Allow specific application on XPC service side on macOS

I'm going to implement an XPC service with the following security functions using C.

  • XPC client should be signed by my Apple certificate
  • XPC client should have a specific bundle identifier (i.e. com.example.app)

How can I implement those specific functions? Is there any API to implement them?

Accepted Reply

You should read this post, which has a detailed explanation of how to approach this issue.

Note: that post assumes you’re using NSXPCConnection, which is something I recommend in general. If you use the low-level XPC API, you’ll have to map from high-level constructs to low-level constructs. For example, the processIdentifier property maps to the xpc_connection_get_pid function. If you have any questions about that mapping, let me know.

Finally, you wrote:

XPC client should have specific bundle identifier

It’s best to avoid the bundle identifier here and look at the code signing identifier or, better yet, test a code signing requirement that includes the identifier. The code signing identifier is the canonical way to identify code. Normally it’s aligned with the bundle identifier, but that’s not guaranteed.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"


WWDC runs Mon, 4 Jun through to Fri, 8 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face.

Replies

Hello, @eskimo,

Is it possible to get code signing identifier using C?

Is it possible to get code signing identifier using C?

Yes. You’ll find the code signing API in the Security framework, which is a C framework.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

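As an added C example, not code from this thread or from Apple: Quinn’s mapping applied to the low-level API. The service takes the peer’s PID with xpc_connection_get_pid, asks the Security framework for the code behind that PID, and checks it against a requirement that pins the code signing identifier and the signing Team ID instead of trusting the bundle identifier. com.example.app comes from the question; TEAM_ID and the helper names are placeholders, and the #ifdef only lets the requirement builder compile on other platforms.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#ifdef __APPLE__
#include <Security/Security.h>
#include <xpc/xpc.h>
#endif
/* Build the requirement text the client must satisfy. identifier and team_id are
 * constants the service author chooses; quote/backslash are rejected so they cannot alter the grammar. */
bool build_client_requirement(char *out, size_t outlen,
                              const char *identifier, const char *team_id) {
    if (strpbrk(identifier, "\"\\") || strpbrk(team_id, "\"\\")) return false;
    int n = snprintf(out, outlen, "anchor apple generic and identifier \"%s\" "
                     "and certificate leaf[subject.OU] = \"%s\"", identifier, team_id);
    return n > 0 && (size_t)n < outlen;
}
#ifdef __APPLE__
/* Look up the code running as `pid` (from xpc_connection_get_pid) and test it against
 * `requirement`. PIDs are recycled after a process exits, so check before handling any message. */
static bool client_satisfies_requirement(pid_t pid, const char *requirement) {
    bool ok = false;
    CFNumberRef pidNum = CFNumberCreate(NULL, kCFNumberIntType, &pid);
    const void *keys[] = { kSecGuestAttributePid }, *vals[] = { pidNum };
    CFDictionaryRef attrs = CFDictionaryCreate(NULL, keys, vals, 1,
        &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    CFStringRef reqStr = CFStringCreateWithCString(NULL, requirement, kCFStringEncodingUTF8);
    SecCodeRef code = NULL; SecRequirementRef req = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, attrs, kSecCSDefaultFlags, &code) == errSecSuccess
        && SecRequirementCreateWithString(reqStr, kSecCSDefaultFlags, &req) == errSecSuccess
        && SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess)
        ok = true;
    if (req) CFRelease(req);
    if (code) CFRelease(code);
    CFRelease(reqStr); CFRelease(attrs); CFRelease(pidNum);
    return ok;
}
/* Listener-side handler for a newly accepted peer: authorize it, then resume it. */
static void handle_new_connection(xpc_connection_t peer) {
    char req[256]; /* TEAM_ID is a placeholder for the service author's Team ID */
    if (build_client_requirement(req, sizeof req, "com.example.app", "TEAM_ID")
        && client_satisfies_requirement(xpc_connection_get_pid(peer), req)) {
        xpc_connection_set_event_handler(peer, ^(xpc_object_t msg) { (void)msg; });
        xpc_connection_resume(peer);
    } else {
        xpc_connection_cancel(peer); /* unauthorized client: drop the connection */
    }
}
#endif
```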

Hello, @Eskimo,

I'm going to integrate my backend library and XPC service.

So, when the main program starts, it will initialize my backend library, create the XPC service, and call library functions on commands from the UI side (i.e. the XPC client).

The XPC service program runs as a launchd daemon.

However, when I unload this daemon using the command `launchctl unload`, how can I finalize my library module?


For example:

    #include <dispatch/dispatch.h>

    int main(void)
    {
        // init my library
        myLibrary->init();

        // init XPC service
        myXPCservice->init();

        // run the main dispatch queue; this call never returns
        dispatch_main();
    }

I didn't find where I need to add myLibrary->Finalize().


Thanks!

I recommend you start a new thread for this question; it’s very different from your original access control question.

Moreover, the fact that this is no longer about access control means that putting your new thread in Core OS > Processes would be best.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
