I’ve no idea why you’re getting this but it’s not a huge surprise: Authorisation plug-ins run in a very weird context.
It doesn't work even from the application context.
I ran 9 times a simple test containing only the following two line (I used PEAP as a authentication method):
[interface disassociate]; BOOL res = [interface associateToEnterpriseNetwork:network identity:nil username:myUsername password:myPassword error:&error];
2 times out of 9 I managed to connect to Wi-FI enterprise network without any prompts.
1 time out of 9 the method showed success, but I wasn't connected to Wi-Fi Enterprise network (It's strange, because in RADIUS server logs I see that "full access was granted")
6 times out of 9 the system kept asking for Wi-Fi credentials, which is weird because the correct credentials were specified as the parameters. Moreover, the associateToEnterpriseNetwork call was not blocking and terminated in a couple of seconds with the error code 1. But the credential prompt kept hanging, so I could enter the credentials and get connected to my enterprise network.
This behaviour looks unpredictable, it's quite glitchy .
As for the login window context, I tried to wrap the associateToEnterpriseNetwork method into a launched daemon and pull it from my authorisation plug-in. While I'm pulling the daemon being on the login window screen, I get the error -3903, the one i mentioned before. As soon as I leave the login window, my daemon stops showing the error -3903 and either works as expected or shows the error 1.
It looks like it's a bug.
Post
Replies
Boosts
Views
Activity
I dug into the problem a bit deeper.
I created a custom authorization plug-in with an empty mechanism that does absolutely nothing.
and inject the mechanism directly after "builtin:authenticate" for the right "authenticate".
In the case after locking the tab FileVault, buttons "Turn off FileVault..." and "Enable Users" work normally.
But if to SetContextValue for the key kAuthorizationEnvironmentUsername, buttons "Turn off FileVault..." and "Enable Users" stop reacting at all. The buttons don't react even if to get the value of the key kAuthorizationEnvironmentUsername from context and put it again with no changes. In the system logs, I see the following:
com.apple.preference.security.remoteservice Unlock user (<admin user>) is not found.
What is interesting ... changing kAuthorizationEnvironmentPassword only doesn't break the FileVault buttons.
Is that a known bug? Any workarounds?
Some update...
I was wrong about the bug reason. By clicking "Turn on FileVault..." with a custom authrorization plug-in, I see the following error:
default 01:05:58.196222+0300 opendirectoryd While verifying password: user <private> (<private>) is a SecureToken user
default 01:05:58.196247+0300 opendirectoryd While verifying password: user <private> (<private>) is a ShadowHash user
default 01:05:58.196268+0300 opendirectoryd While verifying password: using both SecureToken and ShadowHash
error 01:05:58.272387+0300 opendirectoryd Failed SecureToken authentication for AC6D2888-891E-4720-82F0-503A5D598030 other domain: invalid credentials
What is interesting, by unlocking the Preferences I see the the command above successful
default 01:13:13.362741+0300 opendirectoryd While verifying password: user <private> (<private>) is a SecureToken user
default 01:13:13.362768+0300 opendirectoryd While verifying password: user <private> (<private>) is a ShadowHash user
default 01:13:13.362792+0300 opendirectoryd While verifying password: using both SecureToken and ShadowHash
default 01:13:13.439127+0300 opendirectoryd Successful SecureToken authentication for AC6D2888-891E-4720-82F0-503A5D598030 other domain
default 01:13:13.545419+0300 opendirectoryd Verified password for <private> (AC6D2888-891E-4720-82F0-503A5D598030): SecureToken (ODNoError), Shadowhash (ODNoError)
default 01:13:13.545470+0300 opendirectoryd Verified password for <private> (AC6D2888-891E-4720-82F0-503A5D598030): SecureToken and Shadowhash results match
default 01:13:13.546567+0300 opendirectoryd AuthenticationAllowed: Evaluation result for record "<private>", record type "<private>": Success
default 01:13:13.546711+0300 opendirectoryd Authentication succeeded for <private>: ODNoError
default 01:13:13.546777+0300 opendirectoryd <private> (815A3688-FFFF-1D01-8C07-000001000000) is eligible for login hashes: SecureTokenOnly feature flag is not enabled
default 01:13:13.624443+0300 opendirectoryd Successful SecureToken authentication for AC6D2888-891E-4720-82F0-503A5D598030 other domain
default 01:13:13.624550+0300 opendirectoryd While setting credential for <private>: SecureToken is also set on the credential
We only support Touch ID from a standard app context. Folks ran into this on 10.15 (I think) where using Touch ID from a Network Extension provider stopped work. I’ve also researched this in the specific context of a pre-login context (a authorisation plug-in) and confirmed that this is not expected to work. Understood, thanks.
