Hi, I'm working on macOS launchAgent based project, and using 3rd party code to upload big files to remote server. from time to time, I see that the upload rate is very slow and when i try it to use command line tool, the paste is much faster. Therefore, I believe that launchAgent based processes, may get low priority in using network bandwidth compared to foreground tools. I wonder if there's anything I can do on the process' info.plist file to get better prioritization on network resources. Perhaps I need to call the file uploader/downloader from dedicated XPC helper tool, but I prefer doing it from the same process. Thanks !

Hi, I'd like to allow only a specific process to read sensitive items from keychain (based on process signature using method SecItemCopyMatching), and fail any other read attempt. Is it possible, what are the access control rules I can define for keychain access if this is not possible ? I'm now using the default user keychain, perhaps I should create a different keychain with non-trivial access control, so that not all processes that are running with user context or even with root privileges, would be able to get the data. Thanks Here's my read example : func read(service: String, account: String) -> Data? { let query = [ kSecAttrService: service, kSecAttrAccount: account, kSecClass: kSecClassGenericPassword, kSecReturnData: true ] as CFDictionary var result: AnyObject? SecItemCopyMatching(query, &result) return (result as? Data) }

I'm signing using "Developer ID Application" and it suddenly started failing due to the following reason A timestamp was expected but was not found.. from the logs it looks like a failure to connect Apple's dedicated server. Perhaps there's a way to verify this theory, or get another timestamp server to be set in --timestamp option? thanks 2023-04-24 15:53:38.977560+0300 0x2e29ef5 Error 0x0 696 0 XPCTimeStampingService: (CFNetwork) NSURLConnection finished with error - code -1001 2023-04-24 15:53:38.977753+0300 0x2e29ef5 Default 0x0 696 0 XPCTimeStampingService: (CFNetwork) [com.apple.CFNetwork:Summary] Task <42F5893A-941A-4293-BB14-F75C42363836>.<0> summary for task failure {transaction_duration_ms=15792, response_status=-1, connection=817, reused=1, request_start_ms=0, request_duration_ms=0, response_start_ms=0, response_duration_ms=0, request_bytes=0, response_bytes=0, cache_hit=false}

Hi, I'm using 2 separated providers, each derived from dns and application providers respectively. in the application provider I use the object NETunnelNetworkSettings as input in method to setTunnelNetworkSettings to catch all network data originated from some specific applications (including dns packets). in the dns provider I'd like to catch all dns traffic in general disregarding any specific application where the request was originated from. in my experiment, If I avoid setting the DNS server addresses in DNSSettings inside NETunnelNetworkSettings, than all DNS originated from the specific application I set using the app proxy tunnel, will be destined to address 10.0.0.10 by default (and not the default DNS address). However, If I do set this DNSSettings value, I get the following block (in my example I set the app proxy to catch the traffic of zoom.us application) 2023-04-19 11:34:45.493033+0300 0x1206 Default 0x0 501 0 mDNSResponder: [com.apple.mDNSResponder:Default] [Q36288] ShouldSuppressUnicastQuery: Query suppressed for zoom.us. Addr (blocked by policy) 2023-04-19 11:34:45.493582+0300 0x1206 Default 0x0 501 0 mDNSResponder: [com.apple.mDNSResponder:Default] [Q14787] ShouldSuppressUnicastQuery: Query suppressed for zoom.us. AAAA (blocked by policy) my desire is to catch the application connections using the app proxy provider, and leave the dns requests/responses for the dns proxy provider. I know this might not be the best approach, but perhaps there's a way to "tell" my application proxy provider to "ignore" DNS packets on udp connection, and let the DNS proxy handle it (without getting blocked by policy error, which happen before the packet reaches any of the proxy providers.) thanks !

