I have several executables, and I want them to be able to trust each other, since they grew up together and have had many bonding adventures together. When getting an XPC (or AppleEvents, thank you Quinn 😄) from another process, is there an easy way to find out if the other process is signed the same way the receiving process is? The code signing identity is easy to check, but of course it's also pretty easy to forge. (So this would be a variant, I think, of a question I asked a few months ago, how to see if a process is "properly" signed [which, as I said then, means it's got a valid code signature, and that is anchored "properly," which is to say something that would pass gatekeeper]. Only easier, because I really just want to say "here is my SecCode, here is this other process', are they both comparable?) Although I guess another thing would be to see if they're both in the same app group?

I've finally been installing our bundle into /Applications, and have noticed that this causes a crash report dialogue to come up whenever one of the components crashes. Which, at this point, is still fairly often (that's what asserts in debug builds are for!). But I really don't want to keep manually dismissing those windows; is there a way to stop them from coming up? (I mean, I still want the crash reports created and logged, but I have my own scripts that go through there to get new ones and cleanup the old ones.)

Unless I'm missing something (always possible)... there is no way to tell if you get a valid proxy back -- the error handler is asynchronous, and I don't see a way to say "this proxy is valid." Am I missing something?

Just to make sure I'm not once again doing something dumb or stupid: this notification only gets sent to the application that loads & starts the VPN? If I want some other process to be aware of it, I have to use the SC* APIs?

In a deamon, I register using: [[NSDistributedNotificationCenter defaultCenter] addObserver:loader selector:@selector(getNotifications:) name:kProxyStartNotification object:@"MyProxy"]; In the transparent proxy provider, I post using: static let dnc = DistributedNotificationCenter.default() // later Self.dnc.postNotificationName(.proxyStart,                                       object:"MyProxy",                                       deliverImmediately:true) (I also tried putting the same observer code in the containing app, just to be sure.) (Also, btw: the automatic conversion of kProxyStartNotification to Notification.Name.proxyStart is really sweet.) I'm not getting the notification in other processes. I tried putting an observer in the extension, and sure enough that did get the notification, so it is being generated. Just... not leaving my process. I tried checking for sandbox violations, using Quinn's instructions, but see nothing. I also tried [[NSDistributedNotificationCenter defaultCenter] addObserver:loader    selector:@selector(getNotifications:)     name:nil     object:@"MyProxy"]; (and the same in Swift, for the network extension), and -- as can be guessed by my still asking this question -- no luck.

I've got a system extension. There's a daemon that talks to it. Because I want the sysex to be able to reach out on its own, the daemon talks to the sysex over XPC, and passes over an anonymous endpoint, so that either side can initiate a message. This all works pretty well, and I'm happy with it. But the design, as is, means that if the sysex goes away for some reason, the daemon can't ever talk to it again. This shouldn't be too difficult a problem to fix -- I can tell when the XPC connections are invalidated, I just have to wait for the sysex to come back up. I am using notify(3) for this, and this does work. And this is the part that is frustrating, and I obviously think should even be impossible: after starting back up, sending a notification, and getting the anonymous endpoint from the daemon, and setting the connection to an NSXPCConnection, the connection ... gets set to nil. The problem is that since I've written this in Swift, I put an observer on the endpoint and log whenever it changes. And in the log, I see "changing it from nil to ", and then a log message saying "connection is non-nil, as it should be" and then... later it says the connection is nil. Without a "changing it from to nil". I am very, very frustrated.

I followed a tutorial on SwiftUI and macOS (and wow was it worth it, I understand more of what I was doing wrong before!). After the tutorial was done, I thought, okay, let's try adding CloudKit to it. Which was rather trivial to do, I was impressed. Then I thought, ok, let's try being able to have local or CloudKit, depending on runtime. But when I did that, the file was opened readonly, due to "Store opened without NSPersistentHistoryTrackingKey but previously had been opened with NSPersistentHistoryTrackingKey." This seems to be something a lot of people have run into, but for some reason I haven't found any actual fixes. Anyone know?

I've got a preference that requires the app to restart to take effect, so I would like to quit it. Using NSApp.terminate(nil) doesn't do it. Everything I can search for seems to be talking about iOS (and being able to relaunch the app would be good for iOS, if that's a doable thing?).

If I cruelly do a kill -9 on the process, it doesn't seem to automatically reconnect. This surprised me. Is there something I am supposed to do to tell it to do so?

This specifically seems to happen when my network extension is spawned by launchd, but has not actually been connected. (That is my conclusion based on the evidence: ps shows the process existing, but the logs show that main() hasn't run yet, let alone the proxy provider's init(). Without being able to debug launchd, I would say the situation is that launchd has said "yes this XPC port exists, when you try to connect to it I will send it on over to the extension, and thereafter you two will happily communicate directly," but the process hasn't gotten around to accepting XPC connections.) This seems to be most likely to happen when the extension crashes, or I kill -9 it to see how it handles respawning. I have a little CLI tool that talks (over XPC, of course) to the extension, mainly to say "Hi are you alive?" If the extension is not loaded, the XPC connection fails, as expected, and my tool says "NOT YET." If it is loaded and running, the XPC connection succeeds, as expected, and I get back a response of true. So my first question is: is this expected behaviour? My second question is: is there a way to do an XPC connection with a timeout?

My little network extension is running out of file descriptors. My suspicion is that something in the Security framework is not being deallocated, although even this doesn't make a great deal of sense: The extension looks at each flow, and gets a SecStaticCodeRef for it, finds the pathname, makes a decision, and stores the result of that decision in an NSCache<NSData, NSNumber> where the key is flow.metaData.sourceAppUniqueIdentifier. This goes through a couple layers of abstractions (the cache is in one Swift class, and it calls another Swift class that gets the security info and then returns the pathname, or throws an error). As an example, after running for a couple of days, it has 1074 open file descriptors for /System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd -- and only had 732 three hours ago.

I mean, I could do a readdir on /Library/SystemExtensions/, but that won't really tell me which ones are active. I could parse the output of systemextensionsctl list but that doesn't seem particularly good.

Despite updating to the most recent Xcode repeatedly, I was never able to add a swift package using Xcode -- it would get stuck at validation and never get past that. I filed a feedback (and may have asked here? can't find it) and never heard back. Today, I managed to figure it out, by creating a project on one machine (where it worked), and checking it out on one that didn't work. And when I tried to launch Xcode on the second machine... it told me that it couldn't use swift packages with a legacy build setting. I changed that (long, long, long set) preference, and... suddenly it worked. In case anyone else is as stubborn and ludditious as I am, and find this useful.

Is there a way to see which profiles are downloaded (in ~/Library/MobileDevice/ProvisioningProfiles) in a human-readable method using Xcode? Specifically, I'd like to know what type (and for which certificate(s)) each profile is. Looking at them with emacs is ... annoying, even for me. 😄

I can use /usr/bin/security to install a root CA, and to delete it (based on the file)... but how do I check to see if it's installed already? Surely there is a way to do this, other than security find-certificate -a | fgrep my.ca.name? Ideally from the shell level, but if I have to write a program I can (in which case I believe it'd be a relatively easy, albeit annoying because I hate writing certificate code, task)...