Hi, I'm using NSURSessionDataTask in order to send REST command to remote server. the server doesn't request client-side verification in TLS, but the client does request server authentication as implemented in the following code if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) { NSURLCredential* credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]; completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil); However, even though I set the server certificate as "Trusted" I get the following failure : 2023-01-13 00:45:51.139349+0700 0x348f4 Default  0x0        7633 0 pas: (CFNetwork) System Trust Evaluation yielded stat us(-9802) 2023-01-13 00:45:51.139390+0700 0x348f4 Error   0x0        7633 0 pas: (CFNetwork) ATS failed system trust 2023-01-13 00:45:51.139413+0700 0x348f4 Error   0x0        7633 0 pas: (CFNetwork) Connection 132: system TLS Trust eva luation failed(-9802) 2023-01-13 00:45:51.139432+0700 0x348f4 Default  0x0        7633 0 pas: (CFNetwork) Connection 132: TLS Trust result -98 02 2023-01-13 00:45:51.139450+0700 0x348f4 Error   0x0        7633 0 pas: (CFNetwork) Connection 132: TLS Trust encountere d error 3:-9802 2023-01-13 00:45:51.139467+0700 0x348f4 Error   0x0        7633 0 pas: (CFNetwork) Connection 132: encountered error(3: -9802) 2023-01-13 00:45:51.139488+0700 0x348f4 Default  0x0        7633 0 pas: (CFNetwork) Connection 132: cleaning up 2023-01-13 00:45:51.139508+0700 0x348f4 Default  0x0        7633 0 pas: (CFNetwork) [com.apple.CFNetwork:Summary] Connec tion 132: summary for unused connection {protocol=“(null)“, domain_lookup_duration_ms=0, connect_duration_ms=0, secure_connection_duration_ms=0 , private_relay=false, idle_duration_ms=0} I also tried to connect the same URL from various browsers, and it passed those security checks... How can I figure out what is the problem here? I made sure that the server certificate is set to trusted on system keychain, and my process is running in elevated user mode. I know how to disable this check, but I prefer to understand exactly what It means and fix the certificate chain if needed. thanks

Hi, I've built an installation package (file with .pkg suffix). when I double click the pkg file whereas newer version of the package is already installed, then the installer skip the downgrade process due to the following reason. 2023-02-22 20:19:11+02 my-Mac installd[744]: PackageKit: Skipping component “com.myapp.mycompany” (22.9.0-2209.0.0-*) because the version 23.2.3559-2302.3559.11638-* is already installed at /Applications/myapp.app. However, I still see that the preinstall and postinstall script being executed. Perhaps there's a way to either enable the downgrade, or disable it completely, so I won't get this partial install scenario. Is there a way I can get indication that the installer has skipped the file copying of the target pkg, from within the post/pre install scripts (so I can handle it properly) ?

I'm signing using "Developer ID Application" and it suddenly started failing due to the following reason A timestamp was expected but was not found.. from the logs it looks like a failure to connect Apple's dedicated server. Perhaps there's a way to verify this theory, or get another timestamp server to be set in --timestamp option? thanks 2023-04-24 15:53:38.977560+0300 0x2e29ef5 Error 0x0 696 0 XPCTimeStampingService: (CFNetwork) NSURLConnection finished with error - code -1001 2023-04-24 15:53:38.977753+0300 0x2e29ef5 Default 0x0 696 0 XPCTimeStampingService: (CFNetwork) [com.apple.CFNetwork:Summary] Task <42F5893A-941A-4293-BB14-F75C42363836>.<0> summary for task failure {transaction_duration_ms=15792, response_status=-1, connection=817, reused=1, request_start_ms=0, request_duration_ms=0, response_start_ms=0, response_duration_ms=0, request_bytes=0, response_bytes=0, cache_hit=false}

Hi, I'd like to be able to run my daemon process only in pre-logon mode that can be reach by either reboot the machine prior to provide user credentials, or by log out from current user. So far I couldn't find any useful configuration in the plist file under /Library/LaunchDaemon. Perhaps there's a way to get notification programmatically for when the system enter/exit pre-login mode ? Thanks

Hi, i'm working on an endpoint security extension loader and implement several callbacks from delegate object OSSystemExtensionRequestDelegate the callback i'm interested in is : public func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result); public func requestNeedsUserApproval(_ request: OSSystemExtensionRequest); I've noticed that if I manually approve the extension long time after it was activated, the extension process goes up, but the callback isn't being called. The requestNeedUserApproval callback always gets called. I see in the unified logs that when the extension goes from activated_waiting_for_user -> activated_enabling -> activated_enabled Than the request callback doesn't get called. But whenever the extension goes activated_waiting_for_user -> activated_disabled The request callback gets called. (this is counter intuitive since we expected the state activated_disabled may hint that the extension failed to be activated somehow) Any Idea why my callback doesn't gets called if the extension gets approved long after it was activated ?

