Post

Replies

Boosts

Views

Activity

Command-line signing fails while signing from Xcode succeeds
Hi, I'm currently trying to build my project from the command line using Jenkins automation. However, although both methods use the same code-signing parameters, the UI-based signing (from Xcode) succeeds, while running from xcodebuild fails for the reason below:

    /usr/bin/codesign --force --sign my_cert_id --timestamp\=none /Users/bla/file.dylib

and the result is:

    Warning: unable to build chain to self-signed root for signer "Apple Development: userBuilder (...)"
    /Users/bla/file.dylib: errSecInternalComponent

But the same command runs successfully when invoked from Xcode. My questions are: Are the certificate and private key taken from the keychain in both cases? Are there any environment variables that may exist only in the Xcode mode? Thanks
1
0
1k
Mar ’21
Setting DerivedData path from xcodebuild command line tool
Hi. In order to support continuous integration, I've made a builder image with macOS and Xcode installed, and I'd like to automate the process of building my workspace targets. So I'm using the following command:

    /usr/bin/xcodebuild clean build -workspace ./myproj.xcworkspace -configuration Release -scheme myScheme

On my development machine I'm setting the derived data location as relative to the project directory from the Xcode UI, so the build outputs are written under:

    my project path/DerivedData/myProj/Build/Products/Debug

However, in the build image I cannot set the derived data path since it also serves other projects. Therefore, I'd like to find the appropriate flag to achieve similar behaviour from the xcodebuild command. This means setting the derived data location accordingly for all the targets which are created by the build command. I've tried flags like CONFIGURATION_BUILD_DIR=./DerivedData or -derivedDataPath ./DerivedData but without success. Any idea where I'm going wrong?
4
0
6.3k
Mar ’21
Clarify the error from SecKeyCreateDecryptedData
I'm running the following command, which is meant to decrypt an object of type CFDataRef using a key object of type SecKeyRef:

    CFDataRef encryptedCfData =
        SecKeyCreateDecryptedData(privateKeySecKey,
                                  kSecKeyAlgorithmRSAEncryptionOAEPSHA256,
                                  (__bridge CFDataRef)[NSData dataWithBytes:payloadBuff length:payloadLen],
                                  &cfErr);

Unfortunately, in some scenarios it fails and I get the following error:

    Error Domain=NSOSStatusErrorDomain Code=-50 "RSAdecrypt wrong input (err -27)" (paramErr: error in user parameter list) UserInfo={NSDescription=RSAdecrypt wrong input (err -27)}

or this one:

    Error Domain=NSOSStatusErrorDomain Code=-50 "rsa_priv_crypt failed, ccerr=-23" (paramErr: error in user parameter list) UserInfo {NSDescription=rsa_priv_crypt failed, ccerr=-23}

I'm trying to understand their meaning. The -50 indicates that one or more of the params are invalid. But what about the inner error codes (-23 and -27) and the meaning of their related strings ("error in user parameter list" and "RSAdecrypt wrong input")? Perhaps someone has already encountered those error messages and can tell me their meaning? Thanks for the help!
1
0
1.6k
Feb ’21
Setting environment variable for xpc service:
I set the following global environment variables for launchd-derived services:

    sudo launchctl setenv CA_DEBUG_TRANSACTIONS 1
    sudo launchctl setenv CA_ASSERT_MAIN_THREAD_TRANSACTIONS 1

And indeed I saw that reflected on SecurityAgent (of type launchAgent):

    sudo ps eww 3194
      PID   TT  STAT      TIME COMMAND
     3194   ??  Ss     0:00.19 /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent LaunchInstanceID=00000000-0000-0000-0000-00000001873A XPC_SERVICE_NAME=com.apple.security.agent.login CA_DEBUG_TRANSACTIONS=1 CA_ASSERT_MAIN_THREAD_TRANSACTIONS=1 PATH=/usr/bin:/bin:/usr/sbin:/sbin XPC_FLAGS=19 LOGNAME=_securityagent USER=_securityagent HOME=/var/db/securityagent SHELL=/usr/bin/false TMPDIR=/var/folders/zz/zyxvpxvq6csfxvn_n00000bh00002w/T/

