Hello, I have an application which uses a helper[1] to download[2] files. When files download is a DMG and user mounts the image to run the application from this DMG it doesn't pass Gatekeeper. It presents the "Application XYZ.app can't be opened.". Same file downloaded via Safari shows a different dialog, the "XYZ.app is an app downloaded from the internet. Are you sure you want to open it?" In the system log I see this line: exec of /Volumes/SampleApp/SampleApp.app/Contents/MacOS/SampleApp denied since it was quarantined by Download\x20Helper and created without user consent, qtn-flags was 0x00000187 The application is running sandboxed and hardened, the main application has com.apple.security.files.downloads.read-write entitlement. Everything is signed by DeveloperID and passes all checks[3]. I tried to check the responsible process[4] of the helper. Then trivial stuff like download folder access in System Settings/Privacy & Security/Files & Folders. Everything seems to be fine. For what it worths the value of quarantine attribute is following: com.apple.quarantine: 0087;6723b80e;My App; The Safari downloaded one posses: com.apple.quarantine: 0083;6723b9fa;Safari;02162070-2561-42BE-B30B-19A0E94FE7CA Also tried a few more ways and got to 0081 with Edge and 0082 with a sample app with similar setup. Not sure if that has any meaning. What could I be doing wrong that Gatekeeper right away refuses to run the application from DMG instead of showing the dialog like in other cases? [1] The executable is in application bundle located in Contents/Helpers/DownloadHelper.app in the main application bundle. [2] Nothing fancy, curl + regular POSIX file operations [3] codesign, syspolicy_check, spctl [4] launchctl procinfo pid

Hello, I run into an issue on Monterey (12.7.5). I have a bundled XPC service in my application which is displaying some stuff and playin sounds via NSSound. I had a problem with playback due to service priority, so I use the trick with a reply block where I send a reply block to the service and basically just retain it and never call it. This worked fine so far, but we have users, predominantly on Monterey, who are having a problem with sound playback. It's choppy and distorted when their machine is under load (where "load" often just means playing a video on YouTube in Chrome). Is there anything else I can do to get the proper priority for my xpc service so I can avoid distorted sound? Additionally the service type is Application and RunLoopType is NSRunLoop with JoinExistingSession set to true. The QoS level of main queue is 0x21 (user interactive) and I'm calling all the NSSound APIs on main queue.

Hello, I'm facing a weird issue when application bundle is corrupted during installation. The corruption always look the same - a certain sequence of bytes is erased (zeroed) in the file at multiple places, which obviously breaks the bundle signature. It's a pkg built with productbuild, containing three component packages, up until recently no issue occurred. Everything is correctly signed and notarized and I don't do anything special in preinstall or postinstall scripts but I run gktool scan which reports "Scan completed, but failed because the software has been altered" which makes me believe that bundle is corrupted during installation or decompression. I'm using --compression latest for the bundle's component package. I don't have a reliable repro but I see it happen a lot to our customers. I was suspecting a deployment tool or "security software" but I've seen the issue for manually installed packages too. It seems it happens only on Sonoma, but that may be related to fact most users are on latest macOS. Is there any known issue with installer which could lead to bundle being corrupted this way? Did anyone faced anything similar?

Hello, I use setCodeSigningRequirement: in sandboxed XPCService and it seems that no matter what I always get errSecCSNoSuchCode[1] when the app is signed with development certificate. The same application signed with DeveloperID is fine. I use following CSR for development signed builds. identifier com.example.app and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.1] exists and certificate leaf[field.1.2.840.113635.100.6.1.12] exists But also tried to simplify to identifier com.example.app or just true. If I validated the CSR with codesign -R I get "explicit requirement satisfied". I spotted this log line: Sandbox: com.example.app(67058) deny(1) file-read-data /Users/(...)/example-app/build/arm64-mac/src/mac/app/Debug/Example App.app/Contents/MacOS/ExampleApp So I disabled the sandbox for XPCService and now everything works. But then why the DeveloperID signed build works with XPCService sandboxed? ...or does it really? :) Just for completeness the CSR which I use in production build are: identifier com.example.app and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = EXAMPLE

Hello, The man page for xpcservices.plist states that: Services embedded in an application bundle will only be visible to the containing application (...) What exactly "visible" means? Doest that mean that there is a mechanism to prevent other programs than the embedding application to access the XPCService's mach port or it just means that the XPCService is not listed (e.g. launchctl list) and if attacker can guess the mach port they can access it? I'm asking to understand if there is a security gain using the -[NSXPCConnection setCodeSigningRequirement:] for embedded XPCServices.