I'm using NETransparentProxyProvider to intercept udp sockets using the method handleNewUDPFlow. An application may create a UDP socket and set the DONTFRAG using setsockopt method setsockopt(s, IPPROTO_IP, IP_DONTFRAG, &val, sizeof(val)) In this case, do I have option in this case, to get the connection settings inside the callback (void)handleNewUDPFlow:(NEAppProxyUDPFlow *)flow initialRemoteEndpoint:(NWEndpoint *)remoteEndpoint; So in this case, I would be able to create the outgoing socket with the exact same characteristics, after the original app socket got intercepted by my proxy provider ?

Following previous question here :https://developer.apple.com/forums/thread/801397, I've decided to move my VPN implementation using NEPacketTunnelProvider on a dedicated networkExtension. My extension receives packets using readPacketsWithCompletionHandler and forwards them immediately to a daemon through a shared memory ring buffer with Mach port signaling. The daemon then encapsulates the packets with our VPN protocol and sends them over a UDP socket. I'm seeing significant throughput degradation, much higher than the tunnel overhead itself. On our side, the IPC path supports parallel handling, but I'm not not sure whether the provider has any internal limitation that prevents packets from being processed in parallel. The tunnel protocol requires packet ordering, but preparation can be done in parallel if the provider allows it. Is there any inherent constraint in NEPacketTunnelProvider that prevents concurrent packet handling, or any recommended approach to improve throughput in this model? For comparison, when I create a utun interface manually with ifconfig and route traffic through it, I observe performance that is about four times faster.

Hi, I'd like to establish connection between my application and a remote server. Ideally it would be using webSocket since the communication is bi-directional and asynchronous. However, In case the webSocket isn't established properly or failing sometime after it was created (due to firewall, proxy servers, network switching or any other reason), than I'd like to switch to using periodical simple HTTPS POST requests (keep alive messages) where the server-to-client data transferred on the responses. The server should also support both communication methods. The following code should reflect my approach. Please advise if this could work or perhaps there are built-in solutions in the framework. NSURL * reqUrl = [NSURL URLWithString:@"wss://mydomain.com"]; NSURLSession* session = [NSURLSession sessionWithConfiguration: [NSURLSessionConfiguration defaultSessionConfiguration]]; NSMutableURLRequest *req = [NSMutableURLRequest requestWithURL:reqUrl]; webSocketTaskWithURL * socketConnection = [URLSession webSocketTaskWithURL:url]; socketConnection.resume() [socketConnection sendMessage:message completionHandler: ^(NSError * e) { if (e != nil) { // fallback to https [req setHTTPBody:[message dataUsingEncoding:NSUTF8StringEncoding]] NSURLSessionDataTask *data_task_http = [session dataTaskWithRequest:req]; completionHandler: ^(NSData * _Nullable data, NSURLResponse * _Nullable response, NSError * _Nullable error) { /*blabla*/}]; [data_task resume]; }

I've got the following code that I use to communicate with a remote server. However, when the response contain a large enough file, the callback block never called, the only thing that trigger the callback, is when I explicitly invoke the cancel method after some timeout from the NSURLSession task (_dataTask). notice that using tcpdump I did observe that the response was properly received on the client side. NSURLSessionConfiguration* config = [NSURLSessionConfiguration defaultSessionConfiguration]; NSOperationQueue *queue = [[NSOperationQueue alloc] init]; queue.maxConcurrentOperationCount = 1; NSURLSession* session = [NSURLSession sessionWithConfiguration:config delegate:nil delegateQueue:queue]; _dataTask = [session dataTaskWithRequest:req completionHandler:^(NSData * _Nullable data, NSURLResponse * _Nullable response, NSError * _Nullable error) { if ([error code] == NSURLErrorCancelled) { writeLog(LOG_ERROR, "NSURLErrorCancelled"); } else { <my completion callback> } }]; [_dataTask resume] I'd like to know if using dataTask has response size limit (because it's working for small files on response body) and if there is such a limit, so which other method should I use in order to overcome it. I saw that there's an alternative method in NSUrlsession dedicated for downloading files called downloadTaskWithRequest but it doesn't have an async completion block.