But unfortunately, its helper XPC service doesn't get them:

    sudo ps eww 3195
      PID   TT  STAT      TIME COMMAND
     3195   ??  Ss     0:00.53 /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/XPCServices/SecurityAgentHelper.xpc/Contents/MacOS/SecurityAgentHelper XPC_SERVICE_NAME=com.apple.SecurityAgentHelper PATH=/usr/bin:/bin:/usr/sbin:/sbin HOME=/var/db/securityagent TMPDIR=/var/folders/zz/zyxvpxvq6csfxvn_n00000bh00002w/T/ XPC_FLAGS=19 LOGNAME=_securityagent USER=_securityagent SHELL=/usr/bin/false

Any idea how to set it in the helper too, even if it's an XPC service and not an agent, since they are both run by launchd:

       92  3194     1   0 11:42AM ??         0:00.19 /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
       92  3195     1   0 11:42AM ??         0:00.53 /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/XPCServices/SecurityAgentHelper.xpc/Contents/MacOS/SecurityAgentHelper
1
0
3.5k
Feb ’21
Connect to LDAP account using smartcard (PKINIT) - can user matching ignore case sensitivity?
For smartcard login, my certificate contains a UPN which is lowercase formatted (i.e. user123). However, in the DC it's capitalized (i.e. User123). The login fails with the following log (taken from log show): SmartCard - User is not paired with any smartcard. From the logs it seems that an attempt has been made to look up this name by opendirectoryd, but it has failed since the match policy is case sensitive (or, as the log says, CaseExact). Here's the relevant message:

    2020-12-24 12:40:44.901571+0200 0x1f237 Info 0x14742 85 0 opendirectoryd: [com.apple.opendirectoryd:session] ODQueryCreateWithNode request, NodeID: E4648A1C-B2E1-4329-B702-5CADC51B9235, RecordType(s): dsRecTypeStandard:Users, Attribute:dsAttrTypeNative:dn, MatchType: EqualTo, Equality: CaseExact, Value(s): <private>, RequestedAttributes: dsAttrTypeStandard:AuthenticationHint,dsAttrTypeNative:_guest,dsAttrTypeStandard:AuthenticationAuthority,dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeStandard:RecordType,dsAttrTypeStandard:GeneratedUID,dsAttrTypeStandard:PrimaryGroupID,dsAttrTypeStandard:RecordName,dsAttrTypeNative:original_authentication_authority,dsAttrTypeStandard:HomeDirectory,dsAttrTypeStandard:UniqueID,dsAttrTypeStandard:RealName,dsAttrTypeStandard:AppleMetaRecordName,dsAttrTypeNative:home_info,dsAttrTypeStandard:NFSHomeDirectory, Max Results: 1

Is the lookup deliberately made case sensitive? I presume that it simply takes the name from the certificate inside the smartcard, but is there an option to match with lowercase? Thanks
0
0
626
Dec ’20
enforce launchAgent running on all users.
Hi, I'd like to load an xpcService for all active users in advance. Moreover, when a new user becomes active, I want a dedicated process for that user to be spawned automatically, and not wait for an XPC message. Here's my plist under /Library/LaunchAgent/:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
            <key>Label</key>
            <string>com.company.service</string>
            <key>RunAtLoad</key>
            <true/>
            <key>EnablePressuredExit</key>
            <false/>
            <key>POSIXSpawnType</key>
            <string>Adaptive</string>
            <key>ProgramArguments</key>
            <array>
            <string>/Applications/myApp.app/Contents/XPCServices/myXpcService.xpc/Contents/MacOS/myXpcService</string>
            </array>
            <key>MachServices</key>
            <dict>
                    <key>com.company.service</key>
                    <true/>
            </dict>
    </dict>
    </plist>

If I'm using launchctl load then launchd manages the processes for each user, which means that the process can be invoked only once an XPC client decides it needs to be raised. Is there any way to run those processes in advance for all current users, and for each additional user which becomes active?
1
0
791
Dec ’20
get domain name of mobile account.
Hi, my computer is bound to a Windows LDAP server. The connection is configured to use a mobile account so I'd be able to log in while the LDAP is unreachable. I'd like to extract the domain name for my user, which is represented by the field dsAttrTypeNative:DomainName, as can be seen in the following code:

