Hi,
Is there a way to restrict calls to a launch daemon? Can I allow only my app to use my daemon?
cheers, sivan
Yes. See Validating Signature Of XPC Process.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
Thanks for your answer. I have posted a question regarding setCodeSigningRequirement, in the post that you have mentioned above.
Hi, I am using NSXPCConnection with setCodeSigningRequirement.
I tried different requirements.
Simplest = "anchor apple generic". This one works.
Requirement1 = "anchor apple generic and IssuerIsDeveloperID and LeafIsDeveloperIDApp". In this case my app can not connect with my daemon.
Requirement2 = "anchor apple generic and certificate leaf[subject.OU] = <My Team Id>". In this case too, my app can not connect with my daemon.
My app and daemon are signed with the same developer id cert and same team id. What am I missing here?
Thanks, Sivan
I put a bunch of info, and links to other documents, in TN3127 Inside Code Signing: Requirements. I suggest you start there.
You can test requirements using codesign. For example:
% codesign -v -v -R "=anchor apple" /System/Applications/TextEdit.app
…/TextEdit.app: valid on disk
…/TextEdit.app: satisfies its Designated Requirement
…/TextEdit.app: explicit requirement satisfied
% codesign -v -v -R "=anchor apple" "/Applications/Pacifist.app"
…/Pacifist.app: valid on disk
…/Pacifist.app: satisfies its Designated Requirement
test-requirement: code failed to satisfy specified code requirement(s)
You can also compile them using csreq, which is a great way to check just the syntax.
Hopefully the above will speed up your efforts to craft the correct requirement.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
thanks!
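The two checks suggested in the thread (compile the requirement to catch syntax errors, then evaluate it against signed code on disk) can also be done from Swift with the Security framework. This is an added example, not code from the thread or from Apple; the team ID `TEAMID1234` is a constructed placeholder, and the default path is the TextEdit path used in the codesign example above.

```swift
import Foundation
import Security

func csError(_ status: OSStatus) -> NSError {
    let text = SecCopyErrorMessageString(status, nil) as String? ?? "OSStatus \(status)"
    return NSError(domain: NSOSStatusErrorDomain, code: Int(status),
                   userInfo: [NSLocalizedDescriptionKey: text])
}

/// Compiles a requirement string. A syntax error is reported here,
/// before any code is examined (the same check csreq performs).
func compile(_ text: String) throws -> SecRequirement {
    var requirement: SecRequirement?
    let status = SecRequirementCreateWithString(text as CFString, [], &requirement)
    guard status == errSecSuccess, let compiled = requirement else { throw csError(status) }
    return compiled
}

/// Checks the code at `path` against the requirement, like `codesign -v -R`.
func evaluate(_ text: String, onCodeAt path: String) throws {
    let requirement = try compile(text)
    var code: SecStaticCode?
    let created = SecStaticCodeCreateWithPath(URL(fileURLWithPath: path) as CFURL, [], &code)
    guard created == errSecSuccess, let staticCode = code else { throw csError(created) }
    let status = SecStaticCodeCheckValidity(staticCode, [], requirement)
    guard status == errSecSuccess else { throw csError(status) }
}

// Constructed candidates. TEAMID1234 is a placeholder, not a real team ID.
let candidates = [
    "anchor apple",
    "anchor apple generic",
    "anchor apple generic and certificate leaf[subject.OU] = \"TEAMID1234\"",
]
// Pass the path of the client app as the first argument to test it instead.
let path = CommandLine.arguments.count > 1
    ? CommandLine.arguments[1] : "/System/Applications/TextEdit.app"

for text in candidates {
    do {
        try evaluate(text, onCodeAt: path)
        print("PASS  \(text)")
    } catch {
        print("FAIL  \(text): \(error.localizedDescription)")
    }
}
// A string that passes for the client app is what the daemon would then hand to
// NSXPCListener.setConnectionCodeSigningRequirement(_:) (macOS 13 or later).
```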