I'm looking for API to add a new kerberos credentials to macOS internal ticket store. Basically, I'd like to replace the whole authentication process with a proprietary component and not rely on the OS kerberos implementation, and get the following items: Client-to-server ticket encrypted using the resource's secret key. A new Authenticator encrypted using Client/Server Session Key I'd like to set these 2 items where the OS keeps these items to be used when communicating with the resource itself. Also, I'd like to keep another kerberos item retrieved after the first communication with the resource and it's used for SSO to allow additional request to the resource for a certain period of time. this item is the timestamp found in client's Authenticator encrypted using the Client/Server Session Key Is there an API I can use to inject those items to where the OS keeps the kerberos Items so it can use them when it access the resource itself.

Hi, I've built an installation package (file with .pkg suffix). when I double click the pkg file whereas newer version of the package is already installed, then the installer skip the downgrade process due to the following reason. 2023-02-22 20:19:11+02 my-Mac installd[744]: PackageKit: Skipping component “com.myapp.mycompany” (22.9.0-2209.0.0-*) because the version 23.2.3559-2302.3559.11638-* is already installed at /Applications/myapp.app. However, I still see that the preinstall and postinstall script being executed. Perhaps there's a way to either enable the downgrade, or disable it completely, so I won't get this partial install scenario. Is there a way I can get indication that the installer has skipped the file copying of the target pkg, from within the post/pre install scripts (so I can handle it properly) ?

Hi, I'm using NSURSessionDataTask in order to send REST command to remote server. the server doesn't request client-side verification in TLS, but the client does request server authentication as implemented in the following code if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) { NSURLCredential* credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]; completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil); However, even though I set the server certificate as "Trusted" I get the following failure : 2023-01-13 00:45:51.139349+0700 0x348f4 Default  0x0        7633 0 pas: (CFNetwork) System Trust Evaluation yielded stat us(-9802) 2023-01-13 00:45:51.139390+0700 0x348f4 Error   0x0        7633 0 pas: (CFNetwork) ATS failed system trust 2023-01-13 00:45:51.139413+0700 0x348f4 Error   0x0        7633 0 pas: (CFNetwork) Connection 132: system TLS Trust eva luation failed(-9802) 2023-01-13 00:45:51.139432+0700 0x348f4 Default  0x0        7633 0 pas: (CFNetwork) Connection 132: TLS Trust result -98 02 2023-01-13 00:45:51.139450+0700 0x348f4 Error   0x0        7633 0 pas: (CFNetwork) Connection 132: TLS Trust encountere d error 3:-9802 2023-01-13 00:45:51.139467+0700 0x348f4 Error   0x0        7633 0 pas: (CFNetwork) Connection 132: encountered error(3: -9802) 2023-01-13 00:45:51.139488+0700 0x348f4 Default  0x0        7633 0 pas: (CFNetwork) Connection 132: cleaning up 2023-01-13 00:45:51.139508+0700 0x348f4 Default  0x0        7633 0 pas: (CFNetwork) [com.apple.CFNetwork:Summary] Connec tion 132: summary for unused connection {protocol=“(null)“, domain_lookup_duration_ms=0, connect_duration_ms=0, secure_connection_duration_ms=0 , private_relay=false, idle_duration_ms=0} I also tried to connect the same URL from various browsers, and it passed those security checks... How can I figure out what is the problem here? I made sure that the server certificate is set to trusted on system keychain, and my process is running in elevated user mode. I know how to disable this check, but I prefer to understand exactly what It means and fix the certificate chain if needed. thanks