Can you suggest a better way to make a feature request for our customers then?
In Feedback Assistant there is no division into bugs and features.
Another question, all features are always for the public, and it's not possible to request a "private" feature from Apple especially for another company. I mean there is no partnership programs between Apple and another company?
Please correct me if I'm wrong.
I've just tested Beta 8. Unfortunately, the issues are still not fixed:
Here are the feedbacks that I've reported: FB8642358 (stuck on Login Window), FB8690483 (stuck while switching the user from the FUS menu)
Here are the feedbacks that I've reported: FB8642358 (stuck on Login Window), FB8690483 (stuck while switching the user from the FUS menu)
This crash is indeed fixed in Beta 6. However the login screen froze I tested Beta 6 and noticed the same issue.
The crash is definitely fixed, but authentication is stuck for "system.login.console" and "system.login.fus" rights with custom plug-ins (I tried three: our own, NameAndPassword and Apple's QAuthPlugins-3.0).
What is interesting authentication with a custom plug-in works properly for the rights: "authenticate", "system.restart", "system.shutdown".
Then I checked the logs and noticed that "loginwindow:done" never get called after successful call "loginwindow:success". Going further I noticed the error in SecurityAgent: "SecurityAgent Unable to get the user using a name, the user controller is not running".
default 17:25:21.191134+0300 authd engine 57: running mechanism builtin:reset-password,privileged (4 of 8)
default 17:25:21.192956+0300 authd engine 57: running mechanism builtin:auto-login,privileged (5 of 8)
default 17:25:21.194552+0300 authd engine 57: running mechanism builtin:authenticate-nocred,privileged (6 of 8)
default 17:25:21.486648+0300 authd engine 57: running mechanism loginwindow:success (7 of 8)
default 17:25:21.487188+0300 SecurityAgent loginwindow:success is being invoked
default 17:25:21.488545+0300 SecurityAgent nw_path_evaluator_start [8BCFEEBB-7E84-4759-8096-5D3197CE82A9 Hostname#74cc1d15:0 generic, indefinite]
path: satisfied (Path is satisfied), interface: en0, ipv4, dns
default 17:25:21.488821+0300 mDNSResponder [R536] getaddrinfo start -- flags: 0xC000D000, ifindex: 0, protocols: 0, hostname: <mask.hash: 'sjCIe59+OqYjy9AXN1miLA=='>, options: {}, client pid: 954 (SecurityAgent)
default 17:25:21.489845+0300 SecurityAgent The link monitor has been started
default 17:25:21.491861+0300 mDNSResponder [R536] getaddrinfo stop -- hostname: <mask.hash: 'sjCIe59+OqYjy9AXN1miLA=='>, client pid: 954 (SecurityAgent)
default 17:25:21.492181+0300 SecurityAgent Unable to get the user using a name, the user controller is not running
@eskimo, Is that a known bug? Any hope to get the fix in the release build of macOS 11?
Unfortunately, I didn't manage to find a workaround.
I reproduced that with a test app. The logs above are exactly from there.I call LAContext *context = [[LAContext alloc] init];
[context evaluatePolicy : LAPolicyDeviceOwnerAuthentication
localizedReason:@"Test"
reply: ^(BOOL success, NSError *error) {
if (success) {
} else {
NSLog(@"error = %@, %@", [error userInfo], [error localizedDescription]);
}
}];from(void)applicationDidFinishLaunching:(NSNotification *)aNotificationAnd there is nothing else in the app.
