ventura error. I believe there is some kind of application signing requirement for macOS in both Ventura and Montery, where an application compiled and ran from xcode may open and modify the keychain, but when it is put into another location it is sandboxed and prevented from modifying the keychain. Unfortunately, I don't know much about macOS gatekeeper, sandboxing, or application signing requirements, so I was hoping maybe you would have some insight into the issue. Do you have any thoughts?

@bhansontbg
Copy link

@halo

Sorry, disregard everything I said. It works fine, for some reason it just can't be executed from the Desktop. Tested working on Intel mac running Ventura, fails with "Killed: 9" on M1 running Monterey.

I have tested the release from my xcode environment compiled as a universal binary, and it worked on both of my systems.

@halo
Copy link
Owner

halo commented Nov 15, 2022

That's wonderful news! Thank you so much. I also just noticed that what I published there in my draft release was actually a universal binary (I never updated that setting and thought I had only built a x64).

I'll make the release official so that homebrew picks it up.

I don't know much about how to handle gatekeeper either. As with everything about this tool, I just go down the rabbit hole and maybe come out again and with some luck it works :)

Again, thank you very much for investing this issue and putting your time into it.

@halo halo closed this as completed Nov 15, 2022
@machinas-achim
Copy link

@halo those are great news indeed, until the next release when the function might get removed for real :-) Thank you @bhansontbg for that fix!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@halo @meysq @machinas-achim @phatmandrake @bhansontbg