Posts

Post marked as solved
6 Replies
1.8k Views
Hello,

I'm trying to get my app to communicate with a FinderSync extension using XPC. In my app, I run the listener:

```objc
_xpcListener = [[NSXPCListener alloc] initWithMachServiceName:_serviceName];
_xpcListener.delegate = self;
[_xpcListener resume];
```

where _serviceName = "a.b.c.d.e.f".

In the Info.plist of the app bundle, I have:

```xml
<key>MachServices</key>
<dict>
    <key>a.b.c.d.e.f</key>
    <true/>
</dict>
```

In the FinderSync ext, I try to connect to the XPC service:

```objc
_xpcConnection = [[NSXPCConnection alloc] initWithMachServiceName:_serviceName options:0];
...
[_xpcConnection resume];
```

It works in debug, but not when the app is installed. In this case, _xpcConnection.invalidationHandler is called. The FinderSync ext belongs to the app bundle.

The .entitlements of the App:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "...">
<plist version="1.0">
<dict>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>a.b.c.d.e</string>
    </array>
</dict>
</plist>
```

The .entitlements of the FinderSync:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "...">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>a.b.c.d.e</string>
    </array>
</dict>
</plist>
```

The app is notarized:

```
% spctl --assess -vvvv /Applications/myApp.app
/Applications/myApp.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: ...
```

In the Console, just after the start of the listener, there is this error (3 times) for the myApp process:

```
Trust evaluate failure: [leaf TemporalValidity]
```

So I checked its certificates, but they are valid:

```
% codesign -dvvvv --extract-certificates /Applications/myApp.app
% openssl x509 -inform DER -in codesign0 -text
...
        Validity
            Not Before: Jun 22 11:59:25 2020 GMT
            Not After : Jun 23 11:59:25 2025 GMT
...
% openssl x509 -inform DER -in codesign1 -text
...
        Validity
            Not Before: Feb 1 22:12:15 2012 GMT
            Not After : Feb 1 22:12:15 2027 GMT
...
% openssl x509 -inform DER -in codesign2 -text
...
        Validity
            Not Before: Apr 25 21:40:36 2006 GMT
            Not After : Feb 9 21:40:36 2035 GMT
...
```

The computer date is OK:

```
% date
Thu Apr 8 09:20:44 CEST 2021
```

In the Console, there is also this error for the tccd process:

```
Prompting policy for hardened runtime; service: kTCCServiceAppleEvents requires entitlement com.apple.security.automation.apple-events but it is missing for accessing={identifier=a.b.c.d.e, pid=12245, auid=501, euid=501, binary_path=/Applications/myApp.app/Contents/PlugIns/Extension.appex/Contents/MacOS/Extension}, requesting={identifier=com.apple.appleeventsd, pid=328, auid=55, euid=55, binary_path=/System/Library/CoreServices/appleeventsd},
```

I tried to add this com.apple.security.automation.apple-events entitlement to the App and the ext, but it didn't fix the problem.

How can I debug this issue?

Thank you.
Posted by chrilarc.
Post not yet marked as solved
5 Replies
2.9k Views
Since Ventura (Mac M1 only), Endpoint Security extensions have lost the rights to launch:

=> es_new_client returns ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED

It is needed to reboot in Recovery mode, go to Startup Security Utility and select "Allow user management of kernel extensions from identified developers".

Is this something that will be fixed soon? (We can't ask our customers to do that.)
Posted by chrilarc.
Post marked as solved
1 Replies
639 Views
Hello, I have an app with Minimum system version = 10.13 in Info.plist. This app embeds a sys ext whose Minimum system version is 10.15. It's running in 10.15 and 11, but not in 10.14 and 10.13. => kLSIncompatibleSystemVersionErr The sys ext is installed only if "@available(macOS 10.15, *)", the app can run without it. How can I manage this issue? Thank you.
Posted by chrilarc.
Post not yet marked as solved
2 Replies
1k Views
Hello, I would like to intercept the open event on a file in order to load it from a cloud. I am trying to use an EndpointSecurity extension but I don't know how to manage the "deadline" timeout. I subscribed to the ES_EVENT_TYPE_AUTH_OPEN event. When I'm able to fetch the file before the event deadline, I call es_respond_flags_result with authorized_flags = 0xffffffff to accept, else I call it with authorized_flags = 0 to deny. In the latter case, it is not satisfactory as the open process fails. How could I solve this issue?
Posted by chrilarc.
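Added example (my code, not the poster's) of one way to manage the AUTH_OPEN deadline described in the post above: the message is retained, the cloud fetch runs off the handler thread, and whichever finishes first, the fetch or a timer armed 500 ms before msg->deadline, sends the single response. FetchFileFromCloud, the 500 ms margin and the queue name are assumptions; es_retain_message/es_release_message need macOS 11 or later, and HandleAuthOpen is meant to be called from the es_new_client handler block for ES_EVENT_TYPE_AUTH_OPEN messages.

```objective-c
#import <EndpointSecurity/EndpointSecurity.h>
#import <Foundation/Foundation.h>
#import <mach/mach_time.h>

// Hypothetical helper: blocks until the file is on disk, returns YES on success.
static BOOL FetchFileFromCloud(NSString *path) { return [[NSFileManager defaultManager] fileExistsAtPath:path]; }

// Convert a mach_absolute_time() interval to nanoseconds.
static uint64_t MachTicksToNanos(uint64_t ticks) {
    static mach_timebase_info_data_t tb;
    if (tb.denom == 0) mach_timebase_info(&tb);
    return ticks * tb.numer / tb.denom;
}

// Handler for one ES_EVENT_TYPE_AUTH_OPEN message: allow if the fetch completes in
// time, otherwise deny shortly before the kernel's deadline expires.
static void HandleAuthOpen(es_client_t *client, const es_message_t *msg) {
    es_retain_message(msg);   // keep the message valid after this function returns (macOS 11+)
    es_string_token_t p = msg->event.open.file->path;
    NSString *path = [[NSString alloc] initWithBytes:p.data length:p.length encoding:NSUTF8StringEncoding];

    // Time left until msg->deadline (mach_absolute_time units), minus a 500 ms margin.
    uint64_t now = mach_absolute_time();
    uint64_t leftNs = msg->deadline > now ? MachTicksToNanos(msg->deadline - now) : 0;
    int64_t denyAfterNs = (int64_t)leftNs - (int64_t)(500 * NSEC_PER_MSEC);
    if (denyAfterNs < 0) denyAfterNs = 0;

    // Both completions run on one serial queue, so exactly one of them responds
    // and releases the message.
    dispatch_queue_t q = dispatch_queue_create("example.authopen.response", DISPATCH_QUEUE_SERIAL);
    __block BOOL responded = NO;

    dispatch_async(dispatch_get_global_queue(QOS_CLASS_USER_INITIATED, 0), ^{
        BOOL ok = FetchFileFromCloud(path);
        dispatch_async(q, ^{
            if (responded) return;
            responded = YES;
            es_respond_flags_result(client, msg, ok ? 0xffffffff : 0, false);  // no caching: result depends on the fetch
            es_release_message(msg);
        });
    });

    dispatch_after(dispatch_time(DISPATCH_TIME_NOW, denyAfterNs), q, ^{
        if (responded) return;
        responded = YES;
        es_respond_flags_result(client, msg, 0, false);  // deadline imminent: deny rather than miss it
        es_release_message(msg);
    });
}
```

Missing the deadline gets the ES client killed by the system, so the timer branch is what keeps the extension alive; the deny it sends is the same outcome the post describes as unsatisfactory, but it is the only response available once the fetch has not finished.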
Post marked as solved
11 Replies
3.6k Views
Hello,

My app (embedding a Finder ext and Sys ext) is running well on my development machine (Big Sur with SIP disabled) but crashes at startup on Catalina (with SIP). The app is signed and notarized.

```
Exception Type:        EXC_CRASH (Code Signature Invalid)
Exception Codes:       0x0000000000000000, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY
Termination Reason:    Namespace CODESIGNING, Code 0x1
```

I did the following checks:

```
codesign -dv --verbose=4 /Applications/myApp.app
Executable=/Applications/myApp.app/Contents/MacOS/myApp
Identifier=a.b.c.d
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=37422 flags=0x10000(runtime) hashes=1158+7 location=embedded
VersionPlatform=1
VersionMin=659200
VersionSDK=721152
Hash type=sha256 size=32
CandidateCDHash sha256=97cb5bb480cd24ee3f3abc025271110f481bef5a
CandidateCDHashFull sha256=97cb5bb480cd24ee3f3abc025271110f481bef5a601b72d7c0b1440d2188c096
Hash choices=sha256
CMSDigest=97cb5bb480cd24ee3f3abc025271110f481bef5a601b72d7c0b1440d2188c096
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=3915776
Executable Segment flags=0x1
Page size=4096
CDHash=97cb5bb480cd24ee3f3abc025271110f481bef5a
Signature size=8992
Authority=Developer ID Application: ...
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=19 May 2021 at 10:50:35
Info.plist entries=22
TeamIdentifier=...
Runtime Version=11.1.0
Sealed Resources version=2 rules=13 files=118
Internal requirements count=1 size=196
```

Could the "Runtime Version=11.1.0" explain the issue? Note that the deployment target is 10.15.

```
codesign -vvv --deep --strict /Applications/myApp.app
...
/Applications/myApp.app: valid on disk
/Applications/myApp.app: satisfies its Designated Requirement
```

```
spctl -a -t exec -vvv /Applications/myApp.app 2>&1 | grep Notarized
source=Notarized Developer ID
```

```
security cms -D -i /Applications/myApp.app/Contents/Library/SystemExtensions/a.b.c.d.e.Extension.systemextension/Contents/embedded.provisionprofile
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "...">
<plist version="1.0">
<dict>
    <key>AppIDName</key>
    <string>...</string>
    <key>ApplicationIdentifierPrefix</key>
    <array>
        <string>...</string>
    </array>
    <key>CreationDate</key>
    <date>2021-03-29T06:47:11Z</date>
    <key>Platform</key>
    <array>
        <string>OSX</string>
    </array>
    <key>IsXcodeManaged</key>
    <false/>
    <key>DeveloperCertificates</key>
    <array>
        <data>[certificate data omitted]</data>
    </array>
    <key>Entitlements</key>
    <dict>
        <key>com.apple.developer.endpoint-security.client</key>
        <true/>
        <key>com.apple.developer.system-extension.install</key>
        <true/>
        <key>com.apple.application-identifier</key>
        <string>...</string>
        <key>keychain-access-groups</key>
        <array>
            <string>....*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>...</string>
    </dict>
    <key>ExpirationDate</key>
    <date>2039-03-25T06:47:11Z</date>
    <key>Name</key>
    <string>...</string>
    <key>ProvisionsAllDevices</key>
    <true/>
    <key>TeamIdentifier</key>
    <array>
        <string>...</string>
    </array>
    <key>TeamName</key>
    <string>...</string>
    <key>TimeToLive</key>
    <integer>6570</integer>
    <key>UUID</key>
    <string>db2079f3-d329-4c03-b8ca-23a61ec3b305</string>
    <key>Version</key>
    <integer>1</integer>
</dict>
</plist>
```

Is there something bad here?

Thank you
Chris
Posted by chrilarc.
Post not yet marked as solved
2 Replies
903 Views
Hello,

In my FinderSync extension, I update file badges with the following instruction, but the Finder doesn't (always) refresh them.

```objc
[[FIFinderSyncController defaultController] setBadgeIdentifier:result forURL:[NSURL fileURLWithPath:normalizedPath]];
```

I tried without success to force the refresh with:

```objc
[[NSWorkspace sharedWorkspace] noteFileSystemChanged:path];
NSString *source = [NSString stringWithFormat:@"tell application \"Finder\" to update item (POSIX file \"%@\")", path];
NSAppleScript *appleScript = [[NSAppleScript alloc] initWithSource:source];
if (appleScript != nil) {
    [appleScript executeAndReturnError:nil];
}
```

Hiding then showing the files (chflags) doesn't work better. I'm on macOS Big Sur.

Any idea to get around this bug?

Thank you.
Chris
Posted by chrilarc.
Post marked as solved
3 Replies
1.5k Views
Hello,

I have implemented an Endpoint Security system extension with the NSEndpointSecurityMachServiceName property. My app is able to connect to the extension using initWithMachServiceName and is able to run the functions exported by the extension. But the reverse produces a strange error in the app process:

```
NSXPCConnection: 0x12f924aa0 connection to service on pid 30174 named a.b.c.d.e.f: Exception caught during decoding of received selector hello, dropping incoming message. Exception: NSXPCDecoder: 0x10b909600 received a message or reply block that is not in the interface of the remote object (hello), dropping.
(
    0   CoreFoundation                      0x00007fff205f56af __exceptionPreprocess + 242
    1   libobjc.A.dylib                     0x00007fff2032d3c9 objc_exception_throw + 48
    2   Foundation                          0x00007fff212c73e4 -[NSXPCDecoder __decodeXPCObject:allowingSimpleMessageSend:outInvocation:outArguments:outArgumentsMaxCount:outMethodSignature:outSelector:isReply:replySelector:interface:] + 2244
    3   Foundation                          0x00007fff21312001 -[NSXPCDecoder _decodeMessageFromXPCObject:allowingSimpleMessageSend:outInvocation:outArguments:outArgumentsMaxCount:outMethodSignature:outSelector:interface:] + 33
    4   Foundation                          0x00007fff21310e3b -[NSXPCConnection _decodeAndInvokeMessageWithEvent:flags:] + 418
    5   Foundation                          0x00007fff212c8d49 message_handler + 206
    6   libxpc.dylib                        0x00007fff201c6c28 _xpc_connection_call_event_handler + 56
    7   libxpc.dylib                        0x00007fff201c5a9c _xpc_connection_mach_event + 935
    8   libdispatch.dylib                   0x00007fff202d8867 _dispatch_client_callout4 + 9
    9   libdispatch.dylib                   0x00007fff202efa47 _dispatch_mach_msg_invoke + 441
    10  libdispatch.dylib                   0x00007fff202de4a7 _dispatch_lane_serial_drain + 263
    11  libdispatch.dylib                   0x00007fff202f05b8 _dispatch_mach_invoke + 498
    12  libdispatch.dylib                   0x00007fff202de4a7 _dispatch_lane_serial_drain + 263
    13  libdispatch.dylib                   0x00007fff202df0fe _dispatch_lane_invoke + 426
    14  libdispatch.dylib                   0x00007fff202e8c5d _dispatch_workloop_worker_thread + 819
    15  libsystem_pthread.dylib             0x00007fff20480499 _pthread_wqthread + 314
    16  libsystem_pthread.dylib             0x00007fff2047f467 start_wqthread + 15
)
```

The "hello" function called from the extension is logically in the interface of the local object (the app). Why should it be in the interface of the remote object (the extension)?

hello is a very simple function:

```objc
- (void)hello;
```

Any idea to make it work?

Thank you.
Chris
Posted by chrilarc.
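Added example (my code, not the poster's and not Apple's sample code) serving both the NSXPCListener setup in the first post on this page and the "hello" decoding error above: a bidirectional NSXPC pair in which each side declares the selectors it receives in exportedInterface and the selectors it sends in remoteObjectInterface, with the listener side also pinning the peer's code signature before any message is decoded. AppProtocol, ExtensionProtocol, AppListenerDelegate, pingWithReply: and kTeamID are assumptions, and so is the reading that a selector missing from the app side's exportedInterface produces the posted error; the page does not confirm it.

```objective-c
#import <Foundation/Foundation.h>

static NSString *const kServiceName = @"a.b.c.d.e.f";        // Mach service name used in the posts
static NSString *const kTeamID      = @"TEAMID_PLACEHOLDER";  // placeholder: your own Team ID

@protocol AppProtocol <NSObject>        // hypothetical: what the extension may call on the app
- (void)hello;
@end
@protocol ExtensionProtocol <NSObject>  // hypothetical: what the app may call on the extension
- (void)pingWithReply:(void (^)(BOOL ok))reply;
@end

// ---- App side: the NSXPCListener delegate ---------------------------------------
@interface AppListenerDelegate : NSObject <NSXPCListenerDelegate, AppProtocol>
@end
@implementation AppListenerDelegate
- (void)hello { NSLog(@"hello received from the extension"); }

- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)conn {
    // Accept only peers signed by our own team; the requirement is enforced before
    // any message from the peer is decoded (API available from macOS 13).
    if (@available(macOS 13.0, *)) {
        NSString *req = [NSString stringWithFormat:
            @"anchor apple generic and certificate leaf[subject.OU] = \"%@\"", kTeamID];
        [conn setCodeSigningRequirement:req];
    }
    // Selectors the app RECEIVES (such as -hello) must be in exportedInterface;
    // an incoming selector absent from it is dropped as "not in the interface".
    conn.exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(AppProtocol)];
    conn.exportedObject = self;
    // Selectors the app SENDS are declared in remoteObjectInterface.
    conn.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(ExtensionProtocol)];
    [conn resume];
    return YES;
}
@end

// ---- Extension side: the mirror image of the app's connection -------------------
static NSXPCConnection *ConnectToApp(id<ExtensionProtocol> exported) {
    NSXPCConnection *c = [[NSXPCConnection alloc] initWithMachServiceName:kServiceName options:0];
    c.remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(AppProtocol)];
    c.exportedInterface     = [NSXPCInterface interfaceWithProtocol:@protocol(ExtensionProtocol)];
    c.exportedObject        = exported;
    c.invalidationHandler   = ^{ NSLog(@"connection to the app was invalidated"); };
    [c resume];
    // Call into the app; a missing listener or rejected connection surfaces in the error handler.
    [[c remoteObjectProxyWithErrorHandler:^(NSError *e) { NSLog(@"XPC error: %@", e); }] hello];
    return c;
}
```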
Post marked as solved
7 Replies
1.4k Views
Hello,

I don't manage to establish a connection between my Endpoint Security system extension and my application. The following command always returns nil:

```objc
NSConnection *conn = [NSConnection connectionWithRegisteredName:serverName host:nil];
```

It works from a FinderSync extension, so I'm sure that the server part (my application) is working. I have "NSLogged" the "serverName", so I'm sure that it's correct.

Here are the entitlements of the app:

```
% codesign -d --entitlements :- /Applications/myApp.app
Executable=/Applications/myApp.app/Contents/MacOS/myApp
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http...PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>123ABCDEFG.a.b.c.d</string>
    </array>
</dict>
</plist>
```

The entitlements of my Extension:

```
% codesign -d --entitlements :- /Users/myuser/Library/Developer/Xcode/DerivedData/myApp-hjadpvvlcxmludafetdemwmwwglv/Build/Products/Debug/a.b.c.d.myAppLS.Extension.systemextension
Executable=/Users/myuser/Library/Developer/Xcode/DerivedData/myApp-hjadpvvlcxmludafetdemwmwwglv/Build/Products/Debug/a.b.c.d.myAppLS.Extension.systemextension/Contents/MacOS/a.b.c.d.myAppLS.Extension
```

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http...PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.application-identifier</key>
    <string>123ABCDEFG.a.b.c.d.myAppLS.Extension</string>
    <key>com.apple.developer.endpoint-security.client</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>123ABCDEFG</string>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>123ABCDEFG.a.b.c.d</string>
    </array>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>
```

So, both belong to the same app group.

I'm able to start the extension successfully:

```
% systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.endpoint_security
enabled  active  teamID      bundleID (version)                  name                [state]
*        123ABCDEFG  a.b.c.d.myAppLS.Extension (1.0/1)  myApp LS Extension  [activated enabled]
```

But the connection to the app is not working. What should I check?

Thank you.
Posted by chrilarc.