Is there any way to deal with the mess I created with certificates?
We use CircleCI, so of course I've been spending the past week trying to get new secrets, profiles, certificates, and passwords in place. In the process, I went to generate a new Developer ID Application certificate. In the process of that I screwed up multiple times. So now I have four of them (five, actually -- one using the older cert so it expires Feb 1, 2027). They all have the same name. When I go to create a provisioning profile, there is no way to tell which one is which. No way to tell if they're being presented in the same order! Apple has told me they will not delete or revoke them, since it's not a security issue for these ones.
Replies: 8 | Boosts: 0 | Views: 1.1k | Activity: Jan ’23

A frustrated question about OSSystemExtensionRequest
Why doesn't it have a way to see what the request was? You can see what extension it was for (the identifier property), but you can't tell whether it was for an installation, uninstallation, or properties request. Why is that?
Replies: 2 | Boosts: 0 | Views: 664 | Activity: Jan ’23

C++ missing symbol

#include <stdio.h>
#include <sstream>

int main(int ac, char **av)
{
    // This is std::ostringstream spelled out through libc++'s std::__1 inline namespace.
    std::__1::basic_ostringstream<char, std::__1::char_traits<char>, std::__1::allocator<char> > x;
    x << "How now brown cow";
    return 0;
}

If I build this on macOS 12, and try to run the binary on macOS 11, it fails because that symbol is not present in /usr/lib/libc++.1.dylib. If I compile it on macOS 11, and run on 11 or later, it works. Is this correct behaviour? Since the dylib version didn't change, I would expect that to mean no ABI changes.
Replies: 15 | Boosts: 0 | Views: 2.4k | Activity: Feb ’23

Transparent proxy providers and UDP
This was discussed a bit, but it was a while ago, and I asked recently on the thread, but let's see if I can get more information this way. Normally if you're a process doing UDP I/O, you use a timeout of some sort (usually with recvfrom, or a read with an alarm signal or something). How is a network extension supposed to know that? Or is it supposed to assume that if a process signals done-with-writing, that it should treat both directions as closed? (This is definitely not the case with TCP, of course.) UDP has never really been my strong point in networking programming -- too late to only have it available, and too early to find TCP problematical for my needs. 😄
Replies: 1 | Boosts: 0 | Views: 579 | Activity: Feb ’23

xpc api misuse crash
To begin with: I know it's my code, because if I go back to our main branch and try it, I don't get this crash. But I can't figure out what it's unhappy about, so I'm not sure what changes I have to look for. (Also, this is macOS.) The daemon tries to communicate with a Network Extension over XPC. I have a class, with a shared instance, and I have a cached NSXPCConnection connection instance variable. So my code is something like id connection = [[ExtensionCommunication shared] connection], which is created by [[NSXPCConnection alloc] initWithMachServiceName:self.redirectorMachServiceName options:0]. With my changes (whatever they are), when it does [_connection resume], it crashes:

  * frame #0: 0x00007ff8191ab20e libxpc.dylib`_xpc_api_misuse + 117
    frame #1: 0x00007ff8191963a1 libxpc.dylib`xpc_connection_resume + 54

This happens whether the network extension is activated or not. The crash happens the second time this is called. (Hm, one thing I need to figure out then is why my cached connection object is being set to nil. It shouldn't be. hm.) Anyway! Any suggestions on how I can try to debug this?
Replies: 2 | Boosts: 0 | Views: 1.5k | Activity: Feb ’23

Getting a distributable Endpoint Security profile?
I'm beating my head against Apple here and it hurts. We made the request for Endpoint Security, and got it granted. However, it was only for development (and as we're looking to do non-app store distribution, I explicitly asked for one to go with our Developer ID Application certificate). At this point, I have used a TSI (thanks Quinn!) and possibly upset an internal contact by asking what I'm supposed to do, and gotten nowhere. At this point, I am sending an email message to the endpoint-review address every week, and I have gotten no responses at all. Has anyone successfully gotten this? If so... how? (No, let me amend that: I know some have, since I've seen it in the wild. I just have no idea what I'm supposed to do!)
Replies: 4 | Boosts: 0 | Views: 1.8k | Activity: Feb ’23

NWConnection, UDP, and remote address
If I use NWConnection for a UDP connection, is there a way to get the peer name? Since it's not a stream, data can theoretically come from anywhere; at the C level, I'd use recvfrom which would tell me the remote address. I'm likely to be missing something obvious to everyone but me; I do have a tendency to look at problems as C problems. 😄
Replies: 2 | Boosts: 0 | Views: 696 | Activity: Mar ’23

