This looks great but how do I use it from Swift (OSX only)? As you can see I use NSXPCConnection right now. I could switch the entire XPC codebase to ObjC for this but that is a drawback for sure. Anyways my reasoning was: If I use SecTrustCreateWithCertificates to validate the chain and the chain is OK, then I can query the certificates involved a bit more loosely and just check CN like above. One problem I want to solve is that I have a helper tool I talk to over XPC and sometimes it is the Developer ID signed version of this certificate and sometimes it is the notarised variant so two flavors of credentials are OK for me to trust. Otherwise I was using the approach from https://github.com/suolapeikko/PrivilegedTaskRunner/blob/master/PrivilegedTaskRunnerHelper/CodesignChecker.swift which relies on the fact that the certificate chain of both helper tool and connecting app need to be identical which at least to a layperson like me seems sound but is inflexible wrt the double-signing issue. This double-signing thing will go away when I develop the app less frequently and users only run notarised versions.

The reason for Xcode 14.2 not producing a working build wrt SMJobBless was that the CN in the imported Developer certificate had somehow changed. It contained the same developer id, but instead of my email address which had been part of the certificate CN, now it contained my real name instead. When I re-ran SMJobBlessUtil.py and changed the SMAuthorizedClients requirement, all worked. Had to use this version: https://gist.github.com/mikeyh/89a1e2ecc6849ff6056b7391c5216799 Thanks for the advice on how to migrate, I might work on that later. For now, I will keep SMJobBless for a while.