Hi, I've made a pkg installation file that usually works. However, for some setups I gets the following failure after postinstall finish (return 0) 2023-01-12 10:52:00-08 ESXBigSurVM-5 package_script_service[815]: Responsibility set back to self. 2023-01-12 10:52:00-08 ESXBigSurVM-5 installd[781]: PackageKit: Writing receipt for com.myprod.mycomp to / 2023-01-12 10:52:00-08 ESXBigSurVM-5 install_monitor[814]: Re-included: /Applications, /Library, /System, /bin, /private, /sbin, /usr 2023-01-12 10:52:01-08 ESXBigSurVM-5 installd[781]: PackageKit: releasing backupd 2023-01-12 10:52:01-08 ESXBigSurVM-5 installd[781]: PackageKit: allow user idle system sleep 2023-01-12 10:52:01-08 ESXBigSurVM-5 installd[781]: PackageKit: Cleared responsibility for install from 773. 2023-01-12 10:52:01-08 ESXBigSurVM-5 installd[781]: PackageKit: Cleared permissions on Installer.app 2023-01-12 10:52:01-08 ESXBigSurVM-5 installd[781]: PackageKit: Install Failed: Error Domain=NSCocoaErrorDomain Code=513 "You don't have permission to save the file "com.myprod.mycomp.bom" in the folder "receipts"." UserInfo={NSFilePath=/var/db/receipts/com.myprod.mycomp.bom, NSUnderlyingError=0x7f92fe515760 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}} { NSFilePath = "/var/db/receipts/com.myprod.mycomp.bom"; NSUnderlyingError = "Error Domain=NSPOSIXErrorDomain Code=1 \"Operation not permitted\""; } 2023-01-12 10:52:01-08 ESXBigSurVM-5 installd[781]: PackageKit: Running idle tasks I've used the installer command with sudo, but i'm still getting the permissions issue ... sudo /usr/sbin/installer -pkg /path/to/my/file.pkg -target / Any idea why this is happening only in some setups (usually VMs running BigSur) ? and how could i prevent it ?

I have a MacOS network extension that activates 3 network "Proxies" (TransparentProxy, AppProxy and DNSProxy). To activate the proxies I do: NEAppProxyProviderManager.loadAllFromPreferences { saveToPreferences { error in if (error) { /* failed to save */ } /* saved */ } } Now I do this 3 times (once for each proxy). The behavior I observe is the following: Once the "saveToPreferences()" is called for the first time the app is installed, user gets an approval popup. Even before user clicks anything, the first 2 calls to "saveToPreferences" fail (both with the same message): Failed to save configuration MyTransparentProxy: Error Domain=NEConfigurationErrorDomain Code=10 “permission denied” UserInfo={NSLocalizedDescription=permission denied} The third call to "saveToPreferences()" does NOT return until a user either accepts or rejects the "allow vpn configuration" pop up. My question is, how can I make all the calls to block the completion callback until user decision ? For now, I figured out that this works as workaround: In the initialization of the first proxy I do: NEAppProxyProviderManager.loadAllFromPreferences { saveToPreferences { error in if (error) { /* failed to save */ } /* saved */ /* here I start the “next” proxies */ StartNextProxy(); } } In this case the first one is blocked until user accepts the pop up and once he does I start the second and the third proxies. This ensure avoidance of "permission denied" error as only one "saveToPreferences()" call waits for user approval. This doesn’t feel like the correct method to me, is there a way for multiple proxy manager to wait for "VPN Configuration" approval event ? Thanks !

I'm working on some app that has LaunchDaemon running on the background, and thus it requires some operations to be removed, prior to deleting the data/exe files. Is there an option to call an uninstall script upon drag-and-drop my app into the trash bin ? or at least, prevent the uninstallation and trigger popup window that tells the user this app cannot be removed until he unload the service (sudo launchctl stop /Library/LaunchDaemons... or sudo launchctl unload -w /Library/LaunchDaemons...) my app uses pkg file format for deployment, but I couldn't find any uninstall callback within this format. is there a way to do so ? Thanks

After macOS minor upgrade of Monterey I've noticed that a directory of mine that lies under /Library/Application Support/myCompany/myProj/myFolder has been mysteriously deleted. Is there a way to check in retrospect which process deleted my directory ? I know of fs_usage, but it's used to record ongoing file activities... the question is how to get file auditing event from the past. Thanks

