Hi,
When the postinstall script tries to run another binary inside the ./scripts folder that I package with pkgbuild, that binary gets killed by taskgated.
└── Contents
    ├── Helpers
    ├── Info.plist
    ├── MacOS
    │   ├── UI
    │   └── Worker
    ├── PkgInfo
    ├── Resources
    │   ├── com.ui.plist
    │   ├── com.worker.plist
    │   └── icon.icns
    ├── _CodeSignature
    │   └── CodeResources
    └── embedded.provisionprofile
scripts:
├── token_installer
└── postinstall
How I am signing:
codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force out/myapp.app/Contents/MacOS/UI
codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force out/myapp.app/Contents/MacOS/Worker
codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force ./scripts/token_installer
codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force ./scripts/postinstall
codesign --entitlements entitlements.plist --timestamp --options=runtime --sign "$DEVELOPER_ID" --force out/myapp.app
echo "pkgbuilding..."
pkgbuild --root ./out/myapp.app --sign "$DEVELOPER_ID" --identifier com.myapp.app --version 1.0 --install-location /Applications/myapp.app --scripts ./scripts ./out/myapp.pkg
echo "productbuilding..."
# productbuild --distribution ./Distribution.xml --package-path ./out/myapp.pkg --resources . ./out/MyAppInstaller.pkg
productbuild --product requirements.plist --distribution ./Distribution.xml --package-path ./out/myapp.pkg --resources . ./out/MyAppInstaller.pkg
productsign --sign "Developer ID Installer: My Company Inc (***)" --force ./out/MyAppInstaller.pkg ./out/MyAppInstallerSigned.pkg
Sidenote: all binaries that are not the main executable (UI) get killed by taskgated, but I figured I would wrap the Worker in its own app inside Helpers. I just do not see the point in doing that for the token_installer, since it should only ever be called once, during postinstall.
Is there a way to make it run without having to include it in the app bundle itself?
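A pre-flight check I would run before the pkgbuild step above, as an added example that is not part of the original post: it inspects the `codesign -dvv` output of each shipped binary, including the helpers under ./scripts, for a Developer ID Application authority, the hardened-runtime flag, and a secure timestamp, so a helper signed without `--options=runtime` or `--timestamp` is caught before taskgated does. The sample outputs below are constructed, and all paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): check the signatures of every
# binary the installer ships before running pkgbuild. Paths are placeholders.

# check_codesign_output TEXT: TEXT is what `codesign -dvv <path>` printed.
# Prints one line per problem; returns 0 only when every check passes.
check_codesign_output() {
    text="$1"
    rc=0
    if printf '%s\n' "$text" | grep -q '^Signature=adhoc'; then
        echo "ad-hoc signature (no certificate)"; rc=1
    fi
    if ! printf '%s\n' "$text" | grep -q '^Authority=Developer ID Application:'; then
        echo "not signed by a Developer ID Application certificate"; rc=1
    fi
    # Flags look like flags=0x10000(runtime) or flags=0x12000(library-validation,runtime).
    if ! printf '%s\n' "$text" | grep -Eq 'flags=0x[0-9a-f]+\([^)]*runtime'; then
        echo "hardened runtime (--options=runtime) not enabled"; rc=1
    fi
    if ! printf '%s\n' "$text" | grep -q '^Timestamp='; then
        echo "no secure timestamp (--timestamp)"; rc=1
    fi
    return $rc
}

# check_path PATH: run codesign on a real file (macOS only) and check the result.
check_path() {
    out=$(codesign -dvv "$1" 2>&1) || { echo "$1: codesign failed: $out"; return 1; }
    echo "== $1"
    check_codesign_output "$out"
}

# check_all PATH...: check every path, return 1 if any of them failed.
check_all() {
    status=0
    for p in "$@"; do check_path "$p" || status=1; done
    return $status
}

# Constructed sample: a correctly signed helper (identity and team are placeholders).
SAMPLE_GOOD='Executable=/tmp/scripts/token_installer
CodeDirectory v=20500 size=572 flags=0x10000(runtime) hashes=7+7 location=embedded
Authority=Developer ID Application: My Company Inc (TEAMID)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Jan 1, 2024 at 12:00:00 PM
TeamIdentifier=TEAMID'

# Constructed sample: the same helper with only an ad-hoc signature.
SAMPLE_ADHOC='Executable=/tmp/scripts/token_installer
CodeDirectory v=20400 size=452 flags=0x2(adhoc) hashes=7+7 location=embedded
Signature=adhoc
TeamIdentifier=not set'

# Usage: sh check_signing.sh out/myapp.app/Contents/MacOS/UI scripts/token_installer
[ $# -eq 0 ] || check_all "$@"
```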
Hello,
I am having trouble changing the ACL for a private key item my app is saving to the system keychain. I want to restrict access to the key so that only my app can use the private key, and not all applications. Applications that try to access it should be prompted for an administrator password.
When I save the item as a private key, I get:
What I want:
Note: I put a random binary here, but obviously this should be my app.
I am using the Rust bindings to the Security framework, but an answer in Swift would suffice. I am really stuck, so any help would be greatly appreciated.
// Imports assumed for the security-framework and anyhow crates used below.
use anyhow::anyhow;
use security_framework::item::{self, AddRef, ItemAddOptions, ItemAddValue, Location};
use security_framework::key::{GenerateKeyOptions, KeyType, SecKey, Token};

// Generate a software (non-Secure Enclave) EC key pair.
let key_options = GenerateKeyOptions::default()
    .set_key_type(KeyType::ec())
    .set_token(Token::Software)
    .to_dictionary();
let key = SecKey::generate(key_options)
    .map_err(|e| anyhow!("Could not generate a private key: {}", e))?;

// `mac::system_keychain()` is the poster's own helper that opens the system keychain.
let sys_keychain = mac::system_keychain()?;

// Store the private key by reference in the system keychain. SERVICE, label and
// ACCESS_GROUP are defined elsewhere in the poster's code.
let value = ItemAddValue::Ref(AddRef::Key(key.clone()));
let options = ItemAddOptions::new(value)
    .set_label(format!("{}.{}", SERVICE, label))
    .set_location(Location::FileKeychain(sys_keychain))
    .set_access_group(ACCESS_GROUP)
    .to_dictionary();
item::add_item(options)
    .map_err(|e| anyhow!("Failed to add key item to keychain: {}", e))?;