Posts

Post not yet marked as solved
7 Replies
378 Views
I have several executables, and I want them to be able to trust each other, since they grew up together and have had many bonding adventures together. When getting an XPC (or AppleEvents, thank you Quinn 😄) from another process, is there an easy way to find out if the other process is signed the same way the receiving process is? The code signing identity is easy to check, but of course it's also pretty easy to forge. (So this would be a variant, I think, of a question I asked a few months ago, how to see if a process is "properly" signed [which, as I said then, means it's got a valid code signature, and that is anchored "properly," which is to say something that would pass gatekeeper]. Only easier, because I really just want to say "here is my SecCode, here is this other process', are they both comparable?) Although I guess another thing would be to see if they're both in the same app group?
Posted by kithrup.
Post not yet marked as solved
0 Replies
194 Views
I'm beating my head against Apple here and it hurts. We made the request for Endpoint Security, and got it granted. However, it was only for development (and as we're looking to do non-app store distribution, I explicitly asked for one to go with our Developer ID Application certificate). At this point, I have used a TSI (thanks Quinn!) and possibly upset an internal contact by asking what I'm supposed to do, and gotten nowhere. At this point, I am sending an email message to the endpoint-review address every week, and I have gotten no responses at all. Has anyone successfully gotten this? If so... how? (No, let me amend that: I know some have, since I've seen it in the wild. I just have no idea what I'm supposed to do!)
Posted by kithrup.
Post marked as solved
2 Replies
243 Views
Consider:

    sef% mdfind 'kMDItemDisplayName =[c] "Zoom.us"'
    sef%
    sef% mdfind 'kMDItemDisplayName =[c] "zoom.us"'
    sef%

vs

    sef% mdfind 'kMDItemDisplayName == "zoom.us"'
    /Applications/zoom.us.app

(Using '==' vs '=' doesn't seem to make a difference.)
Posted by kithrup.
Post not yet marked as solved
2 Replies
162 Views
I'm specifically thinking about a transparent proxy provider, since that's what we're using, so what happens if:

• Process /Applications/Foo.app/Contents/MacOS/Foo opens a connection to, say, google port 443
• After getting the connection set up, it then fork&execs /bin/sh (or whatever 😄).

Does a new flow get created? Or does it continue to use the existing one?
Posted by kithrup.
Post not yet marked as solved
1 Replies
365 Views
The main question I have, honestly, is how do I do that? Or what do I do? The goal, of course, is to allow IT to deploy our product to macs. Our product has a network system extension, and the ability to install without asking user permission is very attractive. But... I'm not sure how to get started! My software-trained mind thinks that I should be able to write up my own provisioning file, but then I read the specifications and the part of my mind that keeps me from doing too many stupid things starts kicking the other part below the table. Is there a good resource for this from a developer's perspective? A tool that can create sample files for me, or documentation that can tell me what files and information I need to provide to someone using, say, JAMF?
Posted by kithrup.
Post not yet marked as solved
1 Replies
227 Views
I'm trying to get the URL used to launch an application. (Quinn helped me do the other part of this -- getting information about who sent the event -- in a TSI.) In the will-finish-launching method in the app delegate, I do:

        eventManager.setEventHandler(self,
                                     andSelector: #selector(handleGetURLEvent(_:withReplyEvent:)),
                                     forEventClass: AEEventClass(kInternetEventClass),
                                     andEventID: AEEventID(kAEGetURL))

And that does work: it launches the application if it's not running, and switches over to it if it is running. But... when I try to use keyDirectObject to get the URL it doesn't work -- I get nil as the result. But if I iterate through the event's items... I find the item.

        #if false
        let url = event.attributeDescriptor(forKeyword: keyDirectObject)
        print(url)
        #else
        let count = event.numberOfItems
        print("\(count) items")
        for index in 1...count {
            let keyword = event.keywordForDescriptor(at: index)
            if keyword == keyDirectObject {
                if let d = event.atIndex(index), let str = d.stringValue {
                    url = URL(string: str)
                    break
                }
            }
        }
        #endif

Later on (and this was due to Quinn), I have

        guard let aeAuditToken = event.attributeDescriptor(forKeyword: keySenderAuditTokenAttr)

and that works, so I don't think I'm asking for the URL incorrectly. Any ideas?
Posted by kithrup.
Post not yet marked as solved
1 Replies
153 Views
The layout I'm looking at:

• A daemon which queries various things, and at times decides it's time to log in (or log back in)
• An application that handles the logging in, configuration, etc., which registers a custom url scheme
• A LaunchAgent which would get an XPC (or just mach message, I suppose) from the daemon, and sends an open-url request for the custom url scheme, eg x-kithrup:login?reason=ihateyou

All of that is pretty straightforward to me! But... on a mac, can I tell who sent the request? That is, can my application see that it was my LaunchAgent that made the open-url request? On iOS, it looks like I can, as the UIApplicationDelegate has a method that passes in a sourceApplication. But the NSAppleEventDescriptors confused me a lot.
Posted by kithrup.
Post not yet marked as solved
11 Replies
588 Views
I got the permission from Apple (yay), and when I generate a profile on the portal, I can select it. But when I download it... it doesn't have it. Looking at the profile on the portal again, it says I have "Enabled Capabilities Endpoint Security, In-App Purchase". (Although how did that get there?)
Posted by kithrup.
Post not yet marked as solved
0 Replies
267 Views
We started discussing how we'll deal with captive portals, and I realized I don't know if CNA results in network change events. Does it? (I don't have a captive network here, and lockdown makes it hard to go find one, and making one would be ... quite a bit of work.)
Posted by kithrup.
Post marked as solved
2 Replies
576 Views
We're using CMake here, so we can build on Windows, Linux, and macOS. So now I'm trying to convert from Xcode to CMake (which then generates an xcode project, whee). The main problems I'm running into are figuring out which settings to do via CMakeLists.txt. That's mostly tiresome. But there's a new issue, and I don't know enough about CMake to figure it out: compiling my .swift file generates a ${PROJECT}-Swift.h file, which is used by the ObjC files. Which is great. Except I don't know how to tell CMake about that. (And I haven't figured out what variable describes where Xcode puts it, but that's more of a tiresome issue than head-against-desk issue...) Has anyone run into and hopefully figured this out?
Posted by kithrup.
Post not yet marked as solved
0 Replies
181 Views
This may be dumb: on an Apple Silicon system, with a system extension that is examining / interfering with some process, one or both of them may be run under Rosetta. So if a helper tool (app, daemon, whatever) tries to get the kSecCodeInfoUnique for an application of a given name... will that be the same one seen by the extension? Or will it depend on whether any part of the triad is running under Rosetta?
Posted by kithrup.
Post not yet marked as solved
6 Replies
516 Views
I had assumed the answer was "copy or create a plist in /Library/LaunchDaemons," but after poking around here and google a bit, I'm more confused. (Which seems to be a normal thing for me, so I'll hold off deciding I'm stupid for a while.) The options that I seem to see are:

• Copy/create a plist in /Library/LaunchDaemons
• Have Foo.app/Contents/Library/LaunchAgents, which will, I presume, run something as long as the app is running?
• Use SMJobBless to install the daemon. This is the preferred way, and requires an embedded launchd plist, which I presume is what will be installed into /Library/LaunchDaemons? And "embedded" means "pushed into the binary because MachO is infinitely versatile so we can do this if we want to"? This requires user interaction to get an authorization?

And... if the app is distributed via MDM, then that can install the launchd plist file without the app needing to run, just like it can install a system extension without the app needing to run?
Posted by kithrup.
Post marked as solved
1 Replies
197 Views
The NSWorkspace method that does this, fullPathForApplication, is deprecated. So what's the alternative? I do note that osascript can do it by id of app "App Name", so unless that's going away too, there must be some way of doing it, no?
Posted by kithrup.
Post marked as solved
4 Replies
332 Views
I created a protocol that had, among other things:

    @objc func setList(_: [MyType], withReply: @escaping (Error?) -> Void)

The daemon part is in Swift, while the calling part is in Objective-C. Because why not? (Actually, because the calling part has to deal with C++ code, so that's ObjC++; however, I wanted the stronger typing and runtime checking for the daemon part, so I wrote it in Swift.) The ObjC part uses NSArray<MyType*>. I set up an NSXPCConnection link, and create a (synchronous) proxy with the right protocol name. But when I try to do the XPC setList call, I get an error. I assume that's because it doesn't like the signature. (Surely this is logged somewhere? I couldn't find it, if so. 😩) But... if I have a signature of

    @objc func addItem(_: MyType, withReply: @escaping (Error?) -> Void)

then it works. So I assume it's the array. (Oh, I've also tried it without the @objc; the protocol itself is defined as @objc.) I've tried changing the protocol signature to use NSArray, but same thing.
Posted by kithrup.