My MacOS application has a webview and I've been subclassing WKScriptMessageHandler to handle several messages received from the javascript code. For a new feature I would like to save user's password in the Keychain, to do so I need to send the password from the Javascript to the Swift codebase. The javascript code would be something like this: window.webkit.messageHandlers.loginData.postMessage({username: 'john', password: 'p@ss!123'}) Before implementing this approach I would like to know if there are any security vulnerabilities that I should know about. The sensitive data is being sent from the Javascript to the Swift code, so I wonder if it would be possible for someone to intercept it or getting the sensitive data somehow.

My mac application offers support for versions 10.15 or higher, therefore I'm adding some logs to the app to get the OS version when the app launches. But, besides getting the major and minor version numbers, I wonder if it would be relevant for troubleshooting to log the release name as well, such as Catalina, Big Sur, Monterey, etc. So my question is: In order to investigate bug causes, is it important to know the OS release name? Or having just the OS version number is informative enough?

I'm trying to upload my MacOS app to Appstore via command line, and after solving some signing and certificates issues, I'm a bit stuck on package validation. After exporting the archive to a .pkg file, I run the following command: xcrun altool --validate-app -f ${filename}.pkg -t macOS -u $username -p $password --output-format json And then I get a message with this feedback: Could not find the main bundle or the Info.plist is missing a CFBundleIdentifier in ‘MyApp.pkg’. The problem is my Info.plist looks valid, and it does have a CFBundleIdentifier key. Besides that, uploading to Appstore through Xcode organizer works fine, so I don't really know what I'm missing here. So, I have the following doubts: Am I in the right direction to upload the app to the store via command line? Do I really needs this --validate-app step? Is it correct to try to validate a pkg file? Please let me know if there is more information I could give. Any help would be appreciated.

My app loads a webview using WKWebView class, so it uses safari to render the web content. However, the content is quite complex and Chrome does perform considerably better than Safari. So i wonder if would be possible to use Chrome engine in WKWebview, instead of Safari.

Since my first deploy I've been uploading my app to Appstore using XCode user interface, and everything works as expected. However, I would like to start uploading the app via command line, and when I upload the app via altool (xcrun altool --upload-app ${appname}.pkg) I get a feedback from Apple saying a provisioning profile was not selected. Is there a way to explicitly pick a Provisioning Profile via command line? Maybe as an argument or something like that.

I saw that I can archive my app and export its .app in a local folder on my system using xcodebuild. But is there a way to distribute the app directly to customers (Developer Id option) using the xcodebuild command? So the app would be notarized and validated by Apple.