I'm looking into a newer XPC API available starting with macOS 14. Although it's declared as a low-level API I can't figure it how to specify code signing requirement using XPCListener and XPCSession. How do I connect it with xpc_listener_set_peer_code_signing_requirement and xpc_connection_set_peer_code_signing_requirement which require xpc_listener_t and xpc_connection_t respectively? Foundation XPC is declared as a high-level API and provides easy ways to specify code signing requirements on both ends of xpc. I'm confused with all these XPC APIs and their future: Newer really high-level XPCListener and XPCSession API (in low-level framework???) Low-level xpc_listener_t & xpc_connection_t -like API. Is it being replaced by newer XPCListener and XPCSession? How is it related to High-level Foundation XPC? Are NSXPCListener and NSXPCConnection going to be deprecated and replaced by XPCListener and XPCSession??

Hello, I have encountered several challenges related to System Integrity Protection (SIP) state detection and code signing requirements. I would like to seek clarification and guidance on the proper approach to programmatically determine the SIP state. Here are the issues I’ve encountered: XPC Code Signing Check APIs: APIs like setCodeSigningRequirement and setConnectionCodeSigningRequirement do not work when SIP disabled and that's ok given what SIP is. LaunchCodeRequirement API: When using Process.launchRequirement, the LaunchCodeRequirement API does not function anymore when SIP disabled. The IsSIPProtected requirement behaves in a way that is not clearly documented -- it appears to only apply to pre-installed Apple apps. Legacy APIs: Older APIs like SecCodeCheckValidity are likely to be non-functional, though I haven’t had the chance to validate this yet. Private API Concerns: So to mitigate those limitations I prefer my app to not even try to connect to untrusted XPC or launch untrusted Processes when SIP is disabled. The only way to determine SIP state I could find is a low-level C function csr_get_active_config. However, this function is not declared in any publicly available header file, indicating that it is a private API. Since private APIs cannot be used in App Store-distributed apps and are best avoided for Developer ID-signed apps, this does not seem like a viable solution. Given these limitations, what is the recommended and proper approach to programmatically determine the SIP state in a macOS application? Any insights or guidance would be greatly appreciated. Thank you!

Hello! I've just recently discovered LaunchCodeRequirement API and I'm exploring how it works compared to existing alternatives available for macOS versions below 14.4. Some questions I have with regards to safety of older and newer APIs examining the given example: func runProcess(executableURL: URL) throws { let process = Process() process.executableURL = executableURL if #available(macOS 14.4, *) { process.launchRequirement = try LaunchCodeRequirement.allOf { ValidationCategory(.developerID) SigningIdentifier("some-signing-identifier") TeamIdentifier("some-team-identifier") } } else { try secStaticCodeCheckValidity(executableURL) // Point #1 } do { try process.run() // Point #2 if #available(macOS 14.4, *) { // process.launchRequirement should take care of the process // and kill it if launchRequirement constraint is not satisfied } else { try secCodeCheckValidity(process.processIdentifier) // Point #3 } process.waitUntilExit() } catch { process.terminate() throw error } // Point #4 guard process.terminationReason == .exit else { throw SomeError() } } let requirement = """ anchor apple generic and identifier = "some-signing-identifier" and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf [subject.OU] = "some-team-identifier" """ func secStaticCodeCheckValidity(_ executableURL: URL) throws { // Init SecStaticCode from `executableURL` // Init SecRequirement from `requirement` let flags = SecCSFlags(rawValue: kSecCSBasicValidateOnly) guard SecStaticCodeCheckValidityWithErrors(code, flags, secRequirement, nil) == errSecSuccess else { throw CodeSignError() } } func secCodeCheckValidity(_ processIdentifier: Int32) { // Init SecCode from `processIdentifier` // Init SecRequirement from `requirement` guard SecCodeCheckValidityWithErrors(code, [], secRequirement, nil) == errSecSuccess else { throw CodeSignError() } } Before macOS 14.4+ flow There's still a small chance that between checking executable binary codesign requirement (Point #1) and launched process' one (Point #3) the binary could be replaced with something malicious and even get some CPU between Points #2 and #3 so technically it can't be 100% safe. Is that a correct statement? Any advices on making it safer? macOS 14.4+ flow Now let's see how launchRequirement is better. I guess initialized launchRequirement gets evaluated on running the process (Point #2). What does it exactly check? Executable at URL before launching the process (as OnDiskConstraint) or launched process (as ProcessConstraint)? Is there any chance the process gets some CPU before it's killed in case of failed codesign check? Any way to distinguish between codesign requirement termination and other reasons at point #4? It returns SIGKILL (9) as terminationStatus but it's not precise enough to be sure it was killed due to failed requirement check. I guess newer SecStaticCodeCheckValidityWithOnDiskRequirement & SecCodeCheckValidityWithProcessRequirement are the same as SecStaticCodeCheckValidityWithErrors & SecCodeCheckValidityWithErrors but a little simpler and can't be used as a 'more secure' way of validating codesign requirement. Thanks, Pavel

I was experimenting with Service Management API and Xcode project from https://developer.apple.com/documentation/servicemanagement/updating-your-app-package-installer-to-use-the-new-service-management-api and faced some issues with the API. I replaced agent with XPC service and tried to re-register it. Use case is a new app package installation with a newer service binary. In order to get the running service restarted with the new binary it's required to unregister old version and register new one. Otherwise the old version would be still running after app upgrade. The problem is that register fails with "Operation not permitted" error after running unregister which seems to work fine. Experiments with some delays (500ms) between unregister and register seem to help but it's a not a good solution to work around the problem. I'm using open func unregister() async throws with description: The completion handler will be invoked after the running process has been killed if successful or will be invoked whenever an error occurs. After the completion handler has been invoked it is safe to re-register the service. Sample output with no 500ms sleep between unregister and register calls: /Library/Application\ Support/YourDeveloperName/SMAppServiceSampleCode.app/Contents/MacOS/SMAppServiceSampleCode unregister && /Library/Application\ Support/YourDeveloperName/SMAppServiceSampleCode.app/Contents/MacOS/SMAppServiceSampleCode register Successfully unregistered LaunchDaemon(com.xpc.example.service.plist) Unable to register LaunchDaemon(com.xpc.example.service.plist): Error Domain=SMAppServiceErrorDomain Code=1 "Operation not permitted" UserInfo={NSLocalizedFailureReason=Operation not permitted} In fact it doesn't seem to be safe to re-register. Any explanation would much appreciated! ===================================================== Side issue #2: I tried to add a similar helper executable as in the original project with register/unregister and put it inside the same app bundle but at a different location like Contents/Helpers/ folder instead of Contents/MacOS. And it always fails with this error: Error Domain=SMAppServiceErrorDomain Code=3 "Codesigning failure loading plist: com.okta.service.osquery code: -67028" UserInfo={NSLocalizedFailureReason=Codesigning failure loading plist: com.okta.service.osquery code: -67028} When I moved the helper binary to Contents/MacOS/ folder along with the main app executable it starts working fine again. Other folders like Resources/XPCServices also don't work. Is it a hard requirement for an executable to be located inside main Contents/MacOS folder in order to be able to call SMAppService register/unregister APIs? I haven't found any documentation regarding this requirement. Thanks, Pavel