Post not yet marked as solved
Hi,
I'm looking for best practices for unlocking TouchID in a Mac app when using canEvaluatePolicy.
Documentation says:
Biometric authentication will get locked after 5 unsuccessful attempts. After that, users have to unlock it by entering their account password. The password can be entered either at login window or in the preference sheets or even in application by the means of LAPolicyDeviceOwnerAuthentication. The system unlock is preferred user experience because we generaly don't want users to enter their account password at application's request.
So if we shouldn't manage Mac's password in the app, how to invite user to unlock ?
Explaining he must lock/unlock the session or open any preference panel isn't a fluent experience and would definitely seems weird.
I tried adding an 'Unlock' button in an alert and locking the screen automatically but this raises extras complexities:
pmset can put the screen to sleep but won't lock in case of grace period
sending an cmd-ctl-Q AppleEvent to System Events could fit but it depends on user acceptance for AEs and fails when System Events isn't running.
Any ideas ?
Post not yet marked as solved
Hi,
I'm looking for feedback regarding SCNetworkReachability under macOS Sonoma.
It seems that since beta 3 the notifications behaviour changed.
In a LaunchAgent I'm using SCNetworkReachabilityCreateWithName + SCNetworkReachabilitySetCallback + SCNetworkReachabilityScheduleWithRunLoop and wait for callbacks looking at the kSCNetworkReachabilityFlagsReachable flag. This is running fine under macOS 12.x, 13.x and 14.0 for more than a year.
If I log all callback entries I observe unexpected notifications as if the looked host became unreachable for very small amount of time (ms). The host is flagged as unreachable then few ms later reachable again then unreachable again.
Fast switching is fine, I can accept that the service is unreachable even for 1s but the probleme is the latest status do not reflect actual reachability of the service.
This is in a corporate network with the complexity of using a proxy.pac.
Does anybody noticed something similar ?
I filled a Feedback FB13442134 in case it could be a regression of 14.2
Post not yet marked as solved
Hi,
I'm looking for a way to allow two TeamID in a PPPC predicate. When an app move from one company to another (different TeamIDs) PPPC configuration profiles need to cover the transition period.
However those profiles do not allow duplicated path-based entries. Then the binary /usr/bin/local/sample can have only one PPPC payload for full disk access authorizations.
To solve this problem I'd like to use an OR operator in the predicate, such as:
identifier Sample and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and (certificate leaf[subject.OU] = TEAMID001 or certificate leaf[subject.OU] = TEAMID002)
But I cannot find any documented information about the supported syntax.
Does anybody already did this before ?
Post not yet marked as solved
I try to use LAContext.evaluateAccessControl for LAAccessControlOperationUseKeyDecrypt operations using a Secure Enclave-based private key.
The keys are created using SecKeyGeneratePair (ECDH + SETokenID). Access Control is then defined using kSecAccessControlBiometryAny | kSecAccessControlAnd | kSecAccessControlPrivateKeyUsage flags.
By the time LAContext.evaluateAccessControl is called, SecAccessControlCreateWithFlags is used with flags kSecAccessControlBiometryAny | kSecAccessControlPrivateKeyUsage.
Evaluation will fail with ACL error: Domain=com.apple.LocalAuthentication Code=-1009 "ACL operation is not allowed: 'od'" UserInfo={NSDebugDescription=ACL operation is not allowed: 'od’}
The same process is fine for signature operations. I don't understand what 'od' stands for. If ACLs are the same for key creations and key usage, shouldn't it prompt TouchID and allow the operation ?
Post not yet marked as solved
Hi,
I wonder if someone succeeded in customising encryption algorithm used by CMSEncoder.
Something similar to CMSEncoderSetSignerAlgorithm but for ContentEncryptionAlgorithm of CMS message. By default macOS uses des-EDE3-CBC and I'd like to use aes256-CBC.
Any feedback is welcome.
Post not yet marked as solved
Hi,
I'm trying to debug Finder extensions (NSExtensionPointIdentifier com.apple.ui-services).
If I run the debug build of container app the extensions won't activate in the Finder and won't show in System Preferences. Instead they show accordingly when I copy the app on the Desktop for example. I assume this is because Xcode build folders are not considered by the PluginKit framework.
Then I used the command:
pluginkit -a /path/to/xcode/data/Plugin1.appex
pluginkit -e use -i com.company.Plugin1
This allows all plugins (I have 4) to show in Finder 'Quick Actions' menu when I run Plugin1.appex in debug mode.
Steps used:
Select Appex target
Run and select the container App when prompted
The Finder Actions menu gets populated
In Xcode Appex process is waiting
Attach to running container from the Debug menu
Expected result:
I should be able to break in the code when selecting the action in Finder
Actual result:
As soon as I attach to the container the Finder menu is no more populated with my extensions
I assume I misused the PluginKit command but I cannot find any documentation on this topic. Any help is welcomed.
Post not yet marked as solved
Hi,
I’m looking for customizing the icon displayed in Actions contextual menu in Finder or in Extensions settings in System Preferences.
I use NSExtensionServiceFinderPreviewIconName in extension’s plist. If I set NSActionTemplate or any NSxxx icon name I see the icon sized correctly in popup menu but not templated (wrong color in dark mode).In System Preferences I don’t get any icon.
If I use any SF Symbol it fails and fallback to bundle’s icon.
