Reply to Restrict access to keychain using non-standard access control policy
Just a follow-up question, since you mentioned the concept of DRM. So I've read the technical document about Apple's version of DRM, called "Apple FairPlay", and it looks like it's not good for application verification. I wonder if there's any built-in signing certificate in the keychain that is non-exportable (and is kept in the Secure Enclave) that I can use with my app to prove that the device I'm running my program on is an expected device. This way, I can at least verify that the app is not installed on an unauthorized machine...
Topic: Privacy & Security SubTopic: General Tags:
May ’23
Reply to Restrict access to keychain using non-standard access control policy
Hi Quinn, and thanks for the answer. It indeed seems like the right solution for me, except for the fact that any privileged user can directly access the keychain item (see attached). Perhaps there's a way to prevent this? Do I need the file-based keychain in this case, and to create a dedicated keychain for this item with a unique password that only the process will possess? Or perhaps I can achieve my goal by simply using a different item type (not a password) that limits content viewing from outside the keychain API? Thanks
Topic: Privacy & Security SubTopic: General Tags:
May ’23
Reply to Restrict access to keychain using non-standard access control policy
My process can be either a bundled application (under /Applications), or a sub-bundle application that can run as a launchAgent (in the user context). I've programmed those applications, so I can tell they have a main.m source file.
"Also, is all of this code running in the same GUI login context?"
Yes, all my applications are running in the same user context (launchAgent or standalone application). I wonder if I can use the application's keychain group to be able to exclusively access specific private items in the keychain. I've noticed that when I create a keychain item (using the SecItemAdd command), it can be accessed/deleted from the keychain app UI, and I want to prevent that and allow only the app with a specific group ID exclusive access to this item.
Topic: Privacy & Security SubTopic: General Tags:
May ’23
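The posts above ask how to make a keychain item reachable only by the app that created it, rather than by anything that can open the keychain. The following is an added example, not code from the thread or from Apple: it stores a generic password in the macOS data protection keychain and scopes it to one keychain access group, so only code whose keychain-access-groups entitlement lists that group can read it back through the SecItem API. The access group and service name are placeholders; a real app uses its own team-prefixed group, and the process must be signed with the matching entitlement or SecItemAdd fails with errSecMissingEntitlement.

```objc
// Added example: scope a secret to one keychain access group in the
// data protection keychain (macOS 10.15+). Placeholder identifiers.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Placeholder: replace with TEAMID.<your group> from the entitlement.
static NSString * const kExampleAccessGroup = @"TEAMID.com.example.shared";
static NSString * const kExampleService     = @"com.example.agent-token";

// Attributes shared by the add and the lookup, so both address the same item.
static NSMutableDictionary *ExampleBaseQuery(void) {
    return [@{
        (__bridge id)kSecClass:                    (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:              kExampleService,
        (__bridge id)kSecAttrAccessGroup:          kExampleAccessGroup,
        // Opt in to the data protection keychain instead of a file-based one.
        (__bridge id)kSecUseDataProtectionKeychain: @YES,
    } mutableCopy];
}

// Stores the secret. Returns the raw OSStatus so the caller can tell
// errSecDuplicateItem (already stored) apart from real failures.
OSStatus ExampleStoreSecret(NSData *secret) {
    NSMutableDictionary *attrs = ExampleBaseQuery();
    // Item never leaves this device and is only readable while unlocked.
    attrs[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    attrs[(__bridge id)kSecValueData] = secret;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Reads the secret back. Returns nil and sets *status on any failure,
// including the case where the caller lacks the access group entitlement.
NSData *ExampleReadSecret(OSStatus *status) {
    NSMutableDictionary *query = ExampleBaseQuery();
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    OSStatus err = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status) *status = err;
    if (err != errSecSuccess) return nil;
    return (__bridge_transfer NSData *)result;
}

// Removes the item, e.g. when the agent is uninstalled.
OSStatus ExampleDeleteSecret(void) {
    return SecItemDelete((__bridge CFDictionaryRef)ExampleBaseQuery());
}

int main(void) {
    @autoreleasepool {
        // Constructed sample secret; a real token would come from the server.
        NSData *sample = [@"constructed-sample-token" dataUsingEncoding:NSUTF8StringEncoding];
        OSStatus add = ExampleStoreSecret(sample);
        NSLog(@"SecItemAdd -> %d", (int)add);
        OSStatus rd = 0;
        NSData *back = ExampleReadSecret(&rd);
        NSLog(@"SecItemCopyMatching -> %d, %lu bytes", (int)rd, (unsigned long)back.length);
    }
    return 0;
}
```

The design point is that access is decided by code signing identity (the entitlement on the calling process) rather than by a password the process would have to hold, which is what the file-based "dedicated keychain with a unique password" approach would require.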
Reply to Mixing NEDNSProxyProvider and NEAppProxyProvider create problems sending DNS requests
Hi Meaton, Perhaps you can guide me on how to distinguish DNS packets/responses from other traffic (TCP/UDP) in NETransparentProxyProvider. I know how to use handleNewFlow and handleNewUDPFlow to catch all TCP/UDP traffic; I guess that in order to extract the DNS packets I need to add to the completion of handleNewUDPFlow a check whether the destination port is 53, right? Also, how can I get the name of the process initiating the connection in NETransparentProxyProvider? I want to get callbacks for certain apps only. Do I need to check all connections, or can I configure the transparent provider to forward the connections at app resolution? If so, how can I configure it in saveToPreferences from the manager side? Thanks
Apr ’23
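As an added example (not code from the thread or from Apple) of the two checks the post asks about, the provider below inspects each new flow in a NETransparentProxyProvider subclass: it reads the originating app's signing identifier from the flow's NEFlowMetaData and checks whether the remote endpoint's port is 53 before deciding whether to take the flow. The watched signing identifiers are placeholders. Every flow that the provider's network rules match is still delivered to these callbacks; the per-app decision is made here by returning NO, which hands the flow back to the normal network stack untouched.

```objc
// Added example: classify flows by originating app and by DNS port.
#import <Foundation/Foundation.h>
#import <NetworkExtension/NetworkExtension.h>

// Placeholder signing identifiers of the apps we want to observe.
static NSSet<NSString *> *ExampleWatchedSigningIDs(void) {
    return [NSSet setWithObjects:@"com.example.browser", @"com.example.mailer", nil];
}

// True when the endpoint is a host endpoint addressed to port 53.
static BOOL ExampleIsDNSEndpoint(NWEndpoint *endpoint) {
    if (![endpoint isKindOfClass:[NWHostEndpoint class]]) return NO;
    return [((NWHostEndpoint *)endpoint).port isEqualToString:@"53"];
}

// True when the flow came from one of the watched apps.
static BOOL ExampleIsWatchedFlow(NEAppProxyFlow *flow) {
    NSString *signingID = flow.metaData.sourceAppSigningIdentifier;
    return signingID != nil && [ExampleWatchedSigningIDs() containsObject:signingID];
}

@interface ExampleTransparentProxyProvider : NETransparentProxyProvider
@end

@implementation ExampleTransparentProxyProvider

// TCP flows arrive here (UDP flows too, if handleNewUDPFlow: is not implemented).
- (BOOL)handleNewFlow:(NEAppProxyFlow *)flow {
    if (![flow isKindOfClass:[NEAppProxyTCPFlow class]]) return NO;
    if (!ExampleIsWatchedFlow(flow)) return NO;          // not our app: leave it alone
    NEAppProxyTCPFlow *tcp = (NEAppProxyTCPFlow *)flow;
    BOOL isDNS = ExampleIsDNSEndpoint(tcp.remoteEndpoint); // DNS over TCP
    NSLog(@"TCP flow from %@ to %@ (dns=%d)",
          flow.metaData.sourceAppSigningIdentifier, tcp.remoteEndpoint, isDNS);
    // Returning NO here lets the system carry the flow as usual; a provider
    // that wants to handle the flow itself would return YES and open it.
    return NO;
}

// UDP flows: the initial remote endpoint carries the destination port.
- (BOOL)handleNewUDPFlow:(NEAppProxyUDPFlow *)flow
       initialRemoteEndpoint:(NWEndpoint *)remoteEndpoint {
    if (!ExampleIsWatchedFlow(flow)) return NO;
    BOOL isDNS = ExampleIsDNSEndpoint(remoteEndpoint);   // classic DNS over UDP/53
    NSLog(@"UDP flow from %@ to %@ (dns=%d)",
          flow.metaData.sourceAppSigningIdentifier, remoteEndpoint, isDNS);
    return NO;
}

@end
```

Note that matching on port 53 only identifies classic DNS; DNS over HTTPS or TLS uses ports 443 and 853 and is not distinguishable by port alone.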
Reply to Passing NSURLCredential in XPC connection fail in decoder
Hi Eskimo, So regarding the installation process of the certificate + private key in the login keychain, sadly I don't have any control over this flow and I have to deal with a non-exportable private key in the login keychain, and my goal is to be able to use it as part of client-side authentication in TLS. After reading the links you showed me I think I have a workaround to the problem... Once I reach the didReceiveChallenge call on the Daemon side, I will first execute the service's Mach-O file as a user-mode process, in such a way that it will send a dummy HTTPS request to the server. This will trigger didReceiveChallenge once again, but from the user-mode process, and now I can extract the identity easily and pass it to the completion handler. This will likely present a popup window where I should confirm using the private key for signing (see attached image). Once the user presses "Always Allow", the request will be sent and we go back to the original Daemon, now that this key is accessible for signing on this machine. Now I don't need access to the window server to display any popups, since I already accepted the use of this private key, and if I do seteuid to the current active user, I can get the identityRef in the same way I did in the user-mode instance of this Daemon, and when I send it to the completionHandler, it already has access to this key, so the whole process will go without any user interaction. This flow is basically meant to bypass the Daemon's failed attempt to get keychain signing with the private key allowed, since this isn't possible as the key resides in the login keychain and the Daemon cannot interact with the window server to trigger popup windows. It's a relatively complicated solution, but I don't have any other choice given how the certificate was installed in the keychain.
Topic: App & System Services SubTopic: General Tags:
Apr ’22
Reply to Passing NSURLCredential in XPC connection fail in decoder
Hi Eskimo, So if I understand you correctly, since my identity (which represents the private key) cannot be exported from the login keychain, I therefore cannot set it in the system keychain. In this case, what options do I have left? My main objective is to establish the HTTPS connection from the Daemon, and unfortunately the certificate is installed only in the login keychain... Maybe it's worth considering seteuid to the active user? Thanks!
Topic: App & System Services SubTopic: General Tags:
Apr ’22
Reply to Passing NSURLCredential in XPC connection fail in decoder
Hi Eskimo, thanks for the thorough explanation. To your question: my user signing certificate (leaf certificate with the private key installed in the login keychain) is installed so that you cannot export the private key (when trying to export the object to a p12 file, I get the following error: "An error has occurred. Unable to export an item... The contents of this item cannot be retrieved"). Basically, there's another piece of software that deploys this certificate into the keychain, and I have no control over it (it's JAMF Self Service). So in this case, what are my options to pass the digital identity to the Daemon process?
Topic: App & System Services SubTopic: General Tags:
Apr ’22
Reply to Passing NSURLCredential in XPC connection fail in decoder
Hi Eskimo, Perhaps you can advise on the right approach in this matter? I'm thinking about converting the SecCertificateRef objects in the certificate chain into NSData using a method like SecCertificateCopyData, and converting them back to certificate type on the other side (the daemon side) before importing each such certificate into the keychain. Do you recommend this approach? Thanks!
Topic: App & System Services SubTopic: General Tags:
Apr ’22
Reply to Passing NSURLCredential in XPC connection fail in decoder
Luckily I control the user process code as well. This is how I create the NSURLCredential in my user process:

    NSURLCredential *certificateBasedCredential =
        [NSURLCredential credentialWithIdentity:identityRef
                                   certificates:certificateArray
                                    persistence:NSURLCredentialPersistenceForSession];

where certificateArray consists of the certificates from the chain (up to the agreed self-signed CA). So your proposal is to simply pass this array of certificates to the Daemon so it can save them in the system keychain and use them when needed, right? But is it possible to pass reference objects of type SecCertificateRef over XPC, or should I use a different type? Thanks!
Topic: App & System Services SubTopic: General Tags:
Apr ’22
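The two posts above ask whether a chain of SecCertificateRef objects can be sent over XPC by converting each to NSData with SecCertificateCopyData and rebuilding it on the daemon side. The following is an added example, not code from the thread or from Apple, showing that round trip: the sender encodes the chain as DER blobs (plain NSData, which XPC and NSSecureCoding accept), the receiver rebuilds each certificate with SecCertificateCreateWithData and rejects the whole batch if any blob does not parse, and a helper adds a rebuilt certificate to the keychain. Only the public certificates travel this way; the identity's non-exportable private key is not part of it. The import goes to the default keychain of the calling process, which for a daemon is normally the System keychain; if that assumption does not hold, the target keychain can be selected with kSecUseKeychain.

```objc
// Added example: serialize a certificate chain for XPC and rebuild it.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Sender side: SecCertificateRef -> DER bytes. Returns nil if any element
// of the array is not a certificate, so a malformed chain is never sent.
NSArray<NSData *> *ExampleEncodeCertificateChain(NSArray *chain) {
    NSMutableArray<NSData *> *out = [NSMutableArray arrayWithCapacity:chain.count];
    for (id obj in chain) {
        CFTypeRef ref = (__bridge CFTypeRef)obj;
        if (CFGetTypeID(ref) != SecCertificateGetTypeID()) return nil;
        NSData *der = (__bridge_transfer NSData *)SecCertificateCopyData((SecCertificateRef)ref);
        if (der == nil) return nil;
        [out addObject:der];
    }
    return out;
}

// Receiver side: DER bytes -> SecCertificateRef. Returns nil if any blob is
// not a valid DER certificate, so untrusted XPC input cannot yield a partial chain.
NSArray *ExampleDecodeCertificateChain(NSArray<NSData *> *blobs) {
    NSMutableArray *out = [NSMutableArray arrayWithCapacity:blobs.count];
    for (NSData *der in blobs) {
        if (![der isKindOfClass:[NSData class]]) return nil;
        SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
        if (cert == NULL) return nil;
        [out addObject:(__bridge_transfer id)cert];
    }
    return out;
}

// Adds one certificate (no private key) to the caller's default keychain so
// that later chain building can find it. An already-present certificate is
// treated as success.
OSStatus ExampleImportCertificate(SecCertificateRef cert) {
    NSDictionary *attrs = @{
        (__bridge id)kSecClass:    (__bridge id)kSecClassCertificate,
        (__bridge id)kSecValueRef: (__bridge id)cert,
    };
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    return status == errSecDuplicateItem ? errSecSuccess : status;
}

// Human-readable label, useful when logging what the daemon received.
NSString *ExampleCertificateSummary(SecCertificateRef cert) {
    return (__bridge_transfer NSString *)SecCertificateCopySubjectSummary(cert);
}

int main(void) {
    @autoreleasepool {
        // Constructed input: a blob that is not DER, to show the decoder refusing it.
        NSArray<NSData *> *bogus = @[[@"not a certificate" dataUsingEncoding:NSUTF8StringEncoding]];
        NSArray *decoded = ExampleDecodeCertificateChain(bogus);
        NSLog(@"decode of bogus blob -> %@", decoded == nil ? @"rejected" : @"accepted");
    }
    return 0;
}
```

On the XPC interface, declare the parameter as an NSArray of NSData and, when using NSXPCInterface, whitelist both classes with setClasses:forSelector:argumentIndex:ofReply: so the proxy's secure-coding check accepts the payload.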