Post

Replies

Boosts

Views

Activity

Unix Domain Socket, Network Framework and App Sandboxing
Dear Apple Developers, I am working on a macOS project where the container app acts as a server and communicates with a command-line program developed by my colleagues via a Unix domain socket. The macOS part was written using the new Network Framework. Here is a snippet of the code: let params = NWParameters() let socketFile = URL(fileURLWithPath: socketPath) params.defaultProtocolStack.transportProtocol = NWProtocolTCP.Options() params.requiredLocalEndpoint = NWEndpoint.unix(path: socketFile.path) params.allowLocalEndpointReuse = true self.listener = try! NWListener(using: params) listener?.newConnectionHandler = ... listener?.start() When my colleague's program needs to send data, it connects to the socket created by the macOS app, and the data is received perfectly—unless the macOS app is sandboxed. I have added outgoing and incoming connections entitlements to the macOS app. I tested my colleague's program both embedded in the macOS app and separately, ensuring to add the com.apple.security.inherit entitlement as well. However, it still doesn't work when the macOS app is sandboxed. The socket file's permission is srwxr-xr-x@ and is located in the containers folder when sandboxed, and srwxr-xr-x and HOME/Library/Application Support/MyApp when not sandboxed. What could be going wrong? Does the Network Framework support this use case, or do I need to revert to using AF_UNIX? Thank you for your assistance. Best regards. ps. My colleagues' program was written in go, using a standard function conn, err := net.Dial("unix", "socket_path_in_container"). It outputs invalid argument error when the macOS App is sandboxed.
2
0
662
Jun ’24
Network Extension Signed by Developer ID Not Activating
Hello, I am working on a macOS VPN app using Network Extension's packet tunnel capability. When the container app (referred to as "App" below) and the network extension plugin (referred to as "NE" below) are signed with my development certificate, everything works perfectly. However, when they are signed with a Developer ID certificate, the network extension refuses to activate. Here are the details: The App has sandbox set to off, but the NE has sandbox set to on. I managed to archive and notarize both Developer ID signed App and NE. The Debug version and Release version don't use the same App ID or App Group ID to make sure there is no interference. I am aware that the NE entitlement value changes if signed by Developer ID. I followed the instructions and used packet-tunnel-provider-systemextension instead of packet-tunnel-provider. I tested adding System Extension capability into the App, but it made no difference. The activate tunnel function returns NEVPNError.Code.configurationInvalid, but I don't think the configuration is invalid. The same configuration works with a development profile. In the system console, I observed the following log messages: Looking for an extension with identifier {NE_BUNDLE_ID} and extension point com.apple.networkextension.packet-tunnel Found 1 extension(s) with identifier {NE_BUNDLE_ID} and extension point com.apple.networkextension.packet-tunnel Beginning extension request with extension {NE_BUNDLE_ID} Assertion 395-24105-185921 (target:[xpcservice<{NE_BUNDLE_ID}([osservice<com.apple.neagent(512863558)>:24105:24105])(512863558)>:42188]) will be created as active [0x12be187f0] activating connection: mach=false listener=false peer=false name={NE_BUNDLE_ID}.apple-extension-service Entitlement com.apple.application-identifier={APP_GROUP_ID} is ignored because of invalid application signature or incorrect provisioning profile Entitlement com.apple.security.application-groups=( {APP_GROUP_ID} ) is ignored because of invalid application signature or incorrect provisioning profile {APP NAME}[42130]/1#5 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither com.apple.application-identifier nor com.apple.security.application-groups nor keychain-access-groups entitlements" UserInfo={numberOfErrorsDeep=0, NSDescription=Client has neither com.apple.application-identifier nor com.apple.security.application-groups nor keychain-access-groups entitlements} Any guidance or suggestions would be greatly appreciated. Thank you!
5
0
597
Jun ’24
[SwiftUI & iOS 15] Changing the blur radius makes the navigation bar overlap with the status bar
