Register Token Extension with SecurityAgent

https://developer.apple.com/documentation/cryptotokenkit/authenticating_users_with_a_cryptographic_token states that a token extension needs to be registered by executing its hosting app as the _securityagent user. This unfortunately does not work for me: Launching my hosting app as described in the documentation does not register the token extension. Also I get the following output from the hosting app when executed as _securityagent:


"*Forcing* IMK Distributed Objects (not XPC) in App = myHostingApp, euid=92"


Launching my hosting app as the current, "normal" user causes the token extension to be registered just fine, and except for smart card logon, every functionality you would expect from a token (pairing with a user, unlocking the system keychain etc.) is available and functional.


Did somebody else encounter this issue as well?

Accepted Reply

To provide closure to this: It is possible to register the CryptoTokenKit driver as _securityagent by running "pluginkit -a" in the appropriate context using launchctl. However I have observed that after some years the method described in the documentation suddenly started to work as well, so using launchctl probably isn't necessary anymore.

Replies

I did encounter an error when executing the host app with the sudo -u _securityagent command. It came up with "Permission denied".

In some cases I got it working, but after restarting the machine, the system does not allow me to log on using the smart card.

Did you get any solution for this issue? I am also facing this issue.

Can you provide an example command using PlugInKit -a with _securityagent user and launchctl?

Your response to me doesn’t provide the closure that I’m looking for.

Currently the host app approach using the _securityagent user ends with a trap. I will try to find the reason / error soon.

Currently the host app approach using the _securityagent user ends with a trap

[FYI, this is the container app, not the host app. *grumble* I’ve already filed a bug against the docs about this terminological mixup (r. 86843253).]

One way to avoid weird problems like this is to pass a command-line argument to your container app and then have its main function check for that argument and exit promptly, without running the whole app startup sequence. Hence this quote in the docs:

The hosting app may in fact do nothing more than exit cleanly, but the act of running it has the side effect of registering its app extension with the system.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
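The early-exit pattern described above, as an added example that is not Apple's code and not code from the original post: a top-level main.swift for the container app that checks for a flag and exits before any of the normal AppKit startup runs. The flag name --register-extension-only is a hypothetical choice; whatever launches the container app for registration passes it, and a normal launch takes the NSApplicationMain path.

```swift
// main.swift for the container app (added example, not Apple's code).
// A top-level main.swift replaces the @main / @NSApplicationMain
// attribute and becomes the program entry point.
import AppKit
import Foundation

/// Hypothetical flag passed by whoever launches the container app
/// (for instance the `sudo -u _securityagent` run from the documentation
/// or a launchd job) to request a "register the extension and leave" run.
let registerOnlyFlag = "--register-extension-only"

/// Returns true when the app was launched only so that its bundled
/// token extension gets registered with the system.
func isRegisterOnlyLaunch(_ arguments: [String]) -> Bool {
    // dropFirst() skips argv[0], the executable path.
    return arguments.dropFirst().contains(registerOnlyFlag)
}

if isRegisterOnlyLaunch(CommandLine.arguments) {
    // Running the container app is what registers the embedded appex;
    // the process itself has nothing more to do. Exiting here avoids
    // starting the UI machinery (and the IMK / XPC setup quoted in the
    // question) under an unexpected euid.
    exit(EXIT_SUCCESS)
}

// Normal launch: hand over to AppKit exactly as the @main attribute would.
_ = NSApplicationMain(CommandLine.argc, CommandLine.unsafeArgv)
```

Keeping the check in main.swift rather than in an NSApplicationDelegate callback matters: by the time applicationDidFinishLaunching runs, AppKit has already connected to the window server and input-method services, which is the part that misbehaves when the process is not the console user.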

  • But ideally we need the host app to be able to talk to the app extension via the TKTokenConfig. Apps outside of that direct relationship are not allowed unless you spoof the app build ID, which is less than ideal.

    I have yet to see the suggested _securityagent trick work properly without ending in a trap / error, and I have never seen it work at the loginWindow without a LaunchAgent running the host app (which runs as root there, by the way, not as _securityagent).