coder · ThomasK33 · Mar 7, 2025 · Mar 5, 2025
diff --git a/.env b/.env
@@ -1,6 +1,9 @@
 # Build a release locally using: op run --env-file="./.env" -- make release
-APPLE_CERT="op://Apple/Apple DeveloperID PKCS12 base64/notesPlain"
-CERT_PASSWORD="op://Apple/DeveloperID p12 password/password"
+APPLE_CERT="op://Apple/Apple DeveloperID Application PKCS12 base64/notesPlain"
+CERT_PASSWORD="op://Apple/DeveloperID Application p12 password/password"
+
+APPLE_INSTALLER_CERT="op://Apple/Developer ID Installer PKCS12 base64/notesPlain"
+INSTALLER_CERT_PASSWORD="op://Apple/DeveloperID Installer Password/password"
 
 APPLE_ID="op://Apple/3apcadvvcojjbpxnd7m5fgh5wm/username"
 APPLE_ID_PASSWORD="op://Apple/3apcadvvcojjbpxnd7m5fgh5wm/password"

diff --git a/.ignore b/.ignore
@@ -1 +1,2 @@
 !.github
+!.ignore
diff --git a/Coder Desktop/Coder Desktop/NetworkExtension.swift b/Coder Desktop/Coder Desktop/NetworkExtension.swift
@@ -56,11 +56,11 @@ extension CoderVPNService {
         logger.debug("saving new tunnel")
         do {
             try await tm.saveToPreferences()
+            neState = .disabled
         } catch {
             logger.error("save tunnel failed: \(error)")
             neState = .failed(error.localizedDescription)
         }
-        neState = .disabled
     }
 
     func removeNetworkExtension() async throws(VPNServiceError) {
@@ -105,6 +105,7 @@ extension CoderVPNService {
         var tunnels: [NETunnelProviderManager] = []
         do {
             tunnels = try await NETunnelProviderManager.loadAllFromPreferences()
+            logger.debug("loaded \(tunnels.count) tunnel(s)")
         } catch {
             throw .internalError("couldn't load tunnels: \(error)")
         }

diff --git a/Coder Desktop/Coder Desktop/SystemExtension.swift b/Coder Desktop/Coder Desktop/SystemExtension.swift
@@ -29,6 +29,7 @@ protocol SystemExtensionAsyncRecorder: Sendable {
 extension CoderVPNService: SystemExtensionAsyncRecorder {
     func recordSystemExtensionState(_ state: SystemExtensionState) async {
         sysExtnState = state
+        logger.info("system extension state: \(state.description)")
         if state == .installed {
             // system extension was successfully installed, so we don't need the delegate any more
             systemExtnDelegate = nil

diff --git a/Coder Desktop/Coder Desktop/VPNService.swift b/Coder Desktop/Coder Desktop/VPNService.swift
@@ -30,9 +30,9 @@ enum VPNServiceError: Error, Equatable {
         case let .internalError(description):
             "Internal Error: \(description)"
         case let .systemExtensionError(state):
-            state.description
+            "SystemExtensionError: \(state.description)"
         case let .networkExtensionError(state):
-            state.description
+            "NetworkExtensionError: \(state.description)"
         }
     }
 

diff --git a/Coder Desktop/Coder Desktop/XPCInterface.swift b/Coder Desktop/Coder Desktop/XPCInterface.swift
@@ -14,7 +14,9 @@ import VPNLib
     }
 
     func connect() {
+        logger.debug("xpc connect called")
         guard xpc == nil else {
+            logger.debug("xpc already exists")
             return
         }
         let networkExtDict = Bundle.main.object(forInfoDictionaryKey: "NetworkExtension") as? [String: Any]
@@ -27,17 +29,21 @@ import VPNLib
         }
         xpc = proxy
 
+        logger.debug("connecting to machServiceName: \(machServiceName!)")
+
         xpcConn.exportedObject = self
         xpcConn.invalidationHandler = { [logger] in
             Task { @MainActor in
                 logger.error("XPC connection invalidated.")
                 self.xpc = nil
+                self.connect()
             }
         }
         xpcConn.interruptionHandler = { [logger] in
             Task { @MainActor in
                 logger.error("XPC connection interrupted.")
                 self.xpc = nil
+                self.connect()
             }
         }
         xpcConn.resume()