    ODNode * node = [ODNode nodeWithSession:[ODSession defaultSession] type:kODNodeTypeAuthentication error:&err];
    NSArray * subnodeNames = [node subnodeNamesAndReturnError:&err];
    for (NSString * subnodeName in subnodeNames) {
        ODNode * subnodeObject = [ODNode nodeWithSession:[ODSession defaultSession] name:subnodeName error:&err];
        id subnodeDetails = [subnodeObject nodeDetailsForKeys:nil error:&err];
        NSArray * domainName = subnodeDetails[@"dsAttrTypeNative:DomainName"];
    }

When LDAP connectivity is online, I can see that this field appears in subnodeDetails and it's equal to the concatenation of 2 strings separated by a dot (i.e. MY-CORP.mycompanyname-dev.com). But when it's offline, this field doesn't appear, even though I see that the LDAP user appears when running the command id username. Is there any way to extract the domain name when LDAP is unconnected? I could do something really patchy like running odrecord and appending the DC fields from dsAttrTypeStandard:AppleMetaRecordName, which includes the following data:

    'dsAttrTypeStandard:AppleMetaRecordName': 'CN=John Smith,CN=Users,DC=my-corp,DC=mycorpname-dev,DC=com'

and this will result in my-corp.mycorpname-dev.com, but perhaps there's an easier built-in alternative?
2
0
945
Nov ’20
Xpc client waiting for service up indication.
My installer loads an XPC service and an XPC client that attempts to call a remote XPC method on that service. However, the service may be loaded arbitrarily and the client may get an invalid connection since the service hasn't loaded yet. So far I haven't found any way to get a service-load indication, so I'm calling the retry method recursively from within the connection invalidationHandler. Is this the correct approach? Is there any wait-for-service event I can wait for?

    + (void) callXpcWithRetry {
        NSXPCConnection* hubConnection = [[NSXPCConnection alloc] initWithMachServiceName:@"com.bla.myservice" options:0];
        hubConnection.remoteObjectInterface = getInterface();
        [hubConnection setInvalidationHandler:^{
            NSLog(@"Connection to keystore hub service invalidated .. retry in 5");
            sleep(5);
            [ServiceDelegate callXpcWithRetry];
        }];

        [hubConnection resume];
        id<myXpcProtocol> hub = [hubConnection remoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) {
        }];

        [hub xpcProtocolMethodForUser:NSUserName()];
    }
4
0
902
Oct ’20
objective-c : custom segue transition between 2 viewControllers
I've inherited from NSStoryboardSegue in order to implement a custom transition between 2 VCs.

    @interface MyReplaceSegue : NSStoryboardSegue
    @end

    @implementation MyReplaceSegue
    - (void)perform {
        NSViewController *s = self.sourceController;
        NSViewController *d = self.destinationController;
        [s.view.window.contentViewController addChildViewController:d];

        [s.view.window.contentViewController transitionFromViewController:s toViewController:d options:NSViewControllerTransitionCrossfade completionHandler:^{
            [s removeFromParentViewController];
        }];
    }
    @end

It works most of the time. However, there's one transition which brings the method transitionFromViewController to the following assertion/exception:

    2020-10-05 21:55:23.643066+0300 0x26141 Default 0x2b33a 5098 0 myProc: (Foundation) *** Assertion failure in -[NSViewController transitionFromViewController:toViewController:options:completionHandler:], /BuildRoot/Library/Caches/com.apple.xbs/Sources/AppKit/AppKit-0.109/Controllers/NSViewController.m:917
    2020-10-05 21:55:23.645250+0300 0x26141 Error 0x0 5098 0 myProc: (AppKit) [com.apple.AppKit:General] We must be the parent of fromViewController

I'm not sure I understand the description "We must be the parent of fromViewController". I've set the dest viewController to be a child of the source viewController. Perhaps somebody has encountered such an exception? I assume it relates to the nature of the source VC but I cannot figure out how.
0
0
465
Oct ’20