Posts

Post not yet marked as solved
2 Replies
4.2k Views
Hi

In order to support continuous integration, I've made a builder image with macOS and Xcode installed and I'd like to automate the process of building my workspace targets. So I'm using the following command:

```
/usr/bin/xcodebuild clean build -workspace ./myproj.xcworkspace -configuration Release -scheme myScheme
```

On my development machine I'm setting the derived data location relative to the project directory from the Xcode UI, so the build outputs are written under:

```
my project path/DerivedData/myProj/Build/Products/Debug
```

However, in the build image I cannot set the derived data path since it also serves other projects. Therefore, I'd like to find the appropriate flag to achieve similar behaviour from the xcodebuild command. This means setting the derived data location accordingly for all the targets which are being created in the build command.

I've tried flags like `CONFIGURATION_BUILD_DIR=./DerivedData` or `-derivedDataPath ./DerivedData` but without success.

Any idea where I'm going wrong?
Posted
by chapo81.
Post not yet marked as solved
1 Replies
2.6k Views
I set the following global environment variables for launchd derived services:

```
sudo launchctl setenv CA_DEBUG_TRANSACTIONS 1
sudo launchctl setenv CA_ASSERT_MAIN_THREAD_TRANSACTIONS 1
```

And indeed I saw that reflected on SecurityAgent (of type launchAgent):

```
sudo ps eww 3194
  PID   TT  STAT      TIME COMMAND
 3194   ??  Ss     0:00.19 /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent LaunchInstanceID=00000000-0000-0000-0000-00000001873A XPC_SERVICE_NAME=com.apple.security.agent.login CA_DEBUG_TRANSACTIONS=1 CA_ASSERT_MAIN_THREAD_TRANSACTIONS=1 PATH=/usr/bin:/bin:/usr/sbin:/sbin XPC_FLAGS=19 LOGNAME=_securityagent USER=_securityagent HOME=/var/db/securityagent SHELL=/usr/bin/false TMPDIR=/var/folders/zz/zyxvpxvq6csfxvn_n00000bh00002w/T/
```

But unfortunately, its helper XPC service doesn't get them:

```
sudo ps eww 3195
  PID   TT  STAT      TIME COMMAND
 3195   ??  Ss     0:00.53 /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/XPCServices/SecurityAgentHelper.xpc/Contents/MacOS/SecurityAgentHelper XPC_SERVICE_NAME=com.apple.SecurityAgentHelper PATH=/usr/bin:/bin:/usr/sbin:/sbin HOME=/var/db/securityagent TMPDIR=/var/folders/zz/zyxvpxvq6csfxvn_n00000bh00002w/T/ XPC_FLAGS=19 LOGNAME=_securityagent USER=_securityagent SHELL=/usr/bin/false
```

Any idea how to set it in the helper too, even if it's an XPC service and not an agent, since they are both run by launchd:

```
   92  3194     1   0 11:42AM ??         0:00.19 /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
   92  3195     1   0 11:42AM ??         0:00.53 /System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/XPCServices/SecurityAgentHelper.xpc/Contents/MacOS/SecurityAgentHelper
```
Posted
by chapo81.
Post not yet marked as solved
1 Replies
832 Views
Hi,

I'm currently trying to build my project from the command line using Jenkins automation. However, although both methods are using the same code sign parameters, the UI based signing (from Xcode) succeeds, and when running from xcodebuild it fails for the reason below:

```
/usr/bin/codesign --force --sign my_cert_id --timestamp\=none /Users/bla/file.dylib
```

and the result is:

```
Warning: unable to build chain to self-signed root for signer "Apple Development: userBuilder (...)"
/Users/bla/file.dylib: errSecInternalComponent
```

But the same command runs successfully when being invoked from Xcode.