I represent the issue only after the logout-login sequence during the first policy call. After restart or power on, there is no issue at all.The full error in my case is:error = Error Domain=com.apple.LocalAuthentication Code=-1000 "UI activation timed out."
UserInfo={NSLocalizedDescription=UI activation timed out.}Some logs:com.apple.LocalAuthentication default 20:04:32.912683+0300 touchIDDemo Creating LAContext new cid:1com.apple.LocalAuthentication default 20:04:32.912785+0300 touchIDDemo runningInSystemContext = 0com.apple.LocalAuthentication default 20:04:32.913090+0300 touchIDDemo runningInOsxRecovery = 0com.apple.LocalAuthentication default 20:04:32.921514+0300 coreauthd Context[11:3112] createdcom.apple.LocalAuthentication default 20:04:32.921539+0300 coreauthd ContextProxy[18:11] created for Context[11:3112] pid:2824 uid:501com.apple.LocalAuthentication default 20:04:32.921648+0300 touchIDDemo LAContext[2824:1] created new cid:1com.apple.LocalAuthentication default 20:04:32.921709+0300 touchIDDemo evaluatePolicy:2 options:{ 2 = ddd;} on LAContext[2824:1] cid:2com.apple.LocalAuthentication default 20:04:32.921875+0300 coreauthd evaluatePolicy:2 options:{ 2 = ddd;}, uiDelegate:0 on ContextProxy[18:11] rid:25com.apple.LocalAuthentication default 20:04:32.923186+0300 coreauthd -[InstalledAppsCache pathForPid:] 2824 -> /Users/lex/Desktop/touchIDDemo/DerivedData/touchIDDemo/Build/Products/Debug/touchIDDemo.app on <private>com.apple.LocalAuthentication default 20:04:32.923368+0300 coreauthd -[InstalledAppsCache _localizedNameForBundle:] netiq.touchIDDemo -> touchIDDemo on <private>com.apple.LocalAuthentication default 20:04:32.923455+0300 coreauthd netiq.touchIDDemo was determined as bundle ID for pid 2824, but will show the name of touchIDDemocom.apple.LocalAuthentication default 20:04:32.923676+0300 coreauthd ACMRequirement:1, flags=0, state=1 -> MechanismPasscode[75]com.apple.LocalAuthentication default 20:04:32.923866+0300 coreauthd ACMRequirement:3, flags=0, state=1 -> MechanismTouchId[76]com.apple.LocalAuthentication default 20:04:32.923907+0300 coreauthd ACMRequirement:15, flags=0, state=1 -> MechanismWatch[77]com.apple.LocalAuthentication default 20:04:32.923949+0300 coreauthd +[MechanismKofN mechanismWithK:ofSubmechanisms:serial:] 1, ( "MechanismPasscode[75]", "MechanismTouchId[76]", "MechanismWatch[77]"), 0 on MechanismKofNcom.apple.LocalAuthentication default 20:04:32.924031+0300 coreauthd ACMRequirement:7, flags=0, state=1 -> <MechanismKofN: 0x0x7faf29411a80, k:1, submechanisms: ( "MechanismPasscode[75]", "MechanismTouchId[76]", "MechanismWatch[77]")>com.apple.BiometricKit default 20:04:32.924097+0300 coreauthd BKDevice::extendedBioLockoutState:forUser: 0x700005622390 501 (_cid 811262039)com.apple.BiometricKit default 20:04:32.928648+0300 coreauthd BKDevice::extendedBioLockoutState:forUser: -> 1 32 (null)com.apple.LocalAuthentication default 20:04:32.928801+0300 coreauthd isAvailable -> Error Domain=com.apple.LocalAuthentication Code=-11 "No AppleWatch was discovered." UserInfo={NSLocalizedDescription=No AppleWatch was discovered.