Has something security-related changed with XPC launching?

I'm seeing an XPC-related problem with my app.


The symptoms are pretty similar to this GitHub thread, and I suspect that it is security/code-signing related in some way.


I have a Catalyst-based app. It uses a framework which embeds a plugin. The plugin bridges over to AppKit land and depends on (and embeds) the Sparkle framework. Yes, I know... but it works, or it did.


What I'm seeing now is that Sparkle is working fine, right up until the point where it attempts to launch an xpc service to run the installer. At that point it fails with the error "The remote port connection was invalidated from the updater". This comes from Sparkle, and is generated by the invalidation handler of the xpc service.


Obviously I don't expect people to debug Sparkle problems here, but the weird thing is that this code used to work fine, and I don't believe that I've changed anything.


I am seeing it failing now if I build the app. I am also seeing it fail in archived versions of the app which were built weeks or months ago, and which used to work. I think I've also witnessed another app failing in a similar way on my machine, though I can't swear to that.


It is making me wonder if there's been a subtle change to security code in a recent OS update which might have triggered this failure.


I'm also finding it quite difficult to trace the exact source of failure, so would appreciate any tips on getting extra logging out of the XPC launching system. Trying to find anything useful in Console is pretty difficult, what with the sheer amount of other stuff flying past.

Replies

I should probably add that I am re-signing everything in a script phase, using `codesign --verbose --force --deep --options runtime --sign "$IDENTITY"...`


This includes the outer framework, the plugin inside it, the Sparkle framework inside that, and the three Sparkle xpcs (which live inside the main app bundle, in the usual place).


Also, that Notarizing the app is working.

Additional weirdness.


If I run from Xcode, I don't even get the XPC error reported, and the XPC processes don't show up in Xcode at all. Two of the three do show up in Activity Monitor.


https://www.dropbox.com/s/n666y15y9jwp3jq/Screenshot%202020-05-18%20at%2015.59.05.png?dl=0


If I run the same build manually (by double-clicking in the Finder), the connection XPC does seem to have launched, and presumably it's that one I'm getting the error back from.


https://www.dropbox.com/s/bcsxddrbnwnzy7j/Screenshot%202020-05-18%20at%2015.51.50.png?dl=0

First up, don’t use `--deep`. See `--deep` Considered Harmful for an explanation as to why.

Next, if you run your program on an older system (specifically, 10.15.3 or earlier), does it work? We added some important hardening to 10.15.4 and it’s possible that you’re tripping over that.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
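
An added example, not part of the thread and not Apple's or Sparkle's code: one way to re-sign the nested layout described above (app, outer framework, plugin, Sparkle framework, XPC services) inside-out with one `codesign` call per item instead of `--deep`. The function names, the extension list used to recognise nested code, and the command-line arguments are assumptions; the `codesign` options are the ones quoted in the thread minus `--deep`.

```shell
#!/bin/sh
# Added example (not from the thread): sign nested code inside-out, one
# codesign call per item, instead of relying on --deep.
# Assumption: nested code is recognised by the extensions listed below.

# Print every nested code item under bundle $1, deepest path first, so inner
# items are sealed before the containers whose signatures cover them.
nested_code_inside_out() {
    find "$1" -mindepth 1 ! -type l \
        \( -name '*.xpc' -o -name '*.framework' -o -name '*.bundle' \
           -o -name '*.plugin' -o -name '*.app' -o -name '*.dylib' \) -print |
        awk -F/ '{ print NF " " $0 }' |   # prefix each path with its depth
        LC_ALL=C sort -k1,1nr |           # deepest first
        cut -d' ' -f2-                    # drop the depth prefix
}

# Sign each nested item, then the outer bundle, then verify the result.
# $1 = bundle path, $2 = signing identity.
sign_inside_out() {
    bundle="$1"
    identity="$2"
    nested_code_inside_out "$bundle" | while IFS= read -r item; do
        # Separate calls mean per-item options can differ where needed.
        codesign --verbose --force --options runtime \
            --sign "$identity" "$item" || exit 1
    done || return 1
    codesign --verbose --force --options runtime \
        --sign "$identity" "$bundle" || return 1
    codesign --verify --strict --verbose=2 "$bundle"
}

# Usage: sign-inside-out.sh /path/to/My.app "$IDENTITY"
if [ "$#" -eq 2 ]; then
    sign_inside_out "$1" "$2"
fi
```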

Thanks Quinn.


I will change my signing script to remove `--deep`. The script does actually recurse anyway, so the `--deep` was part belt-and-braces, and part legacy.


I don't have access to a 10.15.3 system at the moment, but a hardening change between .3 and .4 was my number one suspicion, so it's good to hear that it's at least a possibility.

> I don't have access to a 10.15.3 system

I strongly recommend that you set up a VM for testing this sort of thing. It has a couple of key benefits:

  • You take snapshots of important releases and easily switch between them. For example, 10.14.5 introduced notarisation, so you want a snapshot of 10.14.4 and another of 10.14.5. And likewise for 10.15.3 and 10.15.4.

  • By reverting to a snapshot you’re always testing on a ‘clean’ machine. macOS’s trusted execution system caches a bunch of info, which means that tests on development machines can yield inaccurate results.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I have Parallels, and managed to find an installer that I'd archived for Catalina 10.15.3, so now have a clean 10.15.3 vm.

It appears that the same problem is occurring there, which is interesting and suggests that it wasn't a recent change to the system that caused it.

I am struggling to find a place to download an earlier 10.15.x installer. The downloads page of the developer site seems to only have the latest installer. I can find combo updater for 10.15.1 and 10.15.2, but I presume that they run on top of an existing install?

I tried `softwareupdate --fetch-full-installer --full-installer-version 10.15.1`, but that doesn't seem to want to play ball. Is there an official location from which to obtain previous system installers?

> Is there an official location from which to obtain previous system installers?

I’m not aware of such a mechanism. I always archive away the first GM Install macOS Whatever app so that I can use that, and the various combo updates, to get the specific OS release I want. If you haven’t done that, perhaps you could ask one of your local Mac developer pals?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"