Hi, I've set the C++ language dialect in my project to c++2a. Than it failed on compiling .mm file which has the following line @import AppKit; But if replace it with the following line and link with framework from project build phases, than it works. #import <AppKit/AppKit.h> My .mm file is including for adapter swift header file (*-Swift.h) which is auto generated and has this @import directive. is it a known issue, should I file a bug ?

I'd like to add a short script that runs clang-format upon trying to save a file in Xcode project. the script will do the following command : #!/bin/zsh /usr/local/bin/clang-format -i <saved_file> Does Xcode support this feature (in visual studio it's called format-on-save :  https://code.visualstudio.com/updates/v1_6#_format-on-save

Hi, I was wondering if there's any option to run xcodebuild to compile the project and skip the code signing phase, even though, a signing account is set in the project under signing and capabilities. The motivation for that, is that on some occasions, my project get built using GitLab CI/CD pipeline, which have machine pool that doesn't have Xcode with account. So I'd like to build only and check that nothing got broken. thanks

Hi, I've made a pkg installation file that usually works. However, for some setups I gets the following failure after postinstall finish (return 0) 2023-01-12 10:52:00-08 ESXBigSurVM-5 package_script_service[815]: Responsibility set back to self. 2023-01-12 10:52:00-08 ESXBigSurVM-5 installd[781]: PackageKit: Writing receipt for com.myprod.mycomp to / 2023-01-12 10:52:00-08 ESXBigSurVM-5 install_monitor[814]: Re-included: /Applications, /Library, /System, /bin, /private, /sbin, /usr 2023-01-12 10:52:01-08 ESXBigSurVM-5 installd[781]: PackageKit: releasing backupd 2023-01-12 10:52:01-08 ESXBigSurVM-5 installd[781]: PackageKit: allow user idle system sleep 2023-01-12 10:52:01-08 ESXBigSurVM-5 installd[781]: PackageKit: Cleared responsibility for install from 773. 2023-01-12 10:52:01-08 ESXBigSurVM-5 installd[781]: PackageKit: Cleared permissions on Installer.app 2023-01-12 10:52:01-08 ESXBigSurVM-5 installd[781]: PackageKit: Install Failed: Error Domain=NSCocoaErrorDomain Code=513 "You don't have permission to save the file "com.myprod.mycomp.bom" in the folder "receipts"." UserInfo={NSFilePath=/var/db/receipts/com.myprod.mycomp.bom, NSUnderlyingError=0x7f92fe515760 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}} { NSFilePath = "/var/db/receipts/com.myprod.mycomp.bom"; NSUnderlyingError = "Error Domain=NSPOSIXErrorDomain Code=1 \"Operation not permitted\""; } 2023-01-12 10:52:01-08 ESXBigSurVM-5 installd[781]: PackageKit: Running idle tasks I've used the installer command with sudo, but i'm still getting the permissions issue ... sudo /usr/sbin/installer -pkg /path/to/my/file.pkg -target / Any idea why this is happening only in some setups (usually VMs running BigSur) ? and how could i prevent it ?

I'm looking for API to add a new kerberos credentials to macOS internal ticket store. Basically, I'd like to replace the whole authentication process with a proprietary component and not rely on the OS kerberos implementation, and get the following items: Client-to-server ticket encrypted using the resource's secret key. A new Authenticator encrypted using Client/Server Session Key I'd like to set these 2 items where the OS keeps these items to be used when communicating with the resource itself. Also, I'd like to keep another kerberos item retrieved after the first communication with the resource and it's used for SSO to allow additional request to the resource for a certain period of time. this item is the timestamp found in client's Authenticator encrypted using the Client/Server Session Key Is there an API I can use to inject those items to where the OS keeps the kerberos Items so it can use them when it access the resource itself.

Hi, I am using xcode build that receive it's configuration using xcconfig files, those add some new definitions to the project, like the location of openssl library. If xcode environment variable include prefix that matches one of the fields in the project settings, it is automatically referred to as if you added it to that field. for example : the var HEADER_SEARCH_PATHS_openssl_libopenssl has value (openssl headers' path) that should be automatically added to the field Headers Search Paths under project settings. For some reason it stopped working for me and i'm not sure why (i've tried to release the xcconfig files). any idea why ? Thanks !