}com.apple.LocalAuthentication default 20:04:32.928839+0300 coreauthd +[MechanismKofN mechanismWithK:ofSubmechanisms:serial:] 1, ( "MechanismPasscode[75]", "MechanismTouchId[76]"), 0 on MechanismKofNcom.apple.LocalAuthentication default 20:04:32.929059+0300 coreauthd uiMechanism: MechanismUI[80] nonUiMechanism: <MechanismKofN: 0x0x7faf29416920, k:1, submechanisms: ( "MechanismPasscode[75]", "MechanismTouchId[76]")>com.apple.LocalAuthentication default 20:04:32.929095+0300 coreauthd Started: <AuthenticationInProgress: 0x7faf29416a50 [pid:2824, uid:501, ahp:(null), started:(null)]>, replaced: (null)com.apple.LocalAuthentication default 20:04:32.929335+0300 coreauthd -[Daemon remoteAuthenticationInProgressWithPriority:reply:] on <private>com.apple.LocalAuthentication default 20:04:32.929375+0300 coreauthd -[AuthenticationManager remoteAuthenticationInProgressWithPriority:pid:reply:] on <private>com.apple.LocalAuthentication default 20:04:32.929435+0300 coreauthd cancelling running authentication: <AuthenticationInProgress: 0x7ff9d9407970 [pid:2629, uid:501, ahp:1, started:2020-04-14 17:03:46 +0000]> mechanism: MechanismTouchId[119]com.apple.LocalAuthentication default 20:04:32.929482+0300 coreauthd MechanismTouchId[119] will stop biometric operation: <BKMatchTouchIDOperation: 0x7ff9d9505260>com.apple.BiometricKit default 20:04:32.929503+0300 coreauthd BKOperation::cancel (_cid 66071432)com.apple.BiometricKit default 20:04:32.929548+0300 coreauthd BKOperation::cancel -> voidcom.apple.LocalAuthentication default 20:04:32.929579+0300 coreauthd MechanismTouchId[119] finished with Error Domain=com.apple.LocalAuthentication Code=-4 "Suspended FUS because of another authentication." UserInfo={NSLocalizedDescription=Suspended FUS because of another authentication.}com.apple.LocalAuthentication default 20:04:32.929747+0300 coreauthd -[AHPManager suspendAHPActivationWithError:] -> success on <private>com.apple.LocalAuthentication default 20:04:32.929769+0300 coreauthd FUS confirmation for <LAAuthenticationHintsProvider: 0x7ff9d912fdc0> will be destroyedcom.apple.LocalAuthentication default 20:04:32.930166+0300 coreauthd FUS confirmation for <LAAuthenticationHintsProvider: 0x7ff9d912fdc0> is stopping button monitoringcom.apple.LocalAuthentication default 20:04:32.930254+0300 coreauthd FUS confirmation for <LAAuthenticationHintsProvider: 0x7ff9d912fdc0> will be destroyedcom.apple.LocalAuthentication default 20:04:32.930668+0300 coreauthd FUS confirmation for <LAAuthenticationHintsProvider: 0x7ff9d912fdc0> is stopping button monitoringcom.apple.LocalAuthentication default 20:04:32.930687+0300 coreauthd biometry is now idle, 0 blocks in queuecom.apple.LocalAuthentication default 20:04:32.930715+0300 coreauthd ContextProxy[53:53] deallocatedcom.apple.LocalAuthentication default 20:04:32.930756+0300 coreauthd Context[53:3111] deallocatedcom.apple.LocalAuthentication default 20:04:32.931220+0300 coreauthd -[AuthenticationInProgressToken initWithPriority:pid:] 1, 348 on <private>com.apple.LocalAuthentication default 20:04:32.931292+0300 coreauthd registered authenticationInProgressToken: <_NSXPCDistantObject: 0x7faf2950a000>com.apple.LocalAuthentication default 20:04:32.931324+0300 coreauthd cancelling running authentication: <AuthenticationInProgress: 0x7ff9d9407970 [pid:2629, uid:501, ahp:1, started:2020-04-14 17:03:46 +0000]> mechanism: MechanismTouchId[119]com.apple.LocalAuthentication default 20:04:32.931334+0300 coreauthd MechanismUI[80] startingcom.apple.LocalAuthentication default 20:04:32.931374+0300 coreauthd clearing authentication: <AuthenticationInProgress: 0x7ff9d9407970 [pid:2629, uid:501, ahp:1, started:2020-04-14 17:03:46 +0000]>com.apple.LocalAuthentication default 20:04:32.931432+0300 coreauthd -[MechanismUI _showUI] _nonUiMechanisms: <MechanismKofN: 0x0x7faf29416920, k:1, submechanisms: ( "MechanismPasscode[75]", "MechanismTouchId[76]")> on <private>com.apple.LocalAuthentication default 20:04:32.931411+0300 coreauthd Will not run idle blocks now, remote authentications in progress: ( "<AuthenticationInProgressToken 0x7ff9d6d09540 [priority:1 pid:348]>")com.apple.LocalAuthentication default 20:04:32.931523+0300 coreauthd _backgroundMechanism: MechanismTouchId[76], _backgroundMechanism2: (null), _continueMechanism: (null), _fallbackMechanism: MechanismPasscode[75]com.apple.LocalAuthentication default 20:04:32.931611+0300 coreauthd XPC error: Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service on pid 0 named com.apple.LocalAuthentication.DFR was invalidated from this process." UserInfo={NSDebugDescription=The connection to service on pid 0 named com.apple.LocalAuthentication.DFR was invalidated from this process.}com.apple.LocalAuthentication default 20:04:32.931654+0300 coreauthd XPC error: Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service on pid 0 named com.apple.LocalAuthentication.DFR was invalidated from this process." UserInfo={NSDebugDescription=The connection to service on pid 0 named com.apple.LocalAuthentication.DFR was invalidated from this process.}com.apple.LocalAuthentication default 20:04:32.932540+0300 coreauthd -[InstalledAppsCache pathForPid:] 2824 -> /Users/lex/Desktop/touchIDDemo/DerivedData/touchIDDemo/Build/Products/Debug/touchIDDemo.app on <private>com.apple.LocalAuthentication default 20:04:32.932580+0300 coreauthd Activating UI via <NSXPCConnection: 0x7faf296096f0> connection to service on pid 0 named com.apple.LocalAuthentication.UIcom.apple.LocalAuthentication default 20:04:32.932729+0300 coreauthd XPC error: Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service on pid 0 named com.apple.LocalAuthentication.UI was invalidated." UserInfo={NSDebugDescription=The connection to service on pid 0 named com.apple.LocalAuthentication.UI was invalidated.}com.apple.LocalAuthentication default 20:04:32.939650+0300 coreautha LA logging set up for this process.com.apple.LocalAuthentication default 20:04:32.940707+0300 coreautha -[LADFRController connectionInvalidated] on <private>com.apple.LocalAuthentication default 20:04:32.941652+0300 coreauthd BKActiveOperationNotification token: 21com.apple.LocalAuthentication default 20:04:32.941715+0300 coreauthd Will not run idle blocks now, remote authentications in progress: ( "<AuthenticationInProgressToken 0x7ff9d6d09540 [priority:1 pid:348]>")com.apple.processmanager default 20:04:32.948429+0300 coreautha FRONTLOGGING: version 1com.apple.processmanager default 20:04:32.948450+0300 coreautha Registering, pid=2828com.apple.processmanager default 20:04:32.949444+0300 coreautha CHECKIN: pid=2828com.apple.runningboard default 20:04:32.954849+0300 runningboardd Resolved pid 2828 to [daemon<com.apple.LocalAuthentication.UIAgent(501)>:2828]com.apple.processmanager default 20:04:32.955159+0300 coreautha CHECKEDIN: pid=2828 asn=0x0-0x1d41d4 foreground=0com.apple.launchservices default 20:04:32.954956+0300 launchservicesd CHECKIN:0x0-0x1d41d4 2828 com.apple.LocalAuthentication.UIAgentcom.apple.runningboard default 20:04:32.956393+0300 runningboardd [daemon<com.apple.LocalAuthentication.UIAgent(501)>:2828] This