Nobody has any thoughts about this? 😩

Nobody has any thought or information about this? No pointers to resources?

I don’t have any intent on doing that, I am simply curious what happens — we’ve been asked to provide the process name for a connection, and in playing it out in my head, I realized the documentation was completely silent on this.

So put the 'c' after the target string? Wow. Let me try it but thanks! Wow thanks!

Ok, @eskimo, I am too dumb to figure this out. In particular, "a requirement that identifies the code you care about" (and note that I'm not getting messages via just XPC). I've gone over the code signing documents, and there's just so much "use a requirement that specifies what you want" without showing me enough about how to get what I want... There are multiple ways to express what I would like to do. I think I can easily break them down into two types. For these, I'm going to use B as some random process, and A as the process trying to do the checking. (A might be a network extension, an endpoint security process, or just sampling random pids so it can kill them off and see how things respond.) A wants to see if B is "legitimately signed." I believe "anchor apple or anchor apple generic" is a good starting place. But I also want to ensure that the Identifier belongs to whoever signed it. E.g., if it's signed "com.apple.sh" but was signed that way by me, that's not legitimate. Is there a way to tell that? A wants to see if B is part of its own organization. This would mean that they're signed the same way (e.g., same signing identity). (I was thinking about checking the identifier, but if A can see that B has the same signing identity as it, as long as it's not adhock 😄, that's correct.) If I use SecCodeCopySigningInformation(), with kSecCSSigningInformation, and then look for kSecCodeInfoCertificates in the dictionary... can I just check to see if they're all the same? Just a simple comparison of each element in each array? Maybe (2) is in fact so easy I just described it. But what about (1)?

Ok, so I have verified that (2) works! I can tell that an apple event came from my own buddies by comparing the certificates, which involved some work getting the audit token and doing stuff. Most of which I'd done before. So, again, thanks Quinn :). However, I still have no idea how to do (1).

Comparing certificates is not a good plan because it’s possible for two code items from the same organisation to be signed with different certificates. The obvious example of this is certificate expiration. If your Developer ID certificate expires and you renew it, it’ll be a different certificate. I thought about that; however, in this case, all of our executables are currently in the same bundle. They may be pulled out at some point, but I still have hopes of being able to do a drag&drop install ;). As a result, they will all be signed during the same build, and therefore with the same certificate. I keep thinking about "legitimate" and kinda keep leaning towards maybe it's not a problem. The big thing I think I want to know is if we decide to treat processes by tld.domain.company differently, then the process that says it is that, actually is that. As usual, you've given me more to think about which I always appreciate! If, for no other reason, it lets me refine what I'm trying to ask, and often to do.

Oh, also I was trying to figure out how to find my team id programmatically, I think.

You're luckier than I am -- I don't get any notification when my (transparent app proxy) changes state. I even changed my observer to get all notifications.

Wait now it's even weirder. It's only sometimes asynchronous?

No I'm stupid! I think I understand it now: the error handler is called on a later error. But, in my case, it's happening very shortly after I create the proxy, and that is what confused the heck out of me. Oy with the poodles!

As I said in my subsequent messages, I did figure it out -- I was being really dumb, for quite a long time. In retrospect, I can't see how I can remember which pant leg goes with which leg, honestly. ;) The truly ironic thing was that I was looking for a proxy equivalent to the invalidation handler for the connection, and it turns out I had the whole time, I was just dumb.

Surprisingly, the basic stuff seems to be surprisingly hard: what I was looking for was the equivalent of NEVPNStatusDidChangeNotification -- or basically, just a notification that a network change had happened. The behaviour causing this desire is if the sysex is disabled by the user, or if it dies, I want to be able to recover. Not too difficult, right? But polling is really a bad idea, and there isn't (that I can see?) a blocking "connect to XPC service" call. "Have everyone try to connect to their counterparts over xpc" is a fallback option, but I have a nagging but incomplete memory of a system-wide way to be notified if there are any network changes. (Reachability isn't it, since you need to give it an address to be able to reach, n'est-ce pas?)

Alas, no, NWPathMonitor does not get notified when the transparent app proxy is enabled or disabled. :(

Is there a sample or set of documentation for using that in Swift? (I'm still very, ahem, fuzzy on using-C-from-Swift.)