We include a root CA with our product. Is there a way to prevent a user from changing the trust settings? I couldn't find anything, but as this is on the outer edge of my current knowledge set, it's just as likely that I missed something.

Title says it all -- there are a couple of things we might do differently during upgrades, but also we'd like to know for our own statistics. This is on macOS, so we can use /usr/bin/profiles, but I was curious if there was a way to tell programmatically that didn't involves system() or posix_spawn().

Coworkers are trying it and it's not working -- the google response says there was a problem with it, and not much else. I do not have a yubikey (at least not yet 😄), and I'm really not good at the GUI stuff so I don't know as much about it as I probably should. Searching the fora here found a question and comment that didn't make a lot of sense to me, but again I admit to a lot of ignorance here. So any pointers to where I should be look would be appreciated.

When doing UDP communications, the socket can either be connected, or not. If it's not connected, it can use sendto to send it to a different destination, and it can use recvfrom to receive from anywhere. (I honestly don't know how often this is used.) An NEAppProxyUDPFlow does not, as far as I can tell, have any way to tell if it has been connected. In fact, the API involved involves an array of datagrams tied to an array of endpoints. But if the provider and the app do not have the same connected state, the results could be not at all what the app expects. Is that correct? Or is it to be expected that it will only expect to get data from the set of destinations, and only that set?

I can get the security path "easily" enough, but for bundles, that gives me the top director, whereas I am trying to get the name of the executable. (I would have used kern.proc.pathname.$pid on FreeBSD, but that's not there for macOS, and kern.procname only gives the current process' name. I also found eskimo's post about getting process arguments, and I could use that to get all the arguments and only care about argv[0], but since the kernel does have p->p_name it'd be nice if there were a nicer way to get just that...) This is in the context of a network extension. Endpoint Security is much nicer in that regard. 😄

If I use NWConnection for a UDP connection, is there a way to get the peer name? Since it's not a stream, data can theoretically come from anywhere; at the C level, I'd use recvfrom which would tell me the remote address. I'm likely to be missing something obvious to everyone but me, I do have a tendency to look at problems as C problems. 😄

I'm beating my head against Apple here and it hurts. We made the request for Endpoint Security, and got it granted. However, it was only for development (and as we're looking to do non-app store distribution, I explicitly asked for one to go with our Developer ID Application certificate). At this point, I have used a TSI (thanks Quinn!) and possibly upset an internal contact by asking what I'm supposed to do, and gotten nowhere. At this point, I am sending an email message to the endpoint-review address every week, and I have gotten no responses at all. Has anyone successfully gotten this? If so... how? (No, let me amend that: I know some have, since I've seen it in the wild. I just have no idea what I'm supposed to do!)

To begin with: I know it's my code, because if I go back to our main branch and try it, I don't get this crash. But I can't figure out what it's unhappy about, so I'm not sure what changes I have to look for. (Also, this is macOS.) The daemon tries to communicate with a Network Extension over XPC. I have a class, with a shared instance, and I have a cached NSXPCConnection connection instance variable. So my code is something like id connection = [[ExtensionCommunication shared] connection], which is created by [[NSXPCConnection alloc] initWithMachServiceName:self.redirectorMachServiceName options:0]. With my changes (whatever they are), when it does [_connection resume], it crashes:   * frame #0: 0x00007ff8191ab20e libxpc.dylib`_xpc_api_misuse + 117     frame #1: 0x00007ff8191963a1 libxpc.dylib`xpc_connection_resume + 54 This happens whether the network extension is activated or not. The crash happens the second time this is called. (Hm, one thing I need to figure out then is why my cached connection object is being set to nil. It shouldn't be. hm.) Anyway! Any suggestions on how I can try to debug this?

