Post · Replies · Boosts · Views · Activity

entitlement for user home dir -- specific folder rw, macOS
Been scouring on this. Having sandboxed with --options runtime --timestamp --entitlements and the following in the entitlements.xml while code signing:

    <key>com.apple.security.app-sandbox</key>
    <true/>

the app needs access to the user home dir to add logs and permanently stored keys for the MacBook/user. Having added this also:

    <key>com.apple.security.temporary-exception.files.home-relative-path.read-write</key>
    <array>
        <string>/.myorg/</string>
    </array>

Still unable to add log files or create the .myorg directory in the user's home dir, but the rest of the app works. The very first install and activation triggers some permanent keys being created and stored in that dir. The unsigned app works, but the signed one with entitlements does not. No directory is created. Any other entitlements I am missing? Appreciate some pointers here. Thanks in advance.
5 replies · 0 boosts · 2.4k views · Nov ’20
How to test and debug gatekeeper spctl check? codesign passed
I need step by step instructions to debug why the spctl command rejects -- I am on 10.15.7. Appreciate it if anyone can shed some light on this with a pointer/documentation? Forcing me to do something in Xcode is not what I am looking for, please. I am sure with Catalina new rules have formed around the Gatekeeper spctl command to assess the security posture of the apps installed or developed. Now coming to our app, it gets rejected by spctl -- unknown, but codesign passes the app. Need a systematic troubleshooting guide or instruction set. Thanks in advance.

    sh-3.2 spctl -a -t exec --ignore-cache -vv /Applications/MyApp.app
    ====
    /Applications/MyApp.app: rejected
    origin=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)
    =====
    sh-3.2 codesign -dvv --strict /Applications/MyApp.app
    =====
    Executable=/Applications/MyApp.app/Contents/MacOS/MyApp
    Identifier=com.MyApp.SubID
    Format=app bundle with Mach-O thin (x86_64)
    CodeDirectory v=20500 size=1285 flags=0x10000(runtime) hashes=31+5 location=embedded
    Signature size=9134
    Authority=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)
    Authority=Apple Worldwide Developer Relations Certification Authority
    Authority=Apple Root CA
    Timestamp=Nov 2, 2020 at .... PM
    Info.plist entries=15
    TeamIdentifier=MYORGDEVID
    Runtime Version=10.14.0
    Sealed Resources version=2 rules=13 files=309
    Internal requirements count=1 size=212
    ====
    sh-3.2 codesign -vv --strict /Applications/MyApp.app
    ===
    /Applications/MyApp.app: valid on disk
    /Applications/MyApp.app: satisfies its Designated Requirement
    ===
    spctl --raw -a -t exec -vv /Applications/MyApp.app
    =====
    /Applications/MyApp.app: rejected
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ".../>
    <plist version="1.0">
    <dict>
        <key>assessment:authority</key>
        <dict>
            <key>assessment:authority:flags</key>
            <integer>0</integer>
        </dict>
        <key>assessment:originator</key>
        <string>3rd Party Mac Developer Application: MyOrg  (MYORGDEVID)</string>
        <key>assessment:remote</key>
        <true/>
        <key>assessment:verdict</key>
        <false/>
    </dict>
    </plist>
    origin=3rd Party Mac Developer Application: MyOrg  (MYORGDEVID)
    ===========
8 replies · 0 boosts · 1.8k views · Nov ’20
How to debug gatekeeper reject, but passing codesign verification
I need step by step instructions to debug why the spctl command rejects -- I am on 10.15.7. Appreciate it if anyone can shed some light on this with a pointer/documentation? Forcing me to do something in Xcode is not what I am looking for, please. I am sure with Catalina new rules have formed around the Gatekeeper spctl command to assess the security posture of the apps installed or developed. No one wants malware, including hardworking developers :) Now coming to our app, it gets rejected by spctl -- unknown developer, but codesign passes the app.

    sh-3.2 spctl -a -t exec --ignore-cache -vv /Applications/MyApp.app
    ====
    /Applications/MyApp.app: rejected
    origin=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)
    =====
    sh-3.2 codesign -dvv --strict /Applications/MyApp.app
    =====
    Executable=/Applications/MyApp.app/Contents/MacOS/MyApp
    Identifier=com.MyApp.SubID
    Format=app bundle with Mach-O thin (x86_64)
    CodeDirectory v=20500 size=1285 flags=0x10000(runtime) hashes=31+5 location=embedded
    Signature size=9134
    Authority=3rd Party Mac Developer Application: MyOrg (MYORGDEVID)
    Authority=Apple Worldwide Developer Relations Certification Authority
    Authority=Apple Root CA
    Timestamp=Nov 2, 2020 at .... PM
    Info.plist entries=15
    TeamIdentifier=MYORGDEVID
    Runtime Version=10.14.0
    Sealed Resources version=2 rules=13 files=309
    Internal requirements count=1 size=212
    ====
    sh-3.2 codesign -vv --strict /Applications/MyApp.app
    ===
    /Applications/MyApp.app: valid on disk
    /Applications/MyApp.app: satisfies its Designated Requirement
    ===
1 reply · 0 boosts · 987 views · Nov ’20
productbuild --product preinstall-requirements, macOS
What should be the key used in the preinstall-requirements for a package built by productbuild? Keep getting this message no matter what I try (not using Xcode) from the App Store via Transporter:

"ERROR ITMS-90264: "The lowest minimum system version [none] in the Product Definition Property List must equal the 'LSMinimumSystemVersion' value [10.9.0] in the 'Info.plist'.""

Had tried the following, but the App Store keeps complaining with the same message. Also Transporter verifies, but when I click deliver, the delivery fails with the above message.

    =============
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" --appleurl redacted >
    <plist version="1.0">
    <dict>
        <key>os</key>
        <array>
            <string>10.9.0</string>
        </array>
    </dict>
    </plist>
    ===============

Used also LSMinimumSystemVersion in place of os. By the way, how do I verify that the product requirements list is captured in the package? The command I use is:

    productbuild --distribution ./distribution.xml \
        --resources ~/Desktop/resources \
        --identifier com.myorg.uniqueid \
        --version ${VERSION} \
        --sign "${IDENTITY}" \
        --product ~/Desktop/product_definition.plist outputFinal.pkg

The man page for productbuild (10.15.7 Catalina) says the following:

    ===
    --product requirements-plist
        When synthesizing a distribution, use the requirements from requirements-plist.
        See PRE-INSTALL REQUIREMENTS PROPERTY LIST (this was formerly called the
        "product definition property list").

    PRE-INSTALL REQUIREMENTS PROPERTY LIST
        When you use productbuild to synthesize a distribution (e.g. with the --component
        option), you can specify pre-install requirements in a separate property list
        file, specified with the --product option.

        At the top level, this property list is a dictionary, with the following keys:

        Key                     Description
        os                      Minimum allowable OS versions (array of strings)
        arch                    Supported architectures (array of strings)
        ram                     Minimum required RAM in gigabytes (real)
        bundle                  Specific bundles that must exist on the system (array of dictionaries)
        all-bundles             Are all of the bundles specified required? (Boolean)
        gl-renderer             Required OpenGL capabilities (string)
        cl-device               Required OpenCL capabilities (string)
        single-graphics-device  Must OpenGL and OpenCL requirements be met by a single device? (Boolean)
        home                    Should installation be allowed in user home directory? (Boolean)

        o The os key defines one or more minimum system versions. You might have multiple
          versions if a certain OS update is required for a given major OS version. For
          example, if you specify 10.5.4 and 10.6.2, Leopard would be allowed from 10.5.4 up,
          and Snow Leopard from 10.6.2 up, but 10.6 and 10.6.1 would be rejected. There is
          no upper-bound associated with the highest value given.

          NOTE: Some of the other requirements imply their own minimum system versions,
          which may override the values set here. This is noted below where applicable.

        o The arch key specifies the supported architectures, e.g. i386 and/or x86_64. Note
          that i386 allows both 32- and 64-bit systems, but if you specify only x86_64, a
          64-bit system is required.
    =====

Any pointers -- gratefully appreciated. Thanks!!
0 replies · 1 boost · 2.4k views · Nov ’20
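As an added consistency check (not from the post above and not part of Apple's tooling), the following Python reads a pre-install requirements plist and an Info.plist and applies the rule the ITMS-90264 message states: the lowest version in the top-level `os` array must equal `LSMinimumSystemVersion`. The plist contents, including the variant that names the key `LSMinimumSystemVersion` instead of `os`, are constructed samples.

```python
import plistlib

# Constructed sample: pre-install requirements plist as passed to `productbuild --product`.
PRODUCT_DEFINITION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>os</key><array><string>10.15.4</string><string>10.9.0</string></array>
</dict></plist>"""

# Constructed sample with the key misnamed (the variant the post mentions trying).
MISNAMED_DEFINITION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>LSMinimumSystemVersion</key><array><string>10.9.0</string></array>
</dict></plist>"""

# Constructed sample of the app bundle's Info.plist, trimmed to the one relevant key.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>LSMinimumSystemVersion</key><string>10.9</string>
</dict></plist>"""

def version_tuple(version):
    """'10.9' -> (10, 9, 0): pad to three components so 10.9 and 10.9.0 compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]

def lowest_os_requirement(product_definition):
    """Return the lowest version in the top-level `os` array, or None if it is absent or empty."""
    versions = plistlib.loads(product_definition).get("os")
    if not isinstance(versions, list) or not versions or not all(isinstance(v, str) for v in versions):
        return None
    return min(versions, key=version_tuple)

def check_min_os(product_definition, info_plist):
    """Apply the ITMS-90264 rule; returns (ok, message) with values shown in the error's bracket style."""
    lowest = lowest_os_requirement(product_definition)
    ls_min = plistlib.loads(info_plist).get("LSMinimumSystemVersion")
    if lowest is None or ls_min is None:
        return False, f"lowest os [{lowest or 'none'}] vs LSMinimumSystemVersion [{ls_min or 'none'}]"
    if version_tuple(lowest) != version_tuple(ls_min):
        return False, f"lowest os [{lowest}] does not equal LSMinimumSystemVersion [{ls_min}]"
    return True, f"lowest os [{lowest}] matches LSMinimumSystemVersion [{ls_min}]"

if __name__ == "__main__":
    for name, definition in (("os key", PRODUCT_DEFINITION), ("misnamed key", MISNAMED_DEFINITION)):
        ok, message = check_min_os(definition, INFO_PLIST)
        print(f"{name}: {'OK' if ok else 'FAIL'} - {message}")
```

Point both inputs at the real `product_definition.plist` and the bundle's `Info.plist` before running productbuild; a `none` on the left side reproduces the bracketed value in the rejection message.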
decrypt short msg with RSA public key
iOS and Swift SMEs, appreciate it if I can get some answers on the following. Have a very short msg encrypted by a pvt RSA key (pkcs1, in Java). Need to decrypt in iOS using the public key. How can I achieve that? [Pls, I am fairly familiar with the cons and pros of using a pub key to decrypt; for my use case the pub key doesn't fly over the internet. If I chose sig based, I need to do a time stamp etc. check, which adds overhead; my msgs to encrypt are _very_ short << chars.] Thanks in anticipation.
6 replies · 0 boosts · 4.7k views · Jun ’20