Post

Replies

Boosts

Views

Activity

spotlight/metadata searches are confusing me
In order to set up an asynchronous query looking for a specific application, I have a predicate of:

    NSPredicate *predicate = [NSPredicate predicateWithFormat:@"%K LIKE[cd] %@ AND %K = %@",
                              @"kMDItemDisplayName", name,
                              @"kMDItemContentType", UTTypeApplicationBundle.identifier];

I tested it with standalone code, and this did what I wanted -- finding applications with the given name. But recently, it seems to have stopped working. That query should be the equivalent of

    mdfind 'kMDItemDisplayName LIKE[cd] "Safari" AND kMDItemContentType == "com.apple.application-bundle"'

but that gives me

    Failed to create query for 'kMDItemDisplayName LIKE[cd] "Safari" AND kMDItemContentType == "com.apple.application-bundle"'

If I drop the compound, and just do

    % mdfind 'kMDItemDisplayName LIKE[cd] "Safari"'

then I get no output:

    % mdfind 'kMDItemDisplayName LIKE[cd] "Safari"'
    %

And yet clearly I do have Safari installed on my system. What am I doing wrong, or missing? Anyone?
3
0
1.6k
Jan ’23
How to debug com.apple.flow-divert being closed?
In response to my feedback submission, Apple says that our transparent network proxy is stopping because, somehow, the file descriptor for com.apple.flow-divert is being closed. Only, they haven't (yet?) given any advice on how to debug that -- the extension is written in Swift, and by itself does not close any file descriptor. So I have no idea how I'd go about trying to debug that, let alone fix it. Anyone have any thoughts about this?
7
0
1.5k
Jan ’23
XPC and ARC?
xctrace --template Leaks identified this as a leak:

    NSString *uuid = [NSString stringWithUTF8String:connectionID];
    NSData *contentData = [NSData dataWithBytes:data length:length];
    id<ConnexctionProtocol> proxy = [connection asyncConnectionProxy];
    [proxy handleData:uuid data:contentData];
    return;

(Which is to say: a few thousand objects show up in the Leaks pane, the stack for them goes up to the NSData creation, and Leaks apparently thinks it's never released.) That doesn't look like it should be a leak, with ARC? Which probably means I'm doing something wrong?
0
0
689
Dec ’22
Is there any way to deal with the mess I created with certificates?
We use CircleCI, so of course I've been spending the past week trying to get new secrets, profiles, certificates, and passwords in place. In the process, I went to generate a new Developer ID Application certificate. In the process of that I screwed up multiple times. So now I have four of them (five, actually -- one using the older cert so it expires Feb 1, 2027). They all have the same name. When I go to create a provisioning profile, there is no way to tell which one is which. No way to tell if they're being presented in the same order! Apple has told me they will not delete or revoke them, since it's not a security issue for these ones.
8
0
1k
Jan ’23
Transparent proxy providers and UDP
This was discussed a bit, but it was a while ago, and I asked recently on the thread, but let's see if I can get more information this way. Normally if you're a process doing UDP I/O, you use a timeout of some sort (usually with recvfrom, or a read with an alarm signal or something). How is a network extension supposed to know that? Or is it supposed to assume that if a process signals done-with-writing, that it should treat both directions as closed? (This is definitely not the case with TCP, of course.) UDP has never really been my strong point in networking programming -- too late to only have it available, and too early to find TCP problematical for my needs. 😄
1
0
570
Feb ’23
Transparent app proxy and UDP, redux
When doing UDP communications, the socket can either be connected, or not. If it's not connected, it can use sendto to send it to a different destination, and it can use recvfrom to receive from anywhere. (I honestly don't know how often this is used.) An NEAppProxyUDPFlow does not, as far as I can tell, have any way to tell if it has been connected. In fact, the API involved involves an array of datagrams tied to an array of endpoints. But if the provider and the app do not have the same connected state, the results could be not at all what the app expects. Is that correct? Or is it to be expected that it will only expect to get data from the set of destinations, and only that set?
6
0
701
Mar ’23
Given an audit token, can I get the executable path?
I can get the security path "easily" enough, but for bundles, that gives me the top directory, whereas I am trying to get the name of the executable. (I would have used kern.proc.pathname.$pid on FreeBSD, but that's not there for macOS, and kern.procname only gives the current process' name. I also found eskimo's post about getting process arguments, and I could use that to get all the arguments and only care about argv[0], but since the kernel does have p->p_name it'd be nice if there were a nicer way to get just that...) This is in the context of a network extension. Endpoint Security is much nicer in that regard. 😄
2
0
699
Mar ’23
Spotlight/metadata can be so very annoying
    sef% mdls /Applications/Google\ Chrome.app/Contents/Frameworks/Google\ Chrome\ Framework.framework/Versions/112.0.5615.137/Helpers/Google\ Chrome\ Helper.app
    kMDItemFSContentChangeDate = 2023-04-17 23:59:16 +0000
    kMDItemFSCreationDate = 2023-04-17 23:59:16 +0000
    kMDItemFSCreatorCode = ""
    kMDItemFSFinderFlags = 0
    kMDItemFSHasCustomIcon = 0
    kMDItemFSInvisible = 0
    kMDItemFSIsExtensionHidden = 0
    kMDItemFSIsStationery = 0
    kMDItemFSLabel = 0
    kMDItemFSName = "Google Chrome Helper.app"
    kMDItemFSNodeCount = 1
    kMDItemFSOwnerGroupID = 0
    kMDItemFSOwnerUserID = 0
    kMDItemFSSize = 1
    kMDItemFSTypeCode = ""
    sef% mdfind 'kMDItemFSName == "Google Chrome Helper.app"'

So there's a metadata key that has a value... but mdfind won't find it. I haven't tried writing a small program to see if it would find it yet, although I am somewhat curious if it would.
0
0
873
May ’23
Sonoma on a virtual machine?
I don't have enough physical machines to install Sonoma; I do, however, have lots of CPU cycles, memory, and disk space -- so can I get Sonoma running in VMware Fusion? Ideally on both AS and Intel. I searched to see if this had been asked, but I will be the first to admit my searching skills are bad. (This is why I like find and grep.)
3
0
2.6k
Sep ’23
Keeping track of thread creation in a process
In some cases, one of our daemons will end up with thousands of threads. Clearly a bug somewhere, but I can't see it in the code. (Admittedly, it's C++ which is a bit alien to me still. Anyway.) If I wanted to just be notified each time a thread was created in the process, what are some ways to do that? I assume dtrace and lldb have ways to do it, but I'm not quite sure what.
6
0
1.1k
Jul ’23
Not being prompted when removing a root CA
We have our own root CA that is installed with our application. For non-MDM installs, the system asks if the user wants to do that, which is all well and good. It also used to ask us when removing that certificate. It doesn't now. So now I am wondering if I dreamed it, except other people say they also got prompted and don't now. It's being installed and removed using the security command, in scripts.
1
0
865
Aug ’23