My questions are:

- Are the certificate + private key taken from the keychain in both cases?
- Are there environment variables that may exist only in the Xcode mode?

thanks
Posted
by chapo81.
Post marked as solved
1 Replies
1.2k Views
I'm running the following command, which is meant to decrypt an object of type CFDataRef using a key object of type SecKeyRef:

```
CFErrorRef cfErr = NULL;  // receives the failure reason when NULL is returned
CFDataRef encryptedCfData =
    SecKeyCreateDecryptedData(privateKeySecKey,
                              kSecKeyAlgorithmRSAEncryptionOAEPSHA256,
                              (__bridge CFDataRef)[NSData dataWithBytes:payloadBuff length:payloadLen],
                              &cfErr);
```

Unfortunately, in some scenarios it fails and I get the following errors:

```
Error Domain=NSOSStatusErrorDomain Code=-50 "RSAdecrypt wrong input (err -27)" (paramErr: error in user parameter list) UserInfo={NSDescription=RSAdecrypt wrong input (err -27)}
```

or this one:

```
Error Domain=NSOSStatusErrorDomain Code=-50 "rsa_priv_crypt failed, ccerr=-23" (paramErr: error in user parameter list) UserInfo {NSDescription=rsa_priv_crypt failed, ccerr=-23}
```

I'm trying to understand their meaning. The -50 indicates that one or more of the params are invalid. But what about the inner error codes (-23 and -27) and the meaning of their related strings ("error in user parameter list" and "RSAdecrypt wrong input")?

Perhaps someone has already encountered those error messages and can tell me their meaning?

Thanks for the help!
Posted
by chapo81.
Post not yet marked as solved
0 Replies
488 Views
For smartcard login, my certificate contains a UPN which is lowercase formatted (i.e. user123). However, in the DC it's capitalized (i.e. User123).

The login fails with the following log (taken from `log show`): `SmartCard - User is not paired with any smartcard`.

From the logs it seems that an attempt has been made to look up this name by opendirectoryd, but it has failed since the match policy is case sensitive (or, as the logs say, CaseExact). Here's the relevant message:

```
2020-12-24 12:40:44.901571+0200 0x1f237    Info    0x14742    85    0 opendirectoryd: [com.apple.opendirectoryd:session] ODQueryCreateWithNode request, NodeID: E4648A1C-B2E1-4329-B702-5CADC51B9235, RecordType(s): dsRecTypeStandard:Users, Attribute:dsAttrTypeNative:dn, MatchType: EqualTo, Equality: CaseExact, Value(s): <private>, RequestedAttributes: dsAttrTypeStandard:AuthenticationHint,dsAttrTypeNative:_guest,dsAttrTypeStandard:AuthenticationAuthority,dsAttrTypeStandard:AppleMetaNodeLocation,dsAttrTypeStandard:RecordType,dsAttrTypeStandard:GeneratedUID,dsAttrTypeStandard:PrimaryGroupID,dsAttrTypeStandard:RecordName,dsAttrTypeNative:original_authentication_authority, dsAttrTypeStandard:HomeDirectory,dsAttrTypeStandard:UniqueID,dsAttrTypeStandard:RealName,dsAttrTypeStandard:AppleMetaRecordName, dsAttrTypeNative:home_info,dsAttrTypeStandard:NFSHomeDirectory, Max Results: 1
```

Is the lookup deliberately made case sensitive? I presume that it simply takes the name from the certificate inside the smartcard, but is there an option to match with lowercase?

thanks
Posted
by chapo81.
Post not yet marked as solved
1 Replies
614 Views
Hi,

I'd like to load an xpcService for all active users in advance. Moreover, when a new user becomes active, I want a dedicated process for that user to be spawned automatically, and not wait for an xpc message.

Here's my plist under /Library/LaunchAgent/:

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>com.company.service</string>
        <key>RunAtLoad</key>
        <true/>
        <key>EnablePressuredExit</key>
        <false/>
        <key>POSIXSpawnType</key>
        <string>Adaptive</string>
        <key>ProgramArguments</key>
        <array>
        <string>/Applications/myApp.app/Contents/XPCServices/myXpcService.xpc/Contents/MacOS/myXpcService</string>
        </array>
        <key>MachServices</key>
        <dict>
                <key>com.company.service</key>
                <true/>
        </dict>
</dict>
</plist>
```

If I'm using `launchctl load` then launchd manages the processes for each user, which means that the process can be invoked only once an xpc client decides it's needed.

Is there any way to run those processes in advance for all current users, and for each additional user who becomes active?
Posted
by chapo81.
Post not yet marked as solved
1 Replies
496 Views
Hi,

in loginwindow, there's an option to modify the login flow by changing the mechanisms list for the authorizationRight system.login.console.

I was wondering if there's any option to modify the fileVault unlock mechanism to bypass the password and use a smartcard, for example, using the same technique mentioned above.

thanks!
Posted
by chapo81.
Post marked as solved
2 Replies
680 Views
Hi,

my computer is bound to a Windows LDAP server. The connection is configured to use a mobile account so I'd be able to log in while the LDAP is unreachable.

I'd like to extract the domain name for my user, which is represented by the field dsAttrTypeNative:DomainName, as shown in the following code:

```
NSError *err = nil;
ODNode *node = [ODNode nodeWithSession:[ODSession defaultSession] type:kODNodeTypeAuthentication error:&err];
NSArray *subnodeNames = [node subnodeNamesAndReturnError:&err];
for (NSString *subnodeName in subnodeNames) {
    ODNode *subnodeObject = [ODNode nodeWithSession:[ODSession defaultSession] name:subnodeName error:&err];
    id subnodeDetails = [subnodeObject nodeDetailsForKeys:nil error:&err];
    NSArray *domainName = subnodeDetails[@"dsAttrTypeNative:DomainName"];
}
```

When LDAP connectivity is online, I can see that this field appears in subnodeDetails and it's equal to the concatenation of 2 strings separated by a dot (i.e. MY-CORP.mycompanyname-dev.com).

But when it's offline, this field doesn't appear, even though I see that the LDAP user appears by running the following command: `id username`.

Is there any way to extract the domain name when LDAP is unconnected?

I could do something really patchy like running odrecord and appending the DC fields from dsAttrTypeStandard:AppleMetaRecordName, which includes the following data:

```
'dsAttrTypeStandard:AppleMetaRecordName': 'CN=John Smith,CN=Users,DC=my-corp,DC=mycorpname-dev,DC=com'
```

and this will result in: my-corp.mycorpname-dev.com

But perhaps there's an easier builtin alternative?
Posted
by chapo81.
Post not yet marked as solved
4 Replies
664 Views
My installer loads an XPC service and an XPC client that attempts to call a remote xpc method on that service. However, the service may be loaded arbitrarily and the client may get an invalid connection since the service hasn't loaded yet.

So far I haven't found any way to get a service-load indication, so I'm calling the retry method recursively from within the connection invalidationHandler.

Is this the correct approach? Is there any wait-for-service event I can wait for?

```
// Class method: the invalidation handler calls it again on ServiceDelegate.
+ (void)callXpcWithRetry {
    NSXPCConnection *hubConnection = [[NSXPCConnection alloc] initWithMachServiceName:@"com.bla.myservice" options:0];
    hubConnection.remoteObjectInterface = getInterface();
    [hubConnection setInvalidationHandler:^{
        NSLog(@"Connection to keystore hub service invalidated .. retry in 5");
        sleep(5);
        [ServiceDelegate callXpcWithRetry];
    }];

    [hubConnection resume];
    id<myXpcProtocol> hub = [hubConnection remoteObjectProxyWithErrorHandler:^(NSError * _Nonnull error) {
    }];

    [hub xpcProtocolMethodForUser:NSUserName()];
}
```
Posted
by chapo81.
Post not yet marked as solved
0 Replies
338 Views
I've inherited from NSStoryboardSegue in order to implement a custom transition between 2 VCs.

```
@interface MyReplaceSegue : NSStoryboardSegue
@end

@implementation MyReplaceSegue
- (void)perform {
    NSViewController *s = self.sourceController;
    NSViewController *d = self.destinationController;
    [s.view.window.contentViewController addChildViewController:d];

    [s.view.window.contentViewController transitionFromViewController:s toViewController:d options:NSViewControllerTransitionCrossfade completionHandler:^{
        [s removeFromParentViewController];
    }];
}
@end
```

It works most of the time. However, there's one transition which brings the method transitionFromViewController to the following assertion/exception:

