[NET8] macOS app with AdditionalAppExtensions not available for testing in TestFlight

[tipa]

Steps to Reproduce

I have added a sharing extension to my macOS app using AdditionalAppExtensions.

• Build .NET8 macOS app (dotnet publish)
• Upload app package using Apple Transporter app

Under "macOS builds" -> "Store information" everything looks similar to previous versions, just with that (expected) additional part:

MyApp.app/Contents/PlugIns/ShareExtension Mac.appex/Contents/MacOS/ShareExtension Mac
    com.apple.security.files.user-selected.read-only: true
    com.apple.security.application-groups: ( "group.xyz.myapp" )
    com.apple.security.app-sandbox: true

csproj:

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net8.0-macos</TargetFramework>
    <OutputType>Exe</OutputType>
    <RootNamespace>MyApp</RootNamespace>
    <AssemblyName>MyApp</AssemblyName>
    <_Platform>macOS</_Platform>
    <NoWarn>IDE0044;IDE1006;XI0001;CA2211</NoWarn>
    <SupportedOSPlatformVersion>11.0</SupportedOSPlatformVersion>
    <EnableCodeSigning>true</EnableCodeSigning>
    <CodesignEntitlements>Entitlements.plist</CodesignEntitlements>
    <CodeSignProvision>Automatic</CodeSignProvision>
    <CodesignKey>Apple Development: Timo P (...)</CodesignKey>
    <!-- https://github.com/xamarin/xamarin-macios/issues/19397 -->
    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)' == 'Release'">
    <TrimMode>full</TrimMode>
    <CodesignKey>Apple Distribution: Timo P (...)</CodesignKey>
    <EnablePackageSigning>true</EnablePackageSigning>
    <!-- https://github.com/xamarin/xamarin-macios/issues/19432#issuecomment-1833979884 -->
    <NoDSymUtil>false</NoDSymUtil>
  </PropertyGroup>
  <ItemGroup>
--- nuget packages ----
  </ItemGroup>
  <ItemGroup>
    <AdditionalAppExtensions Include="../native">
      <Name>ShareExtension Mac</Name>
      <BuildOutput>build/$(Configuration)</BuildOutput>
    </AdditionalAppExtensions>
  </ItemGroup>
</Project>

Expected Behavior

The app is testable

Actual Behavior

The app shows as "Not available for testing" in App Store Connect

Maybe related to this issue

[rolfbjarne]

I agree that this looks signing-related somehow.

Does the app pass the automated app verification if you try to publish it? Sometimes you get better error messages then.

Can you attach a binlog? That would show me how the extension is being signed.

[tipa]

I don't want to publish the app because I want to test the app via TestFlight first. Or what automated app verification are you referring to? I can submit a build with the extension to certification (with manual publish enabled, so no user receives the update) after my current update rolled out completely.
I have sent you a binlog in a direct message

[rolfbjarne]

I don't want to publish the app because I want to test the app via TestFlight first. Or what automated app verification are you referring to? I can submit a build with the extension to certification (with manual publish enabled, so no user receives the update) after my current update rolled out completely.

I got confused; you usually get an email after uploading a build to App Store Connect saying if there were any validation failures/warnings, I'm assuming this email doesn't mention any problems?

That said, I tried this, and my test app works fine with TestFlight. The "Store Information" about the build says:

Entitlements
AdditionalAppExtensionConsumer.app/Contents/MacOS/AdditionalAppExtensionConsumer
    com.apple.application-identifier: TGFVQHFHZF.com.xamarin.additionalappextensionconsumer
    com.apple.security.cs.allow-jit: true
    com.apple.developer.team-identifier: TGFVQHFHZF
    com.apple.security.app-sandbox: true
AdditionalAppExtensionConsumer.app/Contents/PlugIns/NativeIntentsExtension.appex/Contents/MacOS/NativeIntentsExtension
    com.apple.security.files.user-selected.read-only: true
    com.apple.security.app-sandbox: true

So I don't know what the problem might be.

What happens if you create a temporary Xcode container project with the same bundle identifier and entitlements as the main iOS project, and then add this extension, can you publish that to TestFlight?

[tipa]

No I haven't received any mail from Apple with more details about the problem.

What happens if you create a temporary Xcode container project with the same bundle identifier and entitlements as the main iOS project, and then add this extension, can you publish that to TestFlight?

Yes, I have created a Swift-wrapper project with the app extension embedded and there is no error in TestFlight with that build. When comparing the "Store Information" sections, I noticed that the Swift-app created by XCode contains the com.apple.application-identifier & com.apple.developer.team-identifier entitlements in both main app and extension, while the .NET-app only shows those items only under the main app. This reminded me of this issue I experienced when adding my extension to my iOS app.
So first thing I tried is to apply the same workaround that I did for my iOS app (manually write the application-identifier into the Entitlements-file before building extension + app). That didn't work - xcodebuild errored out with Provisioning profile "...." doesn't include the application-identifier entitlement. So I tried adding the application-identifier after building the extension but before building the main app + bundling it. That worked and I tried uploading the resulting .pkg file, but now TestFlight errors out with

ERROR ITMS-90285: "Invalid Code Signing Entitlements. Your application bundle's signature contains code signing entitlements that are not supported on macOS. Specifically, key 'application-identifier' in 'mac.xyz.MyApp.pkg/Payload/MyApp.app/Contents/PlugIns/ShareExtensionMac.appex/Contents/MacOS/ShareExtensionMac' is not supported." (-18000)

I am happy to provide more information (e.g. the .pkg file) if needed. Not sure if it matters but in your example there isn't any App Group or other entitlement specified - maybe that makes a difference?

[rolfbjarne]

Can you try using com.apple.application-identifier instead of application-identifier?

I believe the name is different between iOS and macOS:

https://github.com/xamarin/xamarin-macios/blob/107d644b55738a9390295de9cc551f12e039a459/msbuild/Xamarin.MacDev.Tasks/Tasks/CompileEntitlementsTaskBase.cs#L19-L20

https://github.com/xamarin/xamarin-macios/blob/107d644b55738a9390295de9cc551f12e039a459/msbuild/Xamarin.MacDev.Tasks/Tasks/CompileEntitlementsTaskBase.cs#L33-L34

[tipa]

Right - I overlooked that the name is slightly different.
After changing it to com.apple.application-identifier TestFlight accepts the build and I can download & test the app + extension. So probably this is pretty much the same issue as this one.

I didn't have to specify com.apple.developer.team-identifier in order to get it to work, even though the XCode/Swift-app included it in the Entitlements - not sure if there are any benefits of (not) adding it

[rolfbjarne]

Yes, this seems like a duplicate of #19243, just for macOS instead of iOS.