Reply to Integrating TouchID with Authorization Services
At Apple Labs an engineer told me to use LAContext (LocalAuthentication.framework), because this object adopts the NSSecureCoding protocol and can be used to authenticate the user. The flow is simple:

1. Create LAContext in the main GUI.
2. Authenticate the user via canEvaluatePolicy() and evaluatePolicy().
3. Send the LAContext through XPC to your desired service.
4. Call canEvaluatePolicy() and evaluatePolicy() again.

However, I have a problem with the last part. I made a wrapper object (AuthorizationPayload) which carries the LAContext through XPC. It works fine and carries the LAContext from the main GUI to the service. However, when I try to verify the LAContext on the service side, I receive errors:

```
LAContext[61791:0] failed to initialize: Error Domain=com.apple.LocalAuthentication Code=-10 "Context not found." UserInfo={NSDebugDescription=Context not found., NSLocalizedDescription=Authentication failure.}
```

and canEvaluatePolicy() also returns false with the same error.

Additional: I also added this sandbox rule to my service:

```
(allow mach-lookup (global-name "com.apple.CoreAuthentication.daemon"))
```

What can I do in this situation?
Topic: Privacy & Security SubTopic: General Tags:
Jul ’22
Reply to Secure Transport is deprecated. Is there any replacement for SSLCreateContext function for C APIs?
Intention

I would like to add an adapter for the Networking framework to the socket-based transport layer in the libgit2 library.

Library

This library creates the SSL context as

```c
/// TCP, right?
st->ctx = SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType);
```

and sets the security protocols as

```c
/// TLS
SSLSetProtocolVersionMin(st->ctx, kTLSProtocol1);
SSLSetProtocolVersionMax(st->ctx, kTLSProtocol12);
```

The libgit2 library defines an interface for a socket-based API. You have to provide read/write functions for each "socket-based" adapter. The adapter write function signature is

```c
static ssize_t adapter_write(git_stream *stream, const char *data, size_t len, int flags)
```

Adapters

SecureTransport relies on socket-based functions and uses a straightforward approach without callbacks: read something, get the result. The Networking framework suggests a different approach with callbacks. So, instead of reading data in do-while loops, you have to add callbacks with the "received/sent" partial result.

Semaphore approach

To adapt the callback API I've added a semaphore, although I'm not sure this approach is efficient in terms of nw_connections.

```c
/// Rough draft
static ssize_t apple_network_adapter_write(git_stream *stream, const char *data, size_t len, int flags)
{
    apple_network_adapter_stream *st = (apple_network_adapter_stream *) stream;
    size_t data_len;
    __block size_t processed = 0;   /// written from the completion block, so it must be __block
    __block int send_err = 0;       /// `errno` is a macro from <errno.h> and cannot be redeclared, hence the rename
    OSStatus ret;

    GIT_UNUSED(flags);

    data_len = min(len, SSIZE_MAX);

    nw_connection_t connection = ... ; /// retrieve connection
    dispatch_data_t ddata = dispatch_data_create(data, data_len, NULL, DISPATCH_DATA_DESTRUCTOR_DEFAULT);
    nw_content_context_t context = NW_CONNECTION_DEFAULT_MESSAGE_CONTEXT;

    /// We have to add semaphores for this API.
    /// Otherwise, it won't be able to "be" synced.
    dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);

    nw_connection_send(connection, ddata, context, true, ^(nw_error_t _Nullable error) {
        if (error == NULL) {
            processed = data_len;   /// the whole (clamped) buffer was handed to the connection
        } else {
            send_err = nw_error_get_error_code(error);
        }
        dispatch_semaphore_signal(semaphore);
    });
    dispatch_semaphore_wait(semaphore, DISPATCH_TIME_FOREVER);

    ret = send_err;
    if (ret != noErr) {
        return apple_network_adapter_error(ret);   /// adapter helper that maps the error code to a libgit2 error
    }

    GIT_ASSERT(processed < SSIZE_MAX);
    return (ssize_t)processed;
}
```

Hint

Also, I found another hint: nearly every object in the Networking framework is defined as an NSObjectProtocol object.
Jun ’21
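The receive side of the same semaphore approach, as an added example that is not code from the post or from libgit2: it assumes a hypothetical nwa_stream struct holding the nw_connection_t and a 30 s deadline, and compiles as Objective-C (clang blocks) against Network.framework. Beyond the write case above, it shows the two things a socket-style read has to get right with a callback API: partial results (report exactly what was copied) and not blocking forever when the peer stalls.

```objective-c
#include <Network/Network.h>
#include <dispatch/dispatch.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
typedef struct {   /* hypothetical stream struct; the connection field is this example's assumption */
    nw_connection_t connection;
    int eof;       /* set once the peer's final message has been fully received */
} nwa_stream;
/* Synchronous read over nw_connection_receive: returns bytes copied into buf,
 * 0 at EOF, or -1 with errno set (ETIMEDOUT when the peer stalls). */
static ssize_t nwa_read(nwa_stream *st, void *buf, size_t len)
{
    if (st->eof)
        return 0;
    if (len > UINT32_MAX)
        len = UINT32_MAX;   /* nw_connection_receive takes uint32_t bounds */
    dispatch_semaphore_t done = dispatch_semaphore_create(0);
    __block ssize_t result = -1;
    __block int err = 0;
    /* Ask for 1..len bytes; a partial result is fine as long as the exact count is reported. */
    nw_connection_receive(st->connection, 1, (uint32_t)len,
        ^(dispatch_data_t content, nw_content_context_t ctx, bool is_complete, nw_error_t error) {
            if (error != NULL) {
                err = nw_error_get_error_code(error);
            } else {
                __block size_t copied = 0;
                if (content != NULL)   /* dispatch_data may be discontiguous: walk each region */
                    dispatch_data_apply(content, ^bool(dispatch_data_t r, size_t off, const void *p, size_t n) {
                        memcpy((char *)buf + off, p, n);
                        copied += n;
                        return true;
                    });
                result = (ssize_t)copied;
                if (is_complete && (ctx == NULL || nw_content_context_get_is_final(ctx)))
                    st->eof = 1;   /* final message delivered: the next read returns 0 */
            }
            dispatch_semaphore_signal(done);
        });
    /* Bounded wait (30 s is an assumption); on timeout, cancel so the pending completion fires, then wait for it so it can no longer write into buf. */
    if (dispatch_semaphore_wait(done, dispatch_time(DISPATCH_TIME_NOW, 30 * NSEC_PER_SEC)) != 0) {
        nw_connection_cancel(st->connection);
        dispatch_semaphore_wait(done, DISPATCH_TIME_FOREVER);
        errno = ETIMEDOUT;
        return -1;
    }
    if (err != 0) { errno = err; return -1; }
    return result;
}
```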
Reply to Unable to find intelgpu_kbl_gt2r0 slice or a compatible one in binary archive
@DTS Engineer FB21870172 MacBook Pro, 16-inch, 2019. macOS 26.2 (25C56).
Topic: Graphics & Games SubTopic: Metal Tags:
Feb ’26
Reply to Integrating TouchID with Authorization Services
We distribute our product outside of the MAS (as a pkg). It consists of a GUI app and several services. The app is sandboxed but uses custom sandbox profile rules. The services are installed as launchd daemons and are not located inside the app bundle. The services have XPC bundles and also use custom sandbox profiles.
Topic: Privacy & Security SubTopic: General Tags:
Jul ’22
Reply to Integrating TouchID with Authorization Services
I have a similar problem. The original post was several years ago. Are there any new features/APIs to retrieve an AuthorizationRef by TouchID?
Topic: Privacy & Security SubTopic: General Tags:
Jun ’22