Register Token Extension with SecurityAgent

https://developer.apple.com/documentation/cryptotokenkit/authenticating_users_with_a_cryptographic_token states that a token extension needs to be registered by executing its hosting app as the _securityagent user. This unfortunately does not work for me: Launching my hosting app as described in the documentation does not register the token extension. Also I get the following output from the hosting app when executed as _securityagent:


"*Forcing* IMK Distributed Objects (not XPC) in App = myHostingApp, euid=92"


Launching my hosting app as the current, "normal" user causes the token extension to be registered just fine and, except for smart card logon, every functionality you would expect from a token (pairing with user, unlocking system keychain, etc.) is available and functional.


Did somebody else encounter this issue as well?

Accepted Answer

To provide closure to this: It is possible to register the CryptoTokenKit driver as _securityagent by running "pluginkit -a" in the appropriate context using launchctl. However I have observed that after some years the method described in the documentation suddenly started to work as well, so using launchctl probably isn't necessary anymore.

Answers

I did encounter an error when executing the host app with the sudo -u _securityagent command. It came up with Permission denied.

In some cases I got it working, but after restarting the machine, the system does not allow me to log on using smartcard.

Did you get any solution for this issue? I am also facing this issue.