Hello, I have an application which is running sandboxed and it also launches a child processes via posix_spawn. I already learned that child processes are running in the same sandbox as the launching application. What I wonder is if there is a way to launch the child with different sandbox profile from the parent application while maintaining the parent-child relationship? My use case is that helper applications doesn't need access to bunch of stuff the parent needs and we want to limit blast radius in case of security problem. I know that's what XPCServices are for, but we have a multi-platform code which is relying on POSIX process model quite heavily. Thank you

Hello, I have a Cocoa application from which I fork a new process (helper sort of) and it crashes on fork due to some cleanup code probably registered with pthreads_atfork() in Network framework. This is crash from the child process: Application Specific Information: *** multi-threaded process forked *** BUG IN CLIENT OF LIBPLATFORM: os_unfair_lock is corrupt Abort Cause 258 crashed on child side of fork pre-exec Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 libsystem_platform.dylib 0x194551238 _os_unfair_lock_corruption_abort + 88 1 libsystem_platform.dylib 0x19454c788 _os_unfair_lock_lock_slow + 332 2 Network 0x19b1b4af0 nw_path_shared_necp_fd + 124 3 Network 0x19b1b4698 -[NWConcrete_nw_path_evaluator dealloc] + 72 4 Network 0x19af9d970 __nw_dictionary_dispose_block_invoke + 32 5 libxpc.dylib 0x194260210 _xpc_dictionary_apply_apply + 68 6 libxpc.dylib 0x19425c9a0 _xpc_dictionary_apply_node_f + 156 7 libxpc.dylib 0x1942600e8 xpc_dictionary_apply + 136 8 Network 0x19acd5210 -[OS_nw_dictionary dealloc] + 112 9 Network 0x19b1beb08 nw_path_release_globals + 120 10 Network 0x19b3d4fa0 nw_settings_child_has_forked() + 312 11 libsystem_pthread.dylib 0x100c8f7c8 _pthread_atfork_child_handlers + 76 12 libsystem_c.dylib 0x1943d9944 fork + 112 (...) I'm trying to create a child process with boost::process::child which does basically just a fork() followed by execv() and I do it before the - [NSApplication run] is called. Is it know bug or behavior which I've run into? Also what is a correct way to spawn child processes in Cocoa applications? As far as my understanding goes the basically all the available APIs (e.g. posix, NSTask) should be more or less the same thing calling the same syscalls. So forking the process early before main run loop starts and not starting another NSApplication in forked child should be ok ...or not?

Hello, I have sandboxed mac app which is launching a helper app. The main app has sandbox enabled and has get-task-allow entitlement. From main app I launch[1] a helper which is an application bundle located in Contents/Helpers of the main bundle. The helper has sandbox enabled and com.apple.security.inherit entitlement. Currently I have a problem attaching debugger to helper process or getting access to location services from it (but that's probably different issue). I checked the responsible process and it seems to set up to correct PID of the main application. The Xcode is reporting "Not allowed to attach to process" error and I see the same in the log: macOSTaskPolicy: (com.apple.debugserver) may not get the task control port of (com.****) (pid: 31628): (com.****) is hardened, (com.****) doesn't have get-task-allow, (com.apple.debugserver) is a declared debugger(com.apple.debugserver) is not a declared read-only debugger To add a more of the context what I'm trying to achieve is that we run certain parts of our app in separate child processes so we can restart then if anything goes wrong [2]. So I have few questions: Do I need to launch the helper (child) process a particular way to be able to attach debugger to it? Is there a tool to inspect sandboxes (rules applied and the inheritance)? Do I really need to explicitly enable sandboxing and inheritance on the helper app, doesn't it run in the parent' s sandbox anyway? Thank you. [1] We use boost::child_process for launching the helper, which is using popen behind the scene, but I have the same experience with NSTask. [2] I know that's what XPCServices are for but don't ask :-)

