Posts

Post not yet marked as solved
0 Replies
266 Views
Hi all, I'm experiencing strange behavior with an authorization plugin we inserted into the authorizationdb. The plugin is working great when we log out and log in regularly from macOS. The strange behavior starts when we log in directly from the FileVault login (and auto-login is enabled). If the user cancels our plugin (our plugin shows a UI view as part of the login after he inserts user+password) and the user is back at the password insertion screen, he can insert any password he wants, and the system will save this password as a new password for this user (replacing the old password) and then trigger our plugin again, instead of the regular flow of inserting the password and continuing to our plugin. I've never seen this behavior where the user is inserting a password as part of the login, and it will just save any password he inserts as the new password (a security vulnerability?).

This is our mechanism chain:

    <string>builtin:policy-banner</string>
    <string>loginwindow:login</string>
    <string>builtin:login-begin</string>
    <string>builtin:reset-password,privileged</string>
    <string>loginwindow:FDESupport,privileged</string>
    <string>builtin:forward-login,privileged</string>
    <string>builtin:auto-login,privileged</string>
    <string>builtin:authenticate,privileged</string>
    <string>PKINITMechanism:auth,privileged</string>
    <string>builtin:login-success</string>
    <string>loginwindow:success</string>
    <string>HomeDirMechanism:login,privileged</string>
    <string>HomeDirMechanism:status</string>
    <string>MCXMechanism:login</string>
    <string>CryptoTokenKit:login</string>
    <string>our-auth:prepare,privileged</string>
    <string>our-auth:main</string>
    <string>our-auth:cleanup,privileged</string>
    <string>loginwindow:done</string>

So, a summary of the flow:

1. User powers on the Mac and inserts the FileVault password.
2. After the decryption process is done, our plugin triggers.
3. The user cancels our plugin in the view, hence the view is removed, and the user is back at the password insertion screen.
4. User can insert ANY password he wants (it will not mention to him that he is changing or has changed the password).
5. Our plugin triggers again as part of the chain.
6. User approves our plugin and is logged in.
7. Trying to use the old password does not work. Only the new password works from that moment on.

I must say that it only happens if the user cancels our plugin on the first try. If he does not cancel the plugin, it will continue with the current password. Can someone help me understand why this is happening?
Posted
by noam.
Post not yet marked as solved
4 Replies
547 Views
Hello, lately I saw an article from Apple about "Using the Latest Code Signature Format". This is the article: https://developer.apple.com/documentation/xcode/using_the_latest_code_signature_format

I'm trying to figure out the meaning of this. We have an app in the store that was published in 2014 and hasn't been touched since then. The article states that starting with 14.2 the system checks for a new signature and in the near future it will reject apps without that signature ("In a future release, the new format will become mandatory, and the system won’t launch apps with the old signature format"). We tested the app on 14.2/3/4 and didn't get this warning message, although it's stated in the article. We cannot upload a new app as it will take a tremendous amount of time to rewrite it, and if broken we will have a serious production issue as lots of customers are still using it. Can anyone shed some light on this? Thanks in advance!
Posted
by noam.
Post not yet marked as solved
1 Replies
197 Views
I have a Jenkins machine where I need to use xcodebuild from the CLI. Can I install the Xcode dev tools instead of the full Xcode version in order to save space on the machine? Will it be enough for building a version? Do the dev tools even contain the build options?
Posted
by noam.
Post not yet marked as solved
0 Replies
421 Views
Hi all,

We are trying to use ANKA and Jenkins in order to do CI for our iOS apps. The main problem is with the code signature. When we install a new certificate we always need to go into the machine at least once and push the "Allow always" button in the popup, or else our build is stuck. Without ANKA this is what we did until the next time we updated the certificates. The problem is when we start to use ANKA, where each time it will install everything (like a docker) and then even pushing "Allow always" will not help when we run the jobs next time. Is there a solution for this scenario?

Thanks,
Noam
Posted
by noam.