Does NSXPCConnection.setCodeSigningRequirement perform dynamic code signature checks?

To validate incoming XPC connections from other executables, we perform SecCode checks for the dynamic signature of the connection (kSecCSDynamicInformation).

Reading the setCodeSigningRequirement(_:) function documentation it appears to perform only static signing checks, is that so?

If we use the setCodeSigningRequirement(_:) function in our listener(_:shouldAcceptNewConnection:), do we still need to check the dynamic information to be properly secure?

Accepted Answer

So what threat are you trying to protect against here?

Most folks who ask about setCodeSigningRequirement(_:) are trying to ensure that their daemon is only accessed by their client. If that’s your goal then this question isn’t really relevant. If the client process’s code signature becomes invalid before it connects, this check will reject the connection. And if not, you know you’re working with the expected client and thus you can assume it won’t do something to invalidate its signature.

On the client side, you want to make sure your client enables the hardened runtime and doesn’t include any entitlements to disable the security features that the hardened runtime enables by default.

Oh, and for extra assurance you can sign your code with the kill flag. See the codesign man page for more on that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn,

We are indeed trying to ensure our daemon is only accessed by our client. We do have hardened runtime and kill via -o runtime in our codesign use.

We have some old code that checks our signing requirement though (pre-macOS 13) but it seems we can replace that old code with setCodeSigningRequirement(_:) instead. I wasn't clear from the documentation on setCodeSigningRequirement whether that was the case.

Thanks, Dave
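
The listener-side setup discussed in this thread, written out as an added example (not code from either poster or from Apple): the daemon applies its client's designated requirement with setCodeSigningRequirement(_:) before resuming the connection. The Mach service name, the client identifier, the TEAMID placeholder and the exported protocol are all assumptions.

```swift
import Foundation

// Assumed protocol exposed by the daemon; any real daemon would have its own.
@objc protocol DaemonProtocol {
    func ping(reply: @escaping (String) -> Void)
}

final class DaemonService: NSObject, DaemonProtocol {
    func ping(reply: @escaping (String) -> Void) { reply("pong") }
}

final class ListenerDelegate: NSObject, NSXPCListenerDelegate {
    // Designated requirement of the only client allowed to talk to this daemon.
    // "anchor apple generic" pins the chain to an Apple-issued signing identity;
    // the leaf certificate's OU field carries the team identifier. TEAMID and
    // com.example.client are placeholders for this example.
    private let clientRequirement = """
        anchor apple generic \
        and identifier "com.example.client" \
        and certificate leaf[subject.OU] = "TEAMID"
        """

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        guard #available(macOS 13.0, *) else {
            // setCodeSigningRequirement(_:) is macOS 13+. A pre-13 SecCode-based
            // check would go here; this example simply refuses the connection.
            return false
        }
        // Must be set before resume(): the system evaluates the peer's code
        // signature against the requirement and invalidates the connection
        // (no messages are delivered) if the peer does not satisfy it.
        newConnection.setCodeSigningRequirement(clientRequirement)

        newConnection.exportedInterface = NSXPCInterface(with: DaemonProtocol.self)
        newConnection.exportedObject = DaemonService()
        newConnection.resume()
        return true
    }
}

// Daemon entry point; the Mach service name is an assumption for the example.
let listener = NSXPCListener(machServiceName: "com.example.daemon")
let delegate = ListenerDelegate()
listener.delegate = delegate
listener.resume()
RunLoop.main.run()
```

The requirement string can be checked against the shipping client with `codesign -d -r- /path/to/Client.app`, which prints the designated requirement codesign actually embedded.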
