After adding the NSEndpointSecurityMachServiceName entitlement to my SYSEX's entitlements file and trying to install and load it on 10.15.6 and 11 beta 6, I get the following errors:
error 15:03:48.715632-0400 taskgated-helper <bundle id>: Unsatisfied entitlements: NSEndpointSecurityMachServiceName
error 15:03:48.715655-0400 taskgated-helper Disallowing: <bundle id>
default 15:03:48.716927-0400 amfid /Applications/<app name>/Contents/Library/SystemExtensions/<bundle id>.systemextension/Contents/MacOS/<bundle id> signature not valid: -67671
default 15:03:48.719367-0400 ReportCrash Parsing corpse data for process <bundle id> [pid 985]
default 15:03:48.717099-0400 kernel proc 985: load code signature error 4 for file "<bundle id>"
default 15:03:48.717768-0400 kernel Security policy would not allow process: 985, /Applications/<app name>/Contents/Library/SystemExtensions/<bundle id>.systemextension/Contents/MacOS/<bundle id>
The host app and SYSEX are both signed and notarized with a Developer ID certificate that contains the com.apple.developer.endpoint-security.client entitlement and the appropriate provisioning profile. The host app and SYSEX both have the hardened runtime enabled, but with Code Signing Inject Base Entitlements off for release builds.
Thoughts?
Thanks in advance!
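The log lines in this post are the usual signature of an entitlement the provisioning profile does not grant: taskgated-helper names the key, amfid then rejects the signature and the kernel refuses to start the process. The script below is an added triage helper, not code from the poster or from Apple. It parses log lines of that shape, then compares the entitlements baked into a signature (the output of `codesign -d --entitlements :- <binary>`) with the Entitlements dictionary of the decoded provisioning profile (`security cms -D -i <profile>`), and flags NSEndpointSecurityMachServiceName separately because it is an Info.plist key rather than an entitlement (the later post on this page also refers to it in the extension's Info.plist). The log lines, the entitlements plist and the profile dictionary are constructed samples with `com.example.sysex` and `TEAMID` as placeholders; the "profile-managed" rule (com.apple.developer.* plus the application identifier) is a heuristic, not Apple's definition of restricted entitlements.

```python
import plistlib
import re

# Constructed sample: the post's three log lines with <bundle id> and
# <app name> replaced by com.example.sysex / Example.app.
SAMPLE_LOG = """\
error 15:03:48.715632-0400 taskgated-helper com.example.sysex: Unsatisfied entitlements: NSEndpointSecurityMachServiceName
error 15:03:48.715655-0400 taskgated-helper Disallowing: com.example.sysex
default 15:03:48.716927-0400 amfid /Applications/Example.app/Contents/Library/SystemExtensions/com.example.sysex.systemextension/Contents/MacOS/com.example.sysex signature not valid: -67671
""".splitlines()

# Constructed sample of what `codesign -d --entitlements :- <binary>` prints
# for an extension whose .entitlements file wrongly carries the Info.plist key.
SIGNED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.application-identifier</key><string>TEAMID.com.example.sysex</string>
  <key>com.apple.developer.endpoint-security.client</key><true/>
  <key>NSEndpointSecurityMachServiceName</key><string>TEAMID.com.example.sysex.xpc</string>
</dict></plist>"""

# Constructed sample of the Entitlements dict inside the decoded provisioning
# profile (`security cms -D -i profile.provisionprofile`).
PROFILE_ENTITLEMENTS = {
    "com.apple.application-identifier": "TEAMID.com.example.sysex",
    "com.apple.developer.endpoint-security.client": True,
}

# Info.plist keys that are not entitlements; signing them into the binary makes
# taskgated report them as unsatisfied because no profile can grant them.
INFO_PLIST_ONLY_KEYS = {"NSEndpointSecurityMachServiceName"}

TASKGATED_RE = re.compile(
    r"taskgated-helper\s+(?P<bundle>\S+):\s+Unsatisfied entitlements:\s+(?P<ents>.+)$")
AMFID_RE = re.compile(r"amfid\s+(?P<path>\S+)\s+signature not valid:\s+(?P<code>-?\d+)")


def parse_log(lines):
    """Extract unsatisfied entitlement names per bundle and amfid result codes
    from unified-log lines shaped like the ones in the post."""
    unsatisfied, sig_errors = {}, []
    for line in lines:
        m = TASKGATED_RE.search(line)
        if m:
            names = [n for n in re.split(r"[,\s]+", m.group("ents")) if n]
            unsatisfied.setdefault(m.group("bundle"), []).extend(names)
            continue
        m = AMFID_RE.search(line)
        if m:
            sig_errors.append((m.group("path"), int(m.group("code"))))
    return {"unsatisfied": unsatisfied, "signature_errors": sig_errors}


def is_profile_managed(key):
    """Heuristic (assumption): com.apple.developer.* keys and the application
    identifier must be granted by the profile; com.apple.security.* keys
    (sandbox, hardened runtime) need no profile entry."""
    return key.startswith("com.apple.developer.") or key == "com.apple.application-identifier"


def check_entitlements(signed_plist, profile_entitlements):
    """Compare the signed entitlements with what the profile grants."""
    signed = plistlib.loads(signed_plist)
    findings = {"misplaced": [], "unsatisfied": [], "ok": []}
    for key, value in signed.items():
        if key in INFO_PLIST_ONLY_KEYS:
            findings["misplaced"].append(key)
        elif is_profile_managed(key) and profile_entitlements.get(key) != value:
            findings["unsatisfied"].append(key)
        else:
            findings["ok"].append(key)
    return findings


def triage(log_lines, signed_plist, profile_entitlements):
    """Explain each name taskgated rejected using the signature/profile check."""
    log = parse_log(log_lines)
    ents = check_entitlements(signed_plist, profile_entitlements)
    report = []
    for bundle, names in log["unsatisfied"].items():
        for name in names:
            if name in ents["misplaced"]:
                report.append(f"{bundle}: {name} is an Info.plist key; remove it from the entitlements file")
            elif name in ents["unsatisfied"]:
                report.append(f"{bundle}: {name} is signed in but not granted by the profile")
            else:
                report.append(f"{bundle}: {name} not present in the signed entitlements; check which binary was signed")
    for path, code in log["signature_errors"]:
        report.append(f"amfid rejected {path} with {code}; decode with `security error {code}`")
    return report


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG, SIGNED_ENTITLEMENTS, PROFILE_ENTITLEMENTS):
        print(line)
```

Run it against the real artifacts by feeding `log show --predicate 'process == "taskgated-helper" OR process == "amfid"'` output to `parse_log` and the two plists to `check_entitlements`. The value comparison matters: a key that is present in both but with a different value (for example a mismatched application identifier) is still unsatisfied from taskgated's point of view.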
Is it possible to access the choices global variable in an installation-check script when the package doesn't have choices that the end-user can interact with?
I'm referring to this:
https://developer.apple.com/documentation/installer_js/choice
It seems to imply that you can access the choices global variable, but any attempt to do so fails. For example, take the following:
<?xml version="1.0" encoding="utf-8"?>
<installer-gui-script minSpecVersion="2">
		<title>My Meta Package</title>
		<pkg-ref id="com.md4.myapp"/>
		<options customize="never" require-scripts="false" rootVolumeOnly="true" />
		<choices-outline>
				<line choice="default">
						<line choice="myapp"/>
				</line>
		</choices-outline>
		<choice id="default"/>
		<choice id="myapp" visible="false" title="this is a test" description="testing one" start_selected="true">
				<pkg-ref id="com.md4.myapp"/>
		</choice>
		<pkg-ref id="com.md4.myapp" version="1" onConclusion="none">mypackage.pkg</pkg-ref>
		<installation-check script="version_check()" />
		<script>
<![CDATA[
function version_check()
{
		title = choices.['myapp'].title;
		system.log("Performing custom installation check against version " + system.version.ProductVersion);
		system.log("Title " + title);
		return true;
}
]]>
		</script>
</installer-gui-script>
This results in the following:
Sep 8 15:32:56 THY-01-0236-LT Installer[85217]: IFJS: *** exception: SyntaxError: Unexpected token '['. Expected a property name after '.'.
Is it possible to access the choices global variable in this manner? If so, what is the correct way/syntax to do it?
Thanks in advance!
I've read the following and tried to implement the fix in the following by adding the entitlement to the ES system extension, but I'm still having trouble getting multiple secondary apps to communicate with the ES system extension via XPC. Communication between the host app and system extension works just fine.
https://developer.apple.com/forums/thread/129551
Does this need to be added to all apps that need access? That seems like overkill.
I've also seen reference to several forum posts regarding the use of NSEndpointSecurityMachServiceName in the ES system extension's Info.plist file. I have yet to use this as I'm relying on the whole <teamid>.com.<org>.<productname>.xpc dance for now. Could this be related to the problem?
There are other forum posts that reference the app group in the provisioning profile. Does anyone have any insight there? Or is that something specific to NE?
Specifically, I have an authorization plugin and a preference pane that I would like to have communicate directly with the ES system extension so that I don't have to introduce another layer of XPC complexity such that it all has to be marshaled through the host app.
This is all signed with a Developer ID, so I'm not worried about distribution on the AppStore.
Thanks in advance.
I'm trying to use an SFAuthorizationView within a Preference Pane to present a user experience similar to system preference panes (e.g. Date & Time, Users & Groups, etc.) such that there is a lock icon. When the lock icon is clicked, I'd like it to behave just like the system preference panes.
There are two issues that I've found:
1. When the lock is clicked, the dialog prompting the user for credentials is not presented as a sheet. Instead, it is a modal dialog window. Is there some way to present the view as a panel/sheet similar to some of SFAuthorizationView's cousins? Clearly there is a way to do this since the system preferences do this.
2. On Mojave and earlier, the environment prompt text in the dialog is: "System Preferences wants to make changes." On Catalina, the environment prompt text in the dialog is "legacyLoader wants to make changes." This difference in behavior between macOS versions is a problem. Clearly, the environment prompt text is being derived from the process that runs the preference pane. Is there some way to modify the environment prompt text? If I were able to create the authorization with AuthorizationCreate() passing an AuthorizationEnvironment, I could change the environment prompt according to my needs. However, this doesn't appear to be possible with the limited methods available to SFAuthorizationView. The only thing remotely related is setAuthorizationRights: and when you add additional AuthorizationItems to the AuthorizationRights, they're apparently ignored.
Is there a solution to these short of having to write my own implementation?
Thanks.
Is anyone aware of sample code for System Extensions and Endpoint Security? For example, in the SOTU presentation it was mentioned that System Extensions along with Endpoint Security cover 75% of use cases. What use cases are the new APIs designed to cover? How can Endpoint Security be leveraged to replace the kauth API? How do these extensions fit within the context of their host app? Is there an Xcode project template to create them?
When will the developer documentation be updated to provide more detail?
Thanks!