Hello, we have a bunch of macs which we use for running automated UI test and we need to allow services kTCCServiceScreenCapture and kTCCServiceAccessibility to our application bundles (it's a kind of a screen sharing application). We tried to do a direct change in: User's ~/Library/Application Support/com.apple.TCC/TCC.db but it doesn't take effect as it looks like these permissions need to be granted in system TCC database The system database at /Library/Application Support/com.apple.TCC/TCC.db is write-only due to rootless. Is there any other way than completely disable SIP to grant these TCC permissions to our bundles? Also we would be just fine to grant permissions manually when we're setting up the machine, but it seems these get reset from time to time. And that's my other question: How the TCC validation works? We're testing ad-hoc signed bundles as well as DeveloperID signed ones with the same Application ID and it seems that TCC gets confused over time and simply treats the permissions as not granted. Would modifying csreq in TCC.db record to contain only requirement identifier=my.bundle.app.id prevent this behavior or there is some other heuristics TCC uses for permission validation? Thank you, o/

I'm specifically talking about NSKeyValueBindingCreation. What I have to do to expose my custom properties in the Interface editor's binding inspector? I have a simple XIB with a custom view which is subclass of NSView with optionDescriptionsForBinding: and all other methods overrides described in NSKeyValueBindingCreation. Still it doesn't work for some reason. Is there any working example of custom NSView with exposed bindings?

Hello folks, Documentation for UNNotificationContentExtension says that it's supported on macOS 11.0+. Does that mean that notification content extension is supported for good ol' cocoa apps (i.e. not Mac Catalyst) on Big Sur and up? I'm asking because I created the extension, bundled it with my cocoa app and it doesn't seem to work at all and I'm not sure if I should keep digging or it's simply not supported. Also is there any recommended way how to troubleshoot issues with app extensions? I.e. looking for a logs of some service or some command line tool, anything? Thank you! o/

Hello, this question was asked in various forms a lot on this forum but I'm probably still missing the point, so I would like to ask if anyone can help me to clarify that :) I have two apps which need to communicate, both are sandboxed, hardened and in the same app group. In my particular setup it's Main.app and Helper.app, where Helper.app is embedded inside the Main.app (but I don't think that's that particularly important, just saying that in case it could be helpful). I was able to use CFMessagePort to make the communication possible by using port name prefixed with the app group id (like described here) - https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AppSandboxInDepth/AppSandboxInDepth.html#//apple_ref/doc/uid/TP40011183-CH3-SW24 that does exactly what I need expect it's not secure, namely I can't verify sender and all communication is basically public (any client knowing the name of the port can send messages there). I understand that CFMessagePort is kinda ancient leftover waiting to be deprecated and from reading its open sourced code from 2015 I understand that this requirements can't be met because (in)security is built in the code :( I turned my hopes towards XPC and was able to start the NSXPCListener with mach service in the Main.app and connect to the mach service with NSXPCConnection from the Helper.app. Unfortunately that works only from Xcode and I guess it has something to do with the debugserver being parent of the both apps not the launchd. Also for what it's worth, I was not able to verify the sender with SecCodeCopyGuestWithAttributes anyway as I got kPOSIXErrorEPERM (I tried the workaround with entitlement to access /private/var/db/mds). As I understood from other posts in this forum, this usage pattern is not supported and I have to have meditator in between the apps (the broker), which will allow both apps to exchange NSXPCListenerEndpoint and establish direct communication. Unfortunately again, the XPC service launched as private to the app can't be used for this because the other app can't connect to it, so I have to create .plist for launchd and load the service manually. . ...That's where I got stuck because I don't know how I would get this into App Store. As far as I know the LaunchAgents and Daemons are prohibited and only allowed are LoginItems, which don't seem suited for this to me. Also compared to CFMessagePort this solution with broker is total overkill to problem in the hand, technically I just need to send few "events" between the apps in acceptable time. So to sum up my "question": Is this XPC wrangling my only option? I was considering using raw mach messaging, which documentation is discouraging from on every step it seems or unix domain socket, which is kinda possessing the same security problems as CFMessagePort. Sorry for long post and thank you for reading it :)