There does not seem to be a way to code sign a PAM module so that an XPC service can verify the signature with setCodeSigningRequirement. There should be a way to build a PAM module (dynamic library) so it can be code signed. Putting it in a bundle and code signing the bundle does not work.
PAM module connecting to an XPC Service where service uses setCodeSigningRequirement
There should be a way to build a PAM module (dynamic library) so it can be code signed.
It’s certainly possible to sign a PAM module:
% cp /usr/lib/pam/pam_deny.so.2 .
% codesign -s - -f pam_deny.so.2
pam_deny.so.2: replacing existing signature
However, that won’t help when it comes to -setCodeSigningRequirement:. macOS enforces security at process boundaries. PAM modules are in-process plug-ins, so they can’t be distinguished from any other code running in that process. Thus, from the perspective of the XPC remote peer, you can’t tell whether the request came from the PAM module running inside the process or from any other code running inside that process.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
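To make the process-boundary point concrete, here is an added example (not code from the thread or from Apple) of the listener side of an XPC service applying -setCodeSigningRequirement:. The protocol name, the exported object and the requirement string are assumptions; the requirement describes the peer process's main executable, which is why a PAM module cannot be singled out by it.

```swift
import Foundation

// Assumed protocol for the service; the thread does not show the real one.
@objc protocol AuthHelperProtocol {
    func check(_ token: String, reply: @escaping (Bool) -> Void)
}

final class AuthHelper: NSObject, AuthHelperProtocol {
    func check(_ token: String, reply: @escaping (Bool) -> Void) {
        // Placeholder policy; a real service would do its own work here.
        reply(!token.isEmpty)
    }
}

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    // Hypothetical requirement: Apple-anchored code whose main executable
    // carries this identifier. It is evaluated against the *process* that
    // opened the connection. If that process is a PAM host (sshd, loginwindow,
    // and so on), every plug-in loaded into it, PAM module or otherwise,
    // passes or fails this check together, exactly as the reply above says.
    let requirement = "anchor apple generic and identifier \"com.example.hostapp\""

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        // setCodeSigningRequirement(_:) exists on macOS 13 and later; XPC
        // applies it before any message from the peer is delivered.
        guard #available(macOS 13.0, *) else {
            return false   // refuse rather than run without the check
        }
        newConnection.setCodeSigningRequirement(requirement)
        newConnection.exportedInterface = NSXPCInterface(with: AuthHelperProtocol.self)
        newConnection.exportedObject = AuthHelper()
        newConnection.resume()
        return true
    }
}

// Entry point for an XPC service bundle (launchd hands us the listener).
let delegate = ListenerDelegate()
let listener = NSXPCListener.service()
listener.delegate = delegate
listener.resume()
```

When designing the service, treat the whole host process as the trust boundary: the requirement can tell you which process is calling, not which plug-in inside it.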