How does xpc_connection_set_peer_code_signing_requirement work?

I have created an XPC server and client using C APIs. I want to ensure that I trust the client, so I want to have a code-signing requirement on the server side, something like:

xpc_connection_set_peer_code_signing_requirement(listener, "anchor apple generic and certificate leaf[subject.OU] = \"1234567\"")

This checks if the client code was signed by a code-signing-identity issued by Apple and that the teamID in the leaf certificate is 1234567.

My questions are:

  1. Is using teamID as a signing requirement enough? What else can I add to this requirement to make it more secure?
  2. How does xpc_connection_set_peer_code_signing_requirement work internally? Does it do any cryptographic operations to verify the client's signature, or does it simply do string matching on the teamID?
  3. Is there a way to actually verify the client's signature (cryptographically) before establishing a connection with the server? (so we know the client is who he claims to be)
Accepted Answer
1. Is using teamID as a signing requirement enough?

Probably. You might want to tighten that up depending on your specific security goals. For example, you might want your distribution-signed server to not allow development-side clients.

For more background on this, and specific info on how Apple uses code-signing requirements in general, see TN3127 Inside Code Signing: Requirements.

2. How does xpc_connection_set_peer_code_signing_requirement work internally?

The exact mechanics of this are complex, but you can reasonably think of it as checking the requirement against the calling process. This is a code signing operation. You can prototype it with codesign, using the --verify subcommand. Two hints:

  • A little known fact is that you can get codesign to operate on a process by supplying a PID as an argument.

  • TN3127 shows how to request that codesign check a specific requirement.

You can also do this programmatically with the SecCodeCheckValidity family of routines.

WARNING This is fine for exploration, but don’t use it for a security check. Instead rely on xpc_connection_set_peer_code_signing_requirement. Doing this yourself exposes you to TOC/TOU problems.

3. Is there a way to actually verify the client's signature (cryptographically) before establishing a connection with the server?

That’s exactly what xpc_connection_set_peer_code_signing_requirement does.

ps XPC Resources has links to a post where I discuss this in more detail, and a bunch of other useful links as well.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
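An added example, not code from this thread or from Apple: an Objective-C command-line listener, using the same C XPC calls, that applies the asker's Team ID requirement and a tightened Developer ID-only variant of it. The service name and Team ID are placeholders; the two extra clauses in the tightened variant are the ones codesign prints in the designated requirement of a Developer ID-signed app.

```objective-c
// Added example, not from the thread. Build: clang -fobjc-arc -framework Foundation listener.m
#import <Foundation/Foundation.h>
#include <xpc/xpc.h>
// Constructed placeholders: substitute your launchd Mach service name and Team ID.
static const char *kServiceName = "com.example.requirement-demo";
static const char *kTeamID      = "1234567";
// The requirement from the question: an Apple-issued leaf whose OU is the Team ID.
// A leaf from an Apple Development identity for the same team satisfies this too.
static NSString *LooseRequirement(const char *teamID) {
    return [NSString stringWithFormat:
        @"anchor apple generic and certificate leaf[subject.OU] = \"%s\"", teamID];
}
// Tightened variant: also demand the Developer ID intermediate and the Developer ID
// Application leaf extension (the clauses codesign prints in a Developer ID app's
// designated requirement), so clients signed with a development identity no longer qualify.
static NSString *DeveloperIDRequirement(const char *teamID) {
    return [NSString stringWithFormat:
        @"anchor apple generic"
        @" and certificate 1[field.1.2.840.113635.100.6.2.6]"
        @" and certificate leaf[field.1.2.840.113635.100.6.1.13]"
        @" and certificate leaf[subject.OU] = \"%s\"", teamID];
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Any command-line argument selects the looser requirement, for comparison.
        NSString *req = argc > 1 ? LooseRequirement(kTeamID) : DeveloperIDRequirement(kTeamID);
        xpc_connection_t listener = xpc_connection_create_mach_service(
            kServiceName, NULL, XPC_CONNECTION_MACH_SERVICE_LISTENER);
        // The same text can be prototyped with: codesign --verify -R="<req>" <client pid>
        int rc = xpc_connection_set_peer_code_signing_requirement(listener, req.UTF8String);
        if (rc != 0) {  // non-zero: the requirement did not parse; refuse to serve at all
            NSLog(@"requirement rejected (%d): %@", rc, req);
            return 1;
        }
        xpc_connection_set_event_handler(listener, ^(xpc_object_t peer) {
            if (xpc_get_type(peer) != XPC_TYPE_CONNECTION) return;  // listener-level error
            // libxpc drops peers that fail the requirement before their messages get here.
            xpc_connection_set_event_handler(peer, ^(xpc_object_t event) {
                if (xpc_get_type(event) != XPC_TYPE_DICTIONARY) return;  // peer went away
                xpc_object_t reply = xpc_dictionary_create_reply(event);
                if (reply) { xpc_dictionary_set_string(reply, "status", "ok");
                             xpc_connection_send_message(peer, reply); }
            });
            xpc_connection_activate(peer);
        });
        xpc_connection_activate(listener);
        dispatch_main();  // never returns
    }
}
```

Run it with any argument to see the looser requirement accept a development-signed client that the default, Developer ID-only requirement rejects.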

Let's say there are 3 certificates in the certificate chain: Apple root, intermediate, leaf. The XPC client is codesigned using the leaf certificate.

Does xpc_connection_set_peer_code_signing_requirement verify the entire certificate chain?