process will not be managed.com.apple.runningboard default 20:04:32.956419+0300 runningboardd Now tracking process: [daemon<com.apple.LocalAuthentication.UIAgent(501)>:2828]com.apple.runningboard default 20:04:32.956895+0300 runningboardd Acquiring assertion targeting daemon<com.apple.LocalAuthentication.UIAgent(501)> from originator [daemon<com.apple.coreservices.launchservicesd>:138] with description <RBSAssertionDescriptor; uielement:2828; ID: 279-138-1018; target: 2828> attributes = { <RBSDomainAttribute: 0x7fb3f0508570; domain: com.apple.launchservicesd; name: RoleUserInteractive; sourceEnvironment: 0x0>;}com.apple.runningboard default 20:04:32.957046+0300 runningboardd Assertion 279-138-1018 (target:daemon<com.apple.LocalAuthentication.UIAgent(501)>) will be created as activecom.apple.runningboard default 20:04:32.957550+0300 runningboardd Acquiring assertion targeting daemon<com.apple.LocalAuthentication.UIAgent(501)> from originator [daemon<com.apple.coreservices.launchservicesd>:138] with description <RBSAssertionDescriptor; uielement:2828; ID: 279-138-1019; target: 2828> attributes = { <RBSDomainAttribute: 0x7fb3f23057c0; domain: com.apple.launchservicesd; name: RoleUserInteractive; sourceEnvironment: 0x0>;}com.apple.runningboard default 20:04:32.957606+0300 runningboardd [daemon<com.apple.LocalAuthentication.UIAgent(501)>:2828] Ignoring jetsam update because this process is not memory-managedcom.apple.runningboard default 20:04:32.957884+0300 runningboardd [daemon<com.apple.LocalAuthentication.UIAgent(501)>:2828] Ignoring resume because this process is not lifecycle managedcom.apple.runningboard default 20:04:32.957803+0300 runningboardd Assertion 279-138-1019 (target:daemon<com.apple.LocalAuthentication.UIAgent(501)>) will be created as activecom.apple.runningboard default 20:04:32.958121+0300 runningboardd [daemon<com.apple.LocalAuthentication.UIAgent(501)>:2828] Set darwin role to: UserInteractivecom.apple.runningboard default 20:04:32.958339+0300 runningboardd [daemon<com.apple.LocalAuthentication.UIAgent(501)>:2828] Ignoring GPU update because this process is not GPU managedcom.apple.runningboard default 20:04:32.959125+0300 runningboardd Finished acquiring assertion 279-138-1019 (target:daemon<com.apple.LocalAuthentication.UIAgent(501)>)com.apple.runningboard default 20:04:32.959146+0300 runningboardd Invalidating assertion 279-138-1018 (target:daemon<com.apple.LocalAuthentication.UIAgent(501)>) from originator 138com.apple.runningboard default 20:04:32.959427+0300 runningboardd Finished acquiring assertion 279-138-1018 (target:daemon<com.apple.LocalAuthentication.UIAgent(501)>)com.apple.TCC default 20:04:32.960861+0300 tccd -[TCCDAccessIdentity staticCode]: static code for: identifier com.apple.LocalAuthentication.UIAgent, type: 0: 0x7fe77bc3d4d0 at /System/Library/Frameworks/LocalAuthentication.framework/Support/coreautha.bundlecom.apple.TCC default 20:04:32.966909+0300 tccd -[TCCDAccessIdentity staticCode]: static code for: identifier com.apple.LocalAuthentication.UIAgent, type: 0: 0x7fe77b8352c0 at /System/Library/Frameworks/LocalAuthentication.framework/Support/coreautha.bundlecom.apple.processmanager default 20:04:32.972261+0300 coreautha Registered, pid=2828 ASN=0x0,0x1d41d4com.apple.processmanager default 20:04:32.972418+0300 coreautha Registered, pid=2828 cgConnectionID=82d03com.apple.processmanager