diff --git a/Coder Desktop/VPN/Info.plist b/Coder Desktop/VPN/Info.plist
@@ -2,8 +2,10 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-	<key>NSSystemExtensionUsageDescription</key>
-	<string></string>
+  <key>NSSystemExtensionUsageDescription</key>
+  <string>Extends the networking capabilities of macOS to connect this Mac to your workspaces.</string>
+  <key>CFBundleDisplayName</key>
+	<string>Coder Desktop Network Extension</string>
 	<key>NetworkExtension</key>
 	<dict>
 		<key>NEMachServiceName</key>

diff --git a/Coder Desktop/VPN/main.swift b/Coder Desktop/VPN/main.swift
@@ -32,6 +32,10 @@ final class XPCListenerDelegate: NSObject, NSXPCListenerDelegate, @unchecked Sen
             logger.info("active connection dead")
             self?.setActiveConnection(nil)
         }
+        newConnection.interruptionHandler = { [weak self] in
+            logger.debug("connection interrupted")
+            self?.setActiveConnection(nil)
+        }
         logger.info("new active connection")
         setActiveConnection(newConnection)
 
@@ -47,13 +51,15 @@ else {
     fatalError("Missing NEMachServiceName in Info.plist")
 }
 
-let globalXPCListenerDelegate = XPCListenerDelegate()
-let xpcListener = NSXPCListener(machServiceName: serviceName)
-xpcListener.delegate = globalXPCListenerDelegate
-xpcListener.resume()
+logger.debug("listening on machServiceName: \(serviceName)")
 
 autoreleasepool {
     NEProvider.startSystemExtensionMode()
 }
 
+let globalXPCListenerDelegate = XPCListenerDelegate()
+let xpcListener = NSXPCListener(machServiceName: serviceName)
+xpcListener.delegate = globalXPCListenerDelegate
+xpcListener.resume()
+
 dispatchMain()
diff --git a/Makefile b/Makefile
@@ -56,6 +56,10 @@ $(KEYCHAIN_FILE):
 	echo "$$APPLE_CERT" | base64 -d > $$tempfile; \
 	security import $$tempfile -P '$(CERT_PASSWORD)' -A -t cert -f pkcs12 -k "$(APP_SIGNING_KEYCHAIN)"; \
 	rm $$tempfile
+	@tempfile=$$(mktemp); \
+	echo "$$APPLE_INSTALLER_CERT" | base64 -d > $$tempfile; \
+	security import $$tempfile -P '$(INSTALLER_CERT_PASSWORD)' -A -t cert -f pkcs12 -k "$(APP_SIGNING_KEYCHAIN)"; \
+	rm $$tempfile
 	security list-keychains -d user -s $$(security list-keychains -d user | tr -d '\"') "$(APP_SIGNING_KEYCHAIN)"
 
 .PHONY: release
@@ -67,6 +71,7 @@ release: $(KEYCHAIN_FILE) ## Create a release build of Coder Desktop
 	./scripts/build.sh \
 		--app-prof-path "$$APP_PROF_PATH" \
 		--ext-prof-path "$$EXT_PROF_PATH" \
+		--version $(MARKETING_VERSION) \
 		--keychain "$(APP_SIGNING_KEYCHAIN)"; \
 	rm "$$APP_PROF_PATH" "$$EXT_PROF_PATH"
 

diff --git a/flake.nix b/flake.nix
@@ -25,30 +25,6 @@
           };
 
           formatter = pkgs.nixfmt-rfc-style;
-
-          create-dmg = pkgs.buildNpmPackage rec {
-            pname = "create-dmg";
-            version = "7.0.0";
-
-            src = pkgs.fetchFromGitHub {
-              owner = "sindresorhus";
-              repo = pname;
-              rev = "v${version}";
-              hash = "sha256-+GxKfhVDmtgEh9NOAzGexgfj1qAb0raC8AmrrnJ2vNA=";
-            };
-
-            npmDepsHash = "sha256-48r9v0sTlHbyH4RjynClfC/QsFAlgMTtXCbleuMSM80=";
-
-            # create-dmg author does not want to include a lockfile in their releases,
-            # thus we need to vendor it in ourselves.
-            postPatch = ''
-              cp ${./nix/create-dmg/package-lock.json} package-lock.json
-            '';
-
-            # Plain JS, so nothing to build
-            dontNpmBuild = true;
-            dontNpmPrune = true;
-          };
         in
         {
           inherit formatter;
@@ -60,7 +36,6 @@
                 actionlint
                 clang
                 coreutils
-                create-dmg
                 gh
                 git
                 gnumake