private key generation issue

Privacy & Security General
Lex_A OP
Created May ’20
Replies 1
Boosts 0
Views 638
Participants 2

As a part of our macOS solution, we have an auxiliary launch agent that generates a private key with a custom access control attribute (kSecAttrAccessControl) to request user presence, using SecAccessControlCreateWithFlags (or using Security Enclave). Generation fails with 

errSecMissingEntitlement
without Keychain Access Groups Entitlement. To make it working, we packed the daemon into an app like structure and added the entitlement, but required for a provision profile. That works well for development, but how are we supposed to distribute our daemon now? There are only two types of distribution provision profiles: App Store Distribution Profile and Ad Hoc Distribution profile. Both doesn't suit for our case. The first one is for applications, but we have a daemon, I don't think Apple will allow auxilary daemons or agents there, the second one is for testers. That looks really ridiculous, the code works, but we cannot distribute it.

Are there any ways to generate the keys with access control, preferably with Security Enclave, and distribute the code for our case?


We used the guide: https://forums.developer.apple.com/message/408009#408009


With App Store Distribution profile the agent crashes on the client's devices with:

Exception Type: EXC_CRASH (Code Signature Invalid)

Exception Codes: 0x0000000000000000, 0x0000000000000000

Exception Note: EXC_CORPSE_NOTIFY


But it's still unclear how to distribute our launch agent as a part of our solution, since we cannot user Apple Store?

Replies  1
Boosts  0
Views  638
Participants  2
DTS Engineer OP
Apple
May ’20

If you’re creating a 

launchd
agent then, necessarily, you’re not shipping via the Mac App Store, which means that you must sign with your Developer ID Application code signing identity. Developer ID apps don’t always need a provisioning profile but, if you’re in a situation where you need one, and accessing the iOS-style keychain is exactly that, you can create a Developer ID profile in the usual way. In Certificates, Identifiers & Profiles, start creating a profile and scroll down to the bottom of the Distribution section to find the Developer ID option.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
private key generation issue
First post date Last post date
 
 
Q