Validating Signature Of XPC Process


So everyone uses the PID.

I thought everyone was just using the non-public stuff (-;

Would this be the preferred way to do this now?

Absolutely.

The main drawback here is that this is tied to the XPC C API, and thus isn’t available to folks using NSXPCConnection (r. 27605275).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • What? Use non-public stuff? Never!

    Since the code I have is C, that is absolutely not a problem.

    Thanks for the quick response.

  • So.... if that call isn't available to us mere NSXPCConnection users, what could we do instead? I'm verifying caller at the

    - (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection;

    level, identifying the caller by PID, but every once in a while

            NSDictionary *attributes = @{(__bridge NSString *)kSecGuestAttributePid : @(clientPID) };
            OSStatus status = SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attributes, kSecCSDefaultFlags, &dynamicCode);

    crashes my XPC Service, with nice stack somewhere deep in SecCodeCopyGuestWithAttributes:

        0 libsystem_kernel.dylib 0x183dcd9b8 __pthread_kill + 8
        1 libsystem_pthread.dylib 0x183e0115c pthread_kill + 288
        2 libsystem_c.dylib 0x183d3e314 abort + 164
        3 libsystem_malloc.dylib 0x183c23a1c malloc_vreport + 552
        4 libsystem_malloc.dylib 0x183c38c8c malloc_zone_error + 104
        5 libsystem_malloc.dylib 0x183c15db0 nanov2_allocate_from_block + 568
        6 libsystem_malloc.dylib 0x183c153a4 nanov2_allocate + 128
        7 libsystem_malloc.dylib 0x183c152c0 nanov2_malloc + 64
        8 libsystem_malloc.dylib 0x183c32770 _malloc_zone_malloc + 156
        9 CoreFoundation 0x183e5ab0c resolveAbsoluteURLStringBuffer + 1012
        10 CoreFoundation 0x183e5a678 resolveAbsoluteURLString + 188
        11 CoreFoundation 0x183e58744 CFURLCopyAbsoluteURL + 568
        12 CoreFoundation 0x183f6f750 _CFURLCreateWithFileSystemPath + 2236
        13 CoreFoundation 0x183eb874c _CFBundleCopyExecutableURLRaw + 320
        14 CoreFoundation 0x183eb84e0 _CFBundleCopyExecutableURLInDirectory2 + 452
        15 CoreFoundation 0x183f37ff0 _CFBundleCreateWithExecutableURLIfLooksLikeBundle + 128
        16 CoreFoundation 0x183f37f24 _CFBundleCreateWithExecutableURLIfMightBeBundle + 20
        17 Security 0x1860d3d18 Security::CodeSigning::KernelCode::identifyGuest(Security::CodeSigning::SecCode*, __CFData const**) + 544
        18 Security 0x1860ab040 Security::CodeSigning::SecCode::identify() + 96
        19 Security 0x1860ab8c0 Security::CodeSigning::SecCode::autoLocateGuest(__CFDictionary const*, unsigned int) + 188
        20 Security 0x1860b2318 SecCodeCopyGuestWithAttributes + 144
        21 xpcj 0x11706c3b0 -[OITContentScanningXPCService listener:shouldAcceptNewConnection:] + 556 (OITContentScanningXPCService.m:209)
        22 Foundation 0x184e274c8

    So... how to go about this, and is it better to use the kSecGuestAttributeAudit instead of the kSecGuestAttributePid when calling SecCodeCopyGuestWithAttributes ?

  • I can't read this; please put it in a reply. Or just start a new thread and reference this one.


I’m very pleased to announce that macOS 12 beta includes a new API that represents a great solution to this problem: Check out xpc_connection_set_peer_code_signing_requirement, and its associated doc comments, in <xpc/connection.h>.

Still no news on the NSXPCConnection side of this (r. 27605275)-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • This looks great!! 🎉 FWIW, I filed FB9209390 asking for an NSXPCConnection equivalent.

  • Ta!


I’m posting this link to a much older thread discussing this issue, just for context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I needed a secure XPC Mach Services connection and didn't want to be directly using the XPC C API throughout my codebase, so I created the SecureXPC framework for Swift. It uses the aforementioned SecCodeCreateWithXPCMessage API on macOS 11 and later, and falls back to, as eskimo says, the "non-public stuff" on older versions. Sharing this in the hopes it's helpful to people here. Feedback most welcome over on the GitHub page either as issues or discussions!

  • Thanks for sharing!


I've just started using xpc_connection_set_peer_code_signing_requirement() and can happily report that it meets all of my needs in terms of validating who my XPC connection is really connected to. However, there seems to have been a slight oversight in that the new error XPC_ERROR_PEER_CODE_SIGNING_REQUIREMENT has either not been made public, or is not available to Swift code for some reason. For example:

if event === XPC_ERROR_CONNECTION_INVALID { // OK
} else if event === XPC_ERROR_TERMINATION_IMMINENT { // OK
} else if event === XPC_ERROR_CONNECTION_INTERRUPTED { // OK 
} else if event === XPC_ERROR_PEER_CODE_SIGNING_REQUIREMENT { // Error: Cannot find in scope
}

has either not been made public

It’s definitely public, declared in <xpc/connection.h> in the macOS 12.0 SDK.

or is not available to Swift code for some reason

Indeed.

XPC_ERROR_PEER_CODE_SIGNING_REQUIREMENT is actually a macro and it seems likely that this macro is structured in a way that prevents the Swift importer from seeing it. Please file a bug about that, then post your bug number, just for the record.

Working around this is relatively straightforward: Define a C function that returns XPC_ERROR_PEER_CODE_SIGNING_REQUIREMENT and call that from your Swift code.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
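
The C shim suggested above, together with a client that sets a peer requirement through the XPC C API, as an added example that is not code from any poster in this thread. The service name, Team ID, message keys and function names are placeholders chosen for illustration.

```objc
#import <Foundation/Foundation.h>
#include <xpc/xpc.h>

// Shim for Swift: declare it in the bridging header and compare with ===.
API_AVAILABLE(macos(12.0))
xpc_object_t PeerCodeSigningRequirementError(void) {
    return XPC_ERROR_PEER_CODE_SIGNING_REQUIREMENT;
}

// Placeholder values (assumptions, not taken from the thread).
static const char *kServiceName = "com.example.daemon";
static const char *kRequirement =
    "anchor apple generic and certificate leaf[subject.OU] = \"TEAMID1234\"";

API_AVAILABLE(macos(12.0))
xpc_connection_t ConnectToVerifiedDaemon(void) {
    xpc_connection_t conn = xpc_connection_create_mach_service(kServiceName, NULL, 0);
    xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
        if (xpc_get_type(event) == XPC_TYPE_ERROR) {
            NSLog(@"connection event: %s",
                  xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
        }
    });
    // The requirement has to be installed before the connection is activated.
    int rc = xpc_connection_set_peer_code_signing_requirement(conn, kRequirement);
    xpc_connection_activate(conn);
    if (rc != 0) {
        // Fail closed: never talk to a peer we could not constrain.
        NSLog(@"could not set peer requirement (%d)", rc);
        xpc_connection_cancel(conn);
        return NULL;
    }
    return conn;
}

API_AVAILABLE(macos(12.0))
void SendPing(xpc_connection_t conn) {
    xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
    xpc_dictionary_set_string(msg, "op", "ping");
    xpc_connection_send_message_with_reply(conn, msg, dispatch_get_main_queue(),
                                           ^(xpc_object_t reply) {
        if (reply == XPC_ERROR_PEER_CODE_SIGNING_REQUIREMENT) {
            NSLog(@"peer did not satisfy the requirement; reply withheld");
        } else if (xpc_get_type(reply) == XPC_TYPE_ERROR) {
            NSLog(@"XPC error: %s",
                  xpc_dictionary_get_string(reply, XPC_ERROR_KEY_DESCRIPTION));
        } else {
            NSLog(@"verified reply: %s", xpc_dictionary_get_string(reply, "result"));
        }
    });
}
```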

Earlier I wrote:

Still no news on the NSXPCConnection side of this (r. 27605275)-:

I’m very pleased to say that macOS 13 beta has a shiny new -[NSXPCConnection setCodeSigningRequirement:] method. It even comes with documentation! Please take it for a spin and let us know if you hit any problems.

For an in-depth discussion of code signing requirements, see TN3127 Inside Code Signing: Requirements.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • Hi, I am using NSXPCConnection with setCodeSigningRequirement.

    My requirement = "anchor apple generic and IssuerIsDeveloperID and LeafIsDeveloperIDApp". (I want to add here team id)

    My app and daemon are signed with the same developer id cert and same team id.

    Now my App can not connect to my Daemon. The connection gets invalidated on my daemon side, when setting the above requirement.

    What am I missing here?

    Thanks, Sivan
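
A listener delegate that uses -[NSXPCConnection setCodeSigningRequirement:] with a Developer ID requirement pinned to a Team ID, and compiles the requirement text first so a syntax error is reported before any connection is accepted. This is an added example, not code from any poster in this thread; the protocol, class name and Team ID are placeholders.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical protocol and placeholder Team ID, for illustration only.
@protocol DaemonProtocol
- (void)pingWithReply:(void (^)(NSString *))reply;
@end
static NSString * const kTeamID = @"TEAMID1234";

// Developer ID requirement pinned to one team.
static NSString *PeerRequirement(void) {
    return [NSString stringWithFormat:
        @"anchor apple generic"
        @" and certificate 1[field.1.2.840.113635.100.6.2.6] exists"
        @" and certificate leaf[field.1.2.840.113635.100.6.1.13] exists"
        @" and certificate leaf[subject.OU] = \"%@\"", kTeamID];
}

// Compile the text first so a syntax error shows up as an OSStatus in the log.
static BOOL RequirementCompiles(NSString *text) {
    SecRequirementRef req = NULL;
    OSStatus status = SecRequirementCreateWithString(
        (__bridge CFStringRef)text, kSecCSDefaultFlags, &req);
    if (req != NULL) CFRelease(req);
    if (status != errSecSuccess) NSLog(@"requirement rejected, OSStatus %d", (int)status);
    return status == errSecSuccess;
}

@interface ListenerDelegate : NSObject <NSXPCListenerDelegate, DaemonProtocol>
@end

@implementation ListenerDelegate
- (void)pingWithReply:(void (^)(NSString *))reply { reply(@"pong"); }

- (BOOL)listener:(NSXPCListener *)listener
        shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    NSString *requirement = PeerRequirement();
    if (!RequirementCompiles(requirement)) return NO;
    if (@available(macOS 13.0, *)) {
        // Set before resume so every incoming message is checked.
        [newConnection setCodeSigningRequirement:requirement];
    } else {
        return NO;  // fail closed on systems without the API
    }
    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(DaemonProtocol)];
    newConnection.exportedObject = self;
    [newConnection resume];
    return YES;
}
@end
```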