If I use a templated asset I have a size issue. Finder Popup expect 20 points icon while System Preferences expect 24 points.
If I use vectors Finder Popup will size accordingly but not System Preferences.
I wanted to look at macOS pre-installed Actions (crop video, resize image) but I could not find the hosting bundle.
Any idea or suggestion ?
Post not yet marked as solved
Hi,
I face a strange issue with CMSDecoder.
When I encrypt + sign a message with CMSEncodeContent and then try to decode the same CFData using CMSDecoderUpdateMessage/CMSDecoderFinalizeMessage the library crashes.
If I only encrypt the data the exception disappear but I cannot get back the content (nil).
If I only sign the data I can get the original message using CMSDecoderCopyContent.
Does anybody already faced this issue ? Could it be related to my identities / certificates ?
Reproduced with macOS 12.5.1. Sample code bellow.
Hi,
I'm trying to detect a captive session from NEFilterDataProvider to make sure the portal traffic is allowed accordingly.
Initial idea was to look at audit tokens to allow any traffic from Captive Portal Assistant.
But most of the traffic is managed from WebKit Networking (I assume CPA uses a WebView). Allowing any WebKit traffic is a major issue for my firewall use-case.
An alternative could be possible using NEHotspotHelper but this API is not supported on Mac.
Portal DHCP advertisement could also help but sandboxed NEFilterDataProvider doesn't have access to DCHP context. https://developer.apple.com/news/?id=q78sq5rv
I've seen many threads related to those topics for iOS but none for Macs.
Does anybody know a Mac API that could be of any help ?
Hi,
I'm writing an XPC Service hosted in a container app.
This service is expected to trigger IPC when some URL of interest become reachable. I'm using SCNetworkReachability (Reachability class provided as sample code from Apple).
The reachability notification runs fine when running from the container app.
However the XPC Service is never triggered of any network change.
I'm suspecting something related to RunLoop or RunLoopMode (XPCListener is instantiated with serviceListener) but cannot find any fix.
I disabled sandboxing without success (and anyway it runs fine with sandboxed container + network client entitlement).
Any suggestion ?
Hi,
I’m writing a network extension for macOS using the following pattern:
Network extension with ID com.company.app.extension
XPC Service with ID com.company.app.controller
Container app with ID com.company.app.container
First 2 are contained in the 3rd
All of 3 are sandboxed & share the same com.company.app AppGroup.
XPC Service uses network (client) entitlement to fetch settings & control the extension.
The app need to support managed preferences as well.
I read many posts in this forum, but I’m confused about using NSUserDefaults accross those processes.
Pb 1 - standardsUserDefaults vs initWithSuiteName
I noticed that to observe defaults using KVO I need to use initWithSuiteName:@"com.company.app" (or addSuiteName).
Observing standardsUserDefaults alone will never trigger any event. This is the first confusion because my understanding was that KVO observation wasn’t restrincted to suites.
Pb 2 - AppGroup ‘group.’ prefix
If I observe a suite named ‘com.company.app’ from the container app or XPC Service I get error : [User Defaults] Couldn't read values in CFPrefsManagedSource<> (Domain: com.company.app, User: kCFPreferencesAnyUser, ByHost: Yes, Container: (null), Contents Need Refresh: No): accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access
This can be fixed using ‘group.com.company.app’ suite (both in the code and AppGroup entitlement). However if I use the same AppGroup for extension it will fail loading with error code OSSystemExtensionErrorValidationFailed.
Checked the provisioning profiles, they all map to the same ID in Dev portal. Including the TeamID in the suite name will produce the same situation.
The only way to load the extension is to use AppGroup com.company.app. This again is confusing because Dev portal force the ‘group.’ prefix. I can’t figure out how to use the same suite name for all processes.
Pb 3 - Inter-process synchronisation
Based on previous conclusion the situation is both container & controller use AppGroup (TeamID).group.com.company.app and addSuiteNamed:@"group.com.company.app" for observing & updating the defaults.
Each process can observe its own defaults updates but they do not synchronize between container app and XPC Service.
This is the most frustating part. The documentation says:
NSUserDefaultsDidChangeNotification is posted whenever any user defaults changed within the current process, but is not posted when ubiquitous defaults change, or when an outside process changes defaults. Using key-value observing to register observers for the specific keys of interest will inform you of all updates, regardless of where they're from.
Did I missed some steps ?
Hi,I'm writing a CryptoTokenKit extension (simular to sample available in CTK documentation).In this extension I'm trying to use SecKeyCreateSignature or SecKeyCreateDecryptedData using private keys I get using SecItemCopyMatching.However the crypto operations fail with errors -25308 :CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION (errKCInteractionNotAllowed / errSecInteractionNotAllowed / Interaction is not allowed with the Security Server)The same code runs fine from the host App.Are there Sec API limitations in CTK ?I've seen some posts in the forum about application whitelising using provisioning profiles but I don't understand which keys should to be used.Here is one of the post I refer to : https://forums.developer.apple.com/thread/128767Any help is welcome,Regards,Jerome T
Post not yet marked as solved
Hi,
I cannot find potential attributes to enable 'User Presence' when accessing passwords stored with 'add-generic-password'.
The idea is to make sure the user is prompted with session's password (or TouchID) each time a generic password is fetched from Keychain. This can be done using Security.framework but I'm looking for an equivalent in a shell script.
Has anybody done such a thing ?
Regards,
Jerome T
Jtasoftware.