I'm trying to understand where do I get the dns server configuration from. As I understand, if the file /etc/resolve.conf contain no servers, than it fallback to servers that are defined by the physical connection (Wi-Fi) However, once I removed all dns servers from /etc/resolve.conf, I got that my DNS is configured to the loopback address (127.0.0.1) instead of what the connection provides. nslookup > server Default server: 127.0.0.1 Address: 127.0.0.1#53 Default server: ::1 Address: ::1#53 and Here's the the default dns servers from the Wi-Fi connection: Here's what's configured by the interface : Perhaps anyone can tell me why doesn't the default DNS server is selected to 10.196.X.X as provided by the connection (instead I get the loopback address)

Hi, I've developed network extension that is being loaded from container application. Currently, i'd like to test the extension using development profile in signature. I've implemented 4 providers inside the extension, each derived from NE basic class. here are the definitions of my providers : @interface myAppProxyProvider : NEAppProxyProvider @interface myFilterDataProvider : NEFilterDataProvider @interface myFilterPacketProvider : NEFilterPacketProvider @interface myDnsProxyProvider : NEDNSProxyProvider and added them in the Info.plist accordingly: <key>NetworkExtension</key> <dict> <key>NEMachServiceName</key> <string>MY_TEAM_ID.com.myBrand.ext</string> <key>NEProviderClasses</key> <dict> <key>com.apple.networkextension.app-proxy</key> <string>myAppProxyProvider</string> <key>com.apple.networkextension.dns-proxy</key> <string>myDnsProxyProvider</string> <key>com.apple.networkextension.filter-data</key> <string>myFilterDataProvider</string> <key>com.apple.networkextension.filter-packet</key> <string>myFilterPacketProvider</string> </dict> </dict> I also gave the extension proper entitlements, that my developer provision profile supports. <dict> <key>com.apple.application-identifier</key> <string>MY_TEAM_ID.com.myBrand.ext</string> <key>com.apple.developer.networking.networkextension</key> <array> <string>app-proxy-provider</string> <string>content-filter-provider</string> <string>packet-tunnel-provider</string> <string>dns-proxy</string> <string> </array> <key>com.apple.developer.team-identifier</key> <string>MY_TEAM_ID</string> <key>com.apple.security.application-groups</key> <array> <string>MY_TEAM_ID.myGroup.com</string> </array> <key>com.apple.security.network.client</key> <true/> <key>com.apple.security.network.server</key> <true/> </dict> First, I activate the extension from the container app, so it set to [activated enabled] Then, In order to spawn the xpc client process, I start the xpc connection from the container application. but the process gets immediate exception and crash right after startup for the following reason : System Integrity Protection: enabledCrashed Thread:       0 Dispatch queue: com.apple.main-threadException Type:       EXC_BREAKPOINT (SIGTRAP) Exception Codes:      0x0000000000000001, 0x00000001aab620f8 Exception Note:       EXC_CORPSE_NOTIFYTermination Reason:   Namespace SIGNAL, Code 5 Trace/BPT trap: 5 Terminating Process:  exc handler [1268]Application Specific Information: Configuration error: Couldn’t retrieve XPCService dictionary from service bundle. The problem may hint wrong configuration of the Info.plist, no ? Any idea what can lead to this ? Thanks

Hi, I've like to calculate the path mtu between one of the local interfaces and a remote address. Perhaps there's such option using native networking framework like nsurlconnection ? Should I need to set the DF (don't fragment) bit and send to each hop in the path, or can I acquire this value from some cached storage per connection ? thanks

Hi, I'm using the reachability framework in order to register network status event for a specific address (address_st in the code below)... I'd like to support change of address which will trigger unregister from the old address and register to the new one. How can it be done ? SCNetworkReachabilityRef reachabilityRef = SCNetworkReachabilityCreateWithAddress(NULL, reinterpret_cast&lt;sockaddr *&gt;(&amp;address_st)); SCNetworkReachabilityContext context = {0, NULL, NULL, NULL, NULL}; SCNetworkReachabilitySetCallback(reachabilityRef, ReachabilityCallback, &amp;context)) SCNetworkReachabilitySetDispatchQueue(reachabilityRef, dispatch_queue_create("com.reachability.test", nil)); thanks,