macOS version: 14.7.2; macOS SDK: macOS 14.5 (-sdk macosx14.5)
I am working on a sample program that validates against:
- Team Identifier
- Developer ID
I started with validating the Team Identifier, but my validation is not working: it allows launching programs whose signature does not match the team identifier.
Below is my code:
import Foundation
import LightweightCodeRequirements

func verifyExecutableWithLCR(executablePath: String, arguments: [String]) -> Bool {
    let task = Process()
    task.executableURL = URL(fileURLWithPath: executablePath) // launchPath is deprecated
    task.arguments = arguments
    if #available(macOS 14.4, *) {
        print("launchRequirementData is available on this system.")
        do {
            let req = try OnDiskCodeRequirement.allOf {
                TeamIdentifier("ABCDEFGHI")
                //SigningIdentifier("com.***.client.***-Client.****")
            }
            let encoder = PropertyListEncoder()
            encoder.outputFormat = .xml
            let requirementData = try encoder.encode(req)
            task.launchRequirementData = requirementData
            print("launchRequirementData is set.")
            // run() only throws when the process cannot be spawned at all. A
            // requirement mismatch does not throw: the process is created and the
            // trusted execution system kills it with SIGKILL before it executes
            // any instructions, so the verdict has to be read from the termination
            // status (use terminationHandler instead of waitUntilExit for a
            // long-lived helper).
            try task.run()
            task.waitUntilExit()
            if task.terminationReason == .uncaughtSignal && task.terminationStatus == SIGKILL {
                print("[ERROR] Process was killed at launch; the launch requirement was not satisfied.")
                return false
            }
            print("[SUCCESS] Executable passed the code signature verification (exit status \(task.terminationStatus)).")
            return true
        } catch {
            print("[ERROR] Could not build the requirement or start the process: \(error.localizedDescription)")
            return false
        }
    } else {
        print("[WARNING] launchRequirement is not available on this macOS version.")
        return false
    }
}
Could you please help me identify what I am doing wrong here?
Hmmm, this is working for me. I’ve included the source for my test tool at the end of this post. If I comment out the line that sets launchRequirementData, I see this:
will start
did start
did finish, status: 0
If I leave it in place I see this:
will start
did start
did finish, status: 9
That 9 is SIGKILL, and the crash report shows that the trusted execution system killed the process before it executed any instructions.
I’m testing with Xcode 16.2 on macOS 15.2. I don’t have time to test with macOS 14 today. However, I figured you could run my code and see what you get.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
import Foundation
import LightweightCodeRequirements

// Build the launch requirement: the child must be signed by this team.
// Process wants the requirement serialised as a property list, hence the encoder.
func signedByMyTeamRequirement() throws -> Data {
    let req = try OnDiskCodeRequirement.allOf {
        TeamIdentifier("SKMME9E2Y8")
    }
    let encoder = PropertyListEncoder()
    encoder.outputFormat = .xml
    return try encoder.encode(req)
}

func main() {
    do {
        print("will start")
        let p = Process()
        // /usr/bin/true is Apple-signed with no team identifier, so it cannot
        // satisfy the requirement above.
        p.executableURL = URL(fileURLWithPath: "/usr/bin/true")
        p.launchRequirementData = try signedByMyTeamRequirement()
        try p.run()
        print("did start")
        p.waitUntilExit()
        // With the requirement set this prints status 9 (SIGKILL); without it, 0.
        print("did finish, status: \(p.terminationStatus)")
    } catch {
        print("did not start, error: \(error)")
    }
}

main()
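The point Quinn's output makes is easy to get wrong in a wrapper: run() succeeds even when the launch requirement is not met, and the verdict only shows up as a SIGKILL after the process has been created. The following is an added example (my own code, not Quinn's tool and not the original poster's program) that turns that behaviour into an explicit result type. The team identifier "ABCDE12345" is a constructed placeholder, the helper names are my own, and only the TeamIdentifier constraint from the thread is used.

```swift
import Foundation
import LightweightCodeRequirements

/// What actually happened to a helper launched under a lightweight code requirement.
enum LaunchOutcome: Equatable {
    case unsupported                 // macOS < 14.4: launchRequirementData does not exist
    case failedToStart(String)       // run() threw: bad path, not executable, ...
    case killedAtLaunch              // SIGKILL before the first instruction: requirement not met
    case killedBySignal(Int32)       // died from some other signal while running
    case exited(Int32)               // ran to completion with this exit status
}

/// Serialise an OnDiskCodeRequirement the way Process expects it (XML plist).
/// Hypothetical helper; the constraint is the TeamIdentifier one from the thread.
func teamRequirementData(teamID: String) throws -> Data {
    let req = try OnDiskCodeRequirement.allOf {
        TeamIdentifier(teamID)
    }
    let encoder = PropertyListEncoder()
    encoder.outputFormat = .xml
    return try encoder.encode(req)
}

/// Launch `executable` under a TeamIdentifier launch requirement and report what
/// the kernel did with it. run() succeeds even when the requirement is not met:
/// the process is created and then killed with SIGKILL before it executes any
/// instructions, so the only reliable signal is the termination status.
func launchChecked(executable: String, arguments: [String] = [], teamID: String) -> LaunchOutcome {
    guard #available(macOS 14.4, *) else { return .unsupported }

    let p = Process()
    p.executableURL = URL(fileURLWithPath: executable)
    p.arguments = arguments
    do {
        p.launchRequirementData = try teamRequirementData(teamID: teamID)
        try p.run()
    } catch {
        return .failedToStart(String(describing: error))
    }
    p.waitUntilExit()

    if p.terminationReason == .uncaughtSignal {
        // SIGKILL is not exclusive to the launch constraint (kill -9, memory
        // pressure, ...), so treat it as "did not pass" and confirm with the
        // crash report when the distinction matters.
        return p.terminationStatus == SIGKILL ? .killedAtLaunch : .killedBySignal(p.terminationStatus)
    }
    return .exited(p.terminationStatus)
}

// Demo with a constructed placeholder team ID. /usr/bin/true is signed by Apple
// with no team identifier, so it can never satisfy this requirement: expect
// .killedAtLaunch. Point the same call at a binary signed by your own team
// (with your real team ID) and it should report .exited(0).
let placeholderTeamID = "ABCDE12345"
let outcome = launchChecked(executable: "/usr/bin/true", teamID: placeholderTeamID)
switch outcome {
case .unsupported:           print("launchRequirementData needs macOS 14.4 or later")
case .failedToStart(let e):  print("did not start: \(e)")
case .killedAtLaunch:        print("killed at launch (SIGKILL): requirement not satisfied")
case .killedBySignal(let s): print("killed by signal \(s) while running")
case .exited(let s):         print("ran; exit status \(s)")
}
```

Two practical notes. First, a wrapper that returns success as soon as run() returns will report every launch as verified, which is exactly the symptom described at the top of the thread; the decision has to be made after waitUntilExit (or in terminationHandler for a helper that stays running). Second, the reason to prefer launchRequirementData over checking the signature yourself before launching is that the constraint is evaluated at exec time by the system, so there is no window between your check and the launch in which the file on disk can be swapped.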