```
2020-10-05 21:55:23.643066+0300 0x26141    Default    0x2b33a    5098    0    myProc: (Foundation) *** Assertion failure in -[NSViewController transitionFromViewController:toViewController:options:completionHandler:], /BuildRoot/Library/Caches/com.apple.xbs/Sources/AppKit/AppKit-0.109/Controllers/NSViewController.m:917
2020-10-05 21:55:23.645250+0300 0x26141    Error      0x0        5098    0    myProc: (AppKit) [com.apple.AppKit:General] We must be the parent of fromViewController
```

I'm not sure I understand the description "We must be the parent of fromViewController". I've set the dest viewController to be a child of the source viewController.

Perhaps somebody has encountered such an exception? I assume it relates to the nature of the source VC but I cannot figure out how.
Posted
by chapo81.
Post not yet marked as solved
0 Replies
405 Views
When defining a system proxy from systempreferences->network->proxies, it keeps the credentials in the login keychain, which is only good for the current user, and I'd like to have seamless access for all users.

I want my app to be able to send http messages through the proxy without providing credentials from my application, which can be run by many users.

My application uses NSURLSession and I set connectionProxyDictionary inside NSURLSessionConfiguration to be nil, so that the system proxy settings will be taken without re-inserting the credentials.

To do so, I intend to copy the proxy credentials (they are kept under the category of internet password) from the login keychain to the system keychain.

The first time it did work, but when I change the proxy credentials and want to copy the item again, I get a popup window with the following error:

An error has occurred. Unable to add an item to the current keychain. An invalid record was encountered.

I'm sure this record is not invalid because it was created by the proxy settings automatically. Perhaps somebody knows how to resolve this issue?
Posted
by chapo81.
Post marked as solved
1 Replies
1.9k Views
Hi,

I'm using NSURLSession for http communication, and I would like to bypass the global proxy configuration (under System Preferences -> network -> Proxies ..)

First, I configure the bypass setting (not sure if it's the proper way to do so):

```
NSDictionary *bypassProxyDict = @{ (NSString *)kCFStreamPropertyProxyLocalBypass : [NSNumber numberWithInt:1] };
configuration.connectionProxyDictionary = bypassProxyDict;
```

Then I initiate the session with the configuration above:

```
NSURLSession* session = [NSURLSession sessionWithConfiguration:configuration ...
```

Is this the proper way to configure `connectionProxyDictionary`?

thanks!
Posted
by chapo81.
Post not yet marked as solved
1 Replies
523 Views
Hello,

I'm maintaining some UI based authorizationPlugin, and during the loginwindow stage, if fileVault is on and the decryption password has yet to be provided, it seems that fileVault takes control of the authentication mechanisms and prevents them from showing up.

My questions are:

1. Is there any way to integrate my authenticationPlugin to appear after the fileVault window asking to provide the disk decryption password? If this is the list of mechanisms in the login window for Mojave, I wonder if there's any importance to the location of my mechanism in the following list?

```
<string>builtin:policy-banner</string>
<string>loginwindow:login</string>
<string>builtin:login-begin</string>
<string>builtin:reset-password,privileged</string>
<string>loginwindow:FDESupport,privileged</string>
<string>builtin:forward-login,privileged</string>
<string>builtin:auto-login,privileged</string>
<string>builtin:authenticate,privileged</string>
<string>PKINITMechanism:auth,privileged</string>
<string>builtin:login-success</string>
<string>loginwindow:success</string>
<string>HomeDirMechanism:login,privileged</string>
<string>HomeDirMechanism:status</string>
<string>MCXMechanism:login</string>
<string>CryptoTokenKit:login</string>
<string>loginwindow:done</string>
```

2. If it's not possible to integrate the fileVault decryption mechanism and another UI based mechanism, is there a way to get any notification from the engine callbacks (like reading a certain field in the context) that it was called after the fileVault decryption stage?

I'd be happy to know if there's any formal documentation on this matter as well.

thanks!
Posted
by chapo81.
Post marked as solved
3 Replies
1.6k Views
I'd like to add an additional listener to my XPC service in order to accept methods from an additional protocol.

```
@interface ServiceDelegate1 : NSObject <NSXPCListenerDelegate>
@end

@implementation ServiceDelegate1
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    ...
}
@end

@interface ServiceDelegate2 : NSObject <NSXPCListenerDelegate>
@end

@