default 20:04:32.973287+0300 coreautha BringForward: pid=2828 asn=0x0-0x1d41d4 bringForward=0 foreground=0 uiElement=1 launchedByLS=0 modifiersCount=0 allDisabled=0com.apple.AppKit default 20:04:32.976047+0300 coreautha Current system appearance, (HLTB: 1), (SLS: 0)com.apple.AppKit default 20:04:32.978091+0300 coreautha Post-registration system appearance: (HLTB: 1)com.apple.distnoted default 20:04:32.984481+0300 distnoted register name: com.apple.xctest.FakeForceTouchDevice object: com.apple.LocalAuthentication.UIAgent token: f4267 pid: 2828com.apple.dt.xctest default 20:04:32.987848+0300 coreautha Registering for test daemon availability notify post.com.apple.dt.xctest default 20:04:32.987970+0300 coreautha notify_get_state check indicated test daemon not ready.com.apple.processmanager default 20:04:32.990741+0300 coreautha SignalReady: pid=2828 asn=0x0-0x1d41d4com.apple.processmanager default 20:04:32.991208+0300 coreautha SIGNAL: pid=2828 asn=0x0x-0x1917396com.apple.TCC default 20:04:32.997421+0300 tccd -[TCCDAccessIdentity staticCode]: static code for: identifier com.apple.LocalAuthentication.UIAgent, type: 0: 0x7fe77b835dd0 at /System/Library/Frameworks/LocalAuthentication.framework/Support/coreautha.bundlecom.apple.AppKit default 20:04:33.006668+0300 coreautha NSApp cache appearance:-NSRequiresAquaSystemAppearance: 0-appearance: (null)-effectiveAppearance: <NSCompositeAppearance: 0x6000004e0900( "<NSAquaAppearance: 0x6000004e0700>", "<NSSystemAppearance: 0x6000004e0780>")>com.apple.distnoted default 20:04:33.010600+0300 distnoted register name: com.apple.nsquiet_safe_quit_give_reason object: com.apple.LocalAuthentication.UIAgent token: f428e pid: 2828com.apple.LocalAuthentication error 20:04:37.931924+0300 coreauthd showUI result: Error Domain=com.apple.LocalAuthentication Code=-1000 "UI activation timed out." UserInfo={NSLocalizedDescription=UI activation timed out.}com.apple.LocalAuthentication default 20:04:37.932081+0300 coreauthd -[MechanismUI willFinish] on <private>com.apple.LocalAuthentication default 20:04:37.932177+0300 coreauthd MechanismUI[80] finished with Error Domain=com.apple.LocalAuthentication Code=-1000 "UI activation timed out." UserInfo={NSLocalizedDescription=UI activation timed out.}com.apple.LocalAuthentication default 20:04:37.932924+0300 touchIDDemo evaluatePolicy on LAContext[2824:1] cid:2 returned Error Domain=com.apple.LocalAuthentication Code=-1000 "UI activation timed out." UserInfo={BiometryType=1, NSLocalizedDescription=UI activation timed out.}com.apple.LocalAuthentication default 20:04:37.933017+0300 coreauthd -[AuthenticationInProgressToken dealloc] on <private>default 20:04:37.933036+0300 touchIDDemo error = Error Domain=com.apple.LocalAuthentication Code=-1000 "UI activation timed out." UserInfo={NSLocalizedDescription=UI activation timed out.}com.apple.LocalAuthentication default 20:04:37.933332+0300 coreauthd -[AuthenticationManager _bkIsBusy] -> 0 on <private>com.apple.LocalAuthentication default 20:04:37.933106+0300 touchIDDemo LAContext[2824:1] deallocated
//Check out my Packaging a Daemon with a Provisioning Profile post.I modified my daemon as described in the post, but that didn't fix the issue.SecKeyCreateRandomKey never works for me when kSecAttrAccessControl is set from the daemon context.I've submitted a TSI (Technical Support Incident, Case ID: 733082779), so could you take a look?
)Hi Quinn,I tried with the provisioning profile, but it's still doesn't work (now with a different error). When the service is launched via launchctl (as a LaunchDaemon), I get the following error:SecKeyCreateRandomKey failed: Error Domain=NSOSStatusErrorDomain Code=-25291 "failed to generate asymmetric keypair" (errKCNotAvailable / errSecNotAvailable: / No trust results are available.But when the service is launched as an app or as a root (from the Contents/MacOS/*** folder) it works as expected.The service bundle has normal structure:Contents
embedded.provisionprofile
MacOS
MyServiceIn Xcode I added the "keychain sharing" Capability (with the empty keychain groups)When run the service app itsef, like:open MyService.appor as a root as:sudo MyService/Contents/MacOS/MyServiceSecKeyCreateRandomKey works as expectedBut when I load the service launchctl it fails with two different erros:sudo launchctl load /Library/LaunchDaemons/com.company.myservice.plist<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs$<plist version="1.0"><dict> <key>Label</key> <string>com.netiq.deviceservice</string> <key>ProgramArguments</key> <array> <string>/Library/Application Support/Company/MyService.app/Contents/MacOS/MyService</string> <string>start</string> </array> <key>RunAtLoad</key> <true/> <key>KeepAlive</key> <true/></dict></plist>My Code: SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleWhenUnlocked,
kSecAccessControlUserPresence , &error);
NSDictionary *attributes = @{
(__bridge id)kSecAttrTokenID: (__bridge id)kSecAttrTokenIDSecureEnclave,
(__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeEC,
(__bridge id)kSecAttrKeySizeInBits: @256,
(__bridge id)kSecPrivateKeyAttrs: @{
(__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject,
(__bridge id)kSecAttrIsPermanent: @YES,
(__bridge id)kSecAttrLabel: [NSString stringWithUTF8String:KEY_NAME],
},
};
SecItemDelete((__bridge CFDictionaryRef)attributes);
SecKeyRef privateKey = SecKeyCreateRandomKey((__bridge CFDictionaryRef)attributes, &error);With SecurityEnclave on(__bridge id)kSecAttrTokenID: (__bridge id)kSecAttrTokenIDSecureEnclave,I receive the error:SecKeyCreateRandomKey failed: Error Domain=NSOSStatusErrorDomain Code=-26276 "failed to generate asymmetric keypair" UserInfo={NSDescription=failed to generate asymmetric keypair}Without SecurityEnclave the error is different:SecKeyCreateRandomKey failed: Error Domain=NSOSStatusErrorDomain Code=-25291 "failed to generate asymmetric keypair" (errKCNotAvailable / errSecNotAvailable: / No trust results areAnd these two errors happen only when I launch the service through launchctl as a launch daemon.If to remove(__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject,SecKeyCreateRandomKey works properly, but that's not what it need.Any ideas what's wrong? Thanks.
Hi Quinn,You wrote:What exactly is a “service-console application”? Specifically, during deployment (as opposed to development), how is this program started?I've already mentioned the structure of my daemon in one of my previews question regarding the "Input Monitoring" prompt. It's still a console app, but now it's also packed inside an app to get the "Input Monitoring" prompt. Also this daemon interrogates with a custom Authorization Plug-in.Btw, thank you very much for your suggestions regarding "Input Monitoring" 🙂. I have a Launch Daemon with a plist file located in /Library/LaunchDaemons.The plist is quite straightforward:<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict> <key>Label</key> <string>com.test.hardwareservice</string> <key>ProgramArguments</key> <array> <string>/Library/Application Support/[Vendor]/HardwareService.app/Contents/MacOS/HardwareService</string> <string>start</string> </array> <key>RunAtLoad</key> <true/> <key>KeepAlive</key> <true/></dict></plist>HardwareService is based on the POCO library. It uses a ServerApplication class, and can work from the command line or asa service or daemon. Technically, HardwareService is a console application.
Hi Quinn,Sorry, I forgot to mention this. I have a Launch Daemon with a plist file located in /Library/LaunchDaemons.The plist is quite straightforward:<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict> <key>Label</key> <string>com.test.hardwareservice</string> <key>ProgramArguments</key> <array> <string>/Library/LaunchDaemons/Test/HardwareService</string> <string>start</string> </array> <key>RunAtLoad</key> <true/> <key>KeepAlive</key> <true/></dict></plist>HardwareService is based on the POCO library. It uses a ServerApplication class, and can work from the command line or asa service or daemon. Technically, HardwareService is a console application.I've tried to create a test console application without Poco that calls IOHIDDeviceOpen, the prompt ("keystroke receiving") was missing as well. The prompt is only shown when I call IOHIDDeviceOpen from a test application with a bundle.