Given an audit token, can I get the executable path?
I can get the security path "easily" enough, but for bundles, that gives me the top directory, whereas I am trying to get the name of the executable. (I would have used kern.proc.pathname.$pid on FreeBSD, but that's not there for macOS, and kern.procname only gives the current process' name. I also found eskimo's post about getting process arguments, and I could use that to get all the arguments and only care about argv[0], but since the kernel does have p->p_name it'd be nice if there were a nicer way to get just that...) This is in the context of a network extension. Endpoint Security is much nicer in that regard. 😄
Replies: 2 | Boosts: 0 | Views: 708 | Activity: Mar ’23

Transparent app proxy and UDP, redux
When doing UDP communications, the socket can either be connected, or not. If it's not connected, it can use sendto to send it to a different destination, and it can use recvfrom to receive from anywhere. (I honestly don't know how often this is used.) An NEAppProxyUDPFlow does not, as far as I can tell, have any way to tell if it has been connected. In fact, the API involved involves an array of datagrams tied to an array of endpoints. But if the provider and the app do not have the same connected state, the results could be not at all what the app expects. Is that correct? Or is it to be expected that it will only expect to get data from the set of destinations, and only that set?
Replies: 6 | Boosts: 0 | Views: 719 | Activity: Mar ’23

Using WKWebView and a yubikey?
Coworkers are trying it and it's not working -- the google response says there was a problem with it, and not much else. I do not have a yubikey (at least not yet 😄), and I'm really not good at the GUI stuff so I don't know as much about it as I probably should. Searching the fora here found a question and comment that didn't make a lot of sense to me, but again I admit to a lot of ignorance here. So any pointers to where I should be looking would be appreciated.
Replies: 5 | Boosts: 0 | Views: 1.7k | Activity: Mar ’23

Is there a way to tell if our app was installed via MDM?
Title says it all -- there are a couple of things we might do differently during upgrades, but also we'd like to know for our own statistics. This is on macOS, so we can use /usr/bin/profiles, but I was curious if there was a way to tell programmatically that didn't involve system() or posix_spawn().
Replies: 0 | Boosts: 0 | Views: 419 | Activity: Apr ’23

Prevent certificate trust settings changes?
We include a root CA with our product. Is there a way to prevent a user from changing the trust settings? I couldn't find anything, but as this is on the outer edge of my current knowledge set, it's just as likely that I missed something.
Replies: 0 | Boosts: 0 | Views: 552 | Activity: May ’23

Spotlight/metadata can be so very annoying

sef% mdls /Applications/Google\ Chrome.app/Contents/Frameworks/Google\ Chrome\ Framework.framework/Versions/112.0.5615.137/Helpers/Google\ Chrome\ Helper.app
kMDItemFSContentChangeDate = 2023-04-17 23:59:16 +0000
kMDItemFSCreationDate      = 2023-04-17 23:59:16 +0000
kMDItemFSCreatorCode       = ""
kMDItemFSFinderFlags       = 0
kMDItemFSHasCustomIcon     = 0
kMDItemFSInvisible         = 0
kMDItemFSIsExtensionHidden = 0
kMDItemFSIsStationery      = 0
kMDItemFSLabel             = 0
kMDItemFSName              = "Google Chrome Helper.app"
kMDItemFSNodeCount         = 1
kMDItemFSOwnerGroupID      = 0
kMDItemFSOwnerUserID       = 0
kMDItemFSSize              = 1
kMDItemFSTypeCode          = ""
sef% mdfind 'kMDItemFSName == "Google Chrome Helper.app"'

So there's a metadata key that has a value... but mdfind won't find it. I haven't tried writing a small program to see if it would find it yet, although I am somewhat curious if it would.
Replies: 0 | Boosts: 0 | Views: 883 | Activity: May ’23

Reset the security&privacy settings for a macOS app?
Playing with EventKit, I wanted to test requesting access. Which I did once. Yay. Now it's stuck in System Settings... and I don't know how to reset it. (This is on Ventura.)
Replies: 1 | Boosts: 0 | Views: 1k | Activity: May ’23

Getting the URL for an EKSource calDAV object?
I searched and couldn't find anything, which shocks me, I can't be the only person to ask this. Therefore my search skills are once again demonstrated to be weak. Given an EKCalendar, I can get the source thence sourceIdentifier... but that's just a UUID; can I get the actual URL for that? I assume it's somewhere?
Replies: 1 | Boosts: 0 | Views: 830 | Activity: Jun ’23