Migrating away from from SMJobBless

I have a swift app which uses SMJobBless with kSMDomainSystemLaunchd to install a privileged helper tool which performs some actions which require root. My app talks to it over XPC using NSXPCConnection. I embed the helper tool under Contents/Library/LaunchServices

When building my app under macOS 13.2.1 with Xcode 14.2, installing the helper tool with SMJobBless no longer works. A copy of the app built on earlier macOS / Xcode does work fine.

  1. Can I use SMAppService.agent() ? The helper does not need to run when the user logs out. It only performs some actions as root when invoked over XPC and can exit afterwards.
  2. Is there some workaround to make SMJobBless work as before?
  3. If I use SMAppService.agent, where do I put the plist file?
  4. In which directory should I embed the tool executable if I use an agent?
  5. How should the plist file look like for a XPC launch agent?
  6. Can I have a working example xcode project which uses SMAppService.agent() to embed a privileged helper?
Up vote post of rrva Down vote post of rrva
878 views
Posted by
rrva
Reply
Add a Comment

Replies

When building my app under macOS 13.2.1 with Xcode 14.2, installing the helper tool with SMJobBless no longer works.

That shouldn’t be the case. SMJobBless should still work as well as it always has, and that matches with my experience.

Can I use SMAppService.agent(…)? The helper does not need to run when the user logs out. It only performs some actions as root when invoked over XPC and can exit afterwards.

No. An agent runs with the current user’s privileges. To run as root you need a daemon.

Is there some workaround to make SMJobBless work as before?

As I said, it should work just fine. It’s hard to say exactly what’s gone wrong without a more in-depth analysis of your issue. Let’s start with something simple: If you take your Xcode 14-built app and run it on macOS 12, does it work there? That’ll tell you whether the problem is with macOS or with the way that your app is getting built by Xcode 14.

If I use SMAppService.agent(…), where do I put the plist file?

See the docs. Of course you won’t be able to use an agent so actually you need to see these docs (-:

In which directory should I embed the tool executable if I use an agent?

Standard practice is to use the BundleProgram property in your launchd property list and thus you can place the executable anywhere in your bundle. Similar for a daemon. This is great because you don’t need a new tool; you can continue using the one you use for SMJobBless.

See the launchd.plist man page for details.

How should the plist file look like for a XPC launch agent?

Ditto.

Can I have a working example xcode project which uses SMAppService.agent(…) to embed a privileged helper?

No, because that’s not possible. However, you can find an explanation of how to set up an agent here. I’m confident that you’ll have no problems tweaking that to install a daemon.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

The reason for Xcode 14.2 not producing a working build wrt SMJobBless was that the CN in the imported Developer certificate had somehow changed. It contained the same developer id, but instead of my email address which had been part of the certificate CN, now it contained my real name instead. When I re-ran SMJobBlessUtil.py and changed the SMAuthorizedClients requirement, all worked. Had to use this version: https://gist.github.com/mikeyh/89a1e2ecc6849ff6056b7391c5216799

Thanks for the advice on how to migrate, I might work on that later. For now, I will keep SMJobBless for a while.

Posted by
rrva
Up vote reply of rrva Down vote reply of rrva
Add a Comment