Restrict XPC calls to a launch daemon

Hi,

Is there a way to restrict calls to a launch daemon? Can I allow only my app to use my daemon?

cheers, sivan

Yes. See Validating Signature Of XPC Process.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for your answer. I have posted a question regarding setCodeSigningRequirement, in the post that you have mentioned above.

Hi, I am using NSXPCConnection with setCodeSigningRequirement.

I tried different requirements. Simplest = "anchor apple generic". This one works. Requirement1 = "anchor apple generic and IssuerIsDeveloperID and LeafIsDeveloperIDApp". In this case my app can not connect with my daemon. Requirement2 = "anchor apple generic and certificate leaf[subject.OU] = <My Team Id>". In this case too, my app can not connect with my daemon.

My app and daemon are signed with the same developer id cert and same team id. What am I missing here?

Thanks, Sivan

I put a bunch of info, and links to other documents, in TN3127 Inside Code Signing: Requirements. I suggest you start there.

You can test test requirements using codesign. For example:

% codesign -v -v -R "=anchor apple" /System/Applications/TextEdit.app
…/TextEdit.app: valid on disk
…/TextEdit.app: satisfies its Designated Requirement
…/TextEdit.app: explicit requirement satisfied
% codesign -v -v -R "=anchor apple" "/Applications/Pacifist.app"     
…/Pacifist.app: valid on disk
…/Pacifist.app: satisfies its Designated Requirement
test-requirement: code failed to satisfy specified code requirement(s)

You can also compile them using csreq, which is a great way check just the syntax.

Hopefully the above will speed up your efforts to craft the correct requirement.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

thanks!

Restrict XPC calls to a launch daemon
 
 
Q