Hello Apple, I have an SwiftUI app and I am currently experiencing a layout issue in iOS 15, if the app is built by Xcode 13. SwiftUI View has a build-in blur modifier. My app has a lock/unlock feature, I use .blur(radius: ) to hide and unhide the home page. It has been working very well since the introduction of SwiftUI (iOS 13). However, with the app built with the new Xcode 13 for iOS 15. Changing the blur radius value can make the navigation bar overlap with the status bar (please see the screenshot). I did the following demo app to show the issue. import SwiftUI struct Item { let id: Int let name: String } class ItemManager { static func generate() -> [Item] { return [Item(id: 1, name: "Hello"), Item(id: 2, name: "World")] } } struct ContentView: View { @State private var isLocked = true var body: some View { ZStack { // Main Content NavigationView { ScrollView { ForEach(ItemManager.generate(), id: \.id) { item in NavigationLink(destination: Text(item.name)) { VStack(alignment: .leading) { HStack { Text(String(item.id)) Text(item.name) } .padding() Divider() } } } } .toolbar { ToolbarItem(placement: .navigationBarTrailing) { Button(action: { // Nothing }) { Image(systemName: "plus.circle") .imageScale(.large) .foregroundColor(.red) } } } .navigationTitle("Items") } .blur(radius: isLocked ? 20 : 0) // Without blur, there is no overlapping issue. if isLocked { Button(action: { isLocked.toggle() }) { Text("Unlock") } } } } } If .blur is removed or the radius value is 0 to 0, there is no overlapping issue. Does anyone know a workaround? Thanks in advance. Best, Neil
0
0
375
Sep ’21
RAID1 disk became uninitialized on macOS after using with iPadOS
Dear Apple, I am currently experiencing a major problem. I have 5TB data in my RAID1 external drive (2 disks setup with APFS). I plugged this RAID1 into my iPad Pro using USB-C. The drive was successfully detected by iPadOS (14) and it works. However, after that, my macOS (Catalina) can no longer detect my drive. Both disks became uninitialized and could not be mounted. The data isn't lost, but only iOS can read my drive. I assume that iOS maybe changed some metadata or flags of my drive. Would it be possible to manipulate and restore the original metadata and make it recognizable again by macOS? Without data loss of course. Thanks in advance for any help you're able to provide. Best, Neil ps: I currently using a USB-C dock to transfer all my data to another no-raid hard drive, which works on both macOS and iPadOS. This method is not optimal, because first it may take 2-3 days for 5TB of data, and finally iPadOS's Files App is not that reliable, sometimes it crashes and iPad reboots by itself, which may lead to data corruption.
0
0
470
Oct ’20
[Guideline Question] Demo Account with MFA
Dear Apple, Our user login system is protected by a mandatory multi-factor authentication mechanism. Ideally, users will have to install our companion authenticator app in order to complete the login process in our main app. My question is, Will Apple reject an app that can only be used together with a separate companion app? If yes, we are going to implement an alternative, for instance, a digital security code card that we provide to you together with a demo account. Thanks in advance for any help you are able to provide. Best, Cedric
0
0
400
Sep ’20
Does URLSession check the whole certificate chain?
Hello,URLSession does not estabilish the connection, if the certificate(s) of the endpoint is(are) invalid (for example, revoked). My question is ...Does URLSession check the whole certificate chain or just the leaf certificate?Illustration: ----Certificate Leaf (Valid)Certificate Intermediate (Valid)Certificate Root (Valid)Connection established--------Certificate Leaf (Revoked or Expired))Certificate Intermediate (Valid)Certificate Root (Valid)Connection refused--------Certificate Leaf (Valid)Certificate Intermediate (Revoked or Expired)Certificate Root (Valid)Will the connection be refused?----It might be a strange question, becuase it is obvious that the connection will be refused.However, my team wants to prove or see this behavior. If not, they are not conviced. This is the most difficult part.We don't know how to deploy (or where to find) a website with the intermediate certificate revoked or expired, hence we can't see it.We don't know either where to find a documentation or code, hence we can't prove it.Thanks in advance.Best,Neil
4
0
604
Apr ’20
Question about Data Protection class keys
In the official platform security guide, there is the following paragraph about the data protection class "Complete Protection".(NSFileProtectionComplete): The class key is protected with a key derived from the user passcode and the device UID. Shortly after the user locks a device (10 seconds, if the Require Password setting is Immediately), the decrypted class key is discarded, rendering all data in this class inaccessible until the user enters the passcode again or unlocks the device using Touch ID or Face ID.My question is, by "discarded", you mean this decrypted class key is wiped from the memory, or the key iteself is erased and the system generates a new key?Thanks in advance.
2
0
513
Dec ’19