This was discussed a bit, but it was a while ago, and I asked recently on the thread, but let's see if I can get more information this way. Normally if you're a process doing UDP I/O, you use a timeout of some sort (usually with recvfrom, or a read with an alarm signal or something). How is a network extension supposed to know that? Or is it supposed to assume that if a process signals done-with-writing, that it should treat both directions as closed? (This is definitely not the case with TCP, of course.) UDP has never really been my strong point in networking programming -- too late to only have it available, and too early to find TCP problematical for my needs. 😄

#include <stdio.h> #include <sstream> int main(int ac, char **av) { std::__1::basic_ostringstream<char, std::__1::char_traits<char>, std::__1::allocator<char> > x; x << "How now brown cow"; return 0; } If I build this on macOS 12, and try to run the binary on macOS 11, it fails because that symbol is not present in /usr/lib/libc++.1.dylib. If I compile it on macOS 11, and run on 11 or later, it works. Is this correct behaviour? Since the dylib version didn't change, I would expect that to mean no ABI changes.

Why doesn't it have a way to see what the request was? You can see what extension it was for (the identifier property), but you can't tell whether it was for an installation, uninstallation, or properties request. Why is that?

We use CircleCI, so of course I've been spending the past week trying to get new secrets, profiles, certificates, and passwords in place. In the process, I went to generate a new Developer ID Application certificate. In the process of that I screwed up multiple times. So now I have four of them (five, actually -- one using the older cert so it expires Feb 1, 2027). They all have the same name. When I go to create a provisioning profile, there is no way to tell which one is which. No way to tell if they're being presented in the same order! Apple has told me they will not delete or revoke them, since it's not a security issue for these ones.

In order to set up an asynchronous query looking for a specific application, I have a predicate of:         NSPredicate *predicate = [NSPredicate predicateWithFormat:@"%K LIKE[cd] %@ AND %K = %@",                                                          @"kMDItemDisplayName", name,                                                          @"kMDItemContentType", UTTypeApplicationBundle.identifier]; I tested it with standalone code, and this did what I wanted -- finding applications with the given name. But recently, it seems to have stopped working. That query should be the equivalent of mdfind 'kMDItemDisplayName LIKE[cd] "Safari" AND kMDItemContentType == "com.apple.application-bundle"' but that gives me Failed to create query for 'kMDItemDisplayName LIKE[cd] "Safari" AND kMDItemContentType == "com.apple.application-bundle"'. If I drop the compound, and just do % mdfind 'kMDItemDisplayName LIKE[cd] "Safari"' then I get no output: % mdfind 'kMDItemDisplayName LIKE[cd] "Safari"' %  And yet clearly I do have Safari installed on my system. What am I doing wrong, or missing? Anyone?

In response to my feedback submission, apple says that our transparent network proxy is stopping because, somehow, the file descriptor for com.apple.flow-divert is being closed. Only, they haven't (yet?) given any advice on how to debug that -- the extension is written in Swift, and by itself does not close any file descriptor. So I have no idea how I'd go about trying to debug that, let alone fix it. Anyone have any thoughts about this?

We got a crash in some code, I had managed to miss this topic entirely somehow. This says: Pointer authentication can also expose latent bugs in existing code. In C++, it’s incorrect to call a virtual method using a declaration that differs from its definition. In practice, such calls typically succeed in arm64, but trigger a pointer authentication failure in arm64e. You might encounter this bug when using OS_OBJECT types like dispatch_queue_t and xpc_connection_t. You can’t pass instances of these types from C++ code to an Objective-C++ function (or vice versa) because they’re defined differently in Objective-C++ to support automatic reference counting (ARC). and, yes, we have both C++ and ObjC++ code, and a class does have a dispatch_queue_t member, and it does get passed around (although I don't think anything other than ObjC++ code touches the member), but... the documentation there says "you can't d this" but has absolutely no information on what you are supposed to do instead. Again, I've managed to miss this completely, and my network searching ability is pretty awful, so I assume I simply couldn't find documentation on it? (And I can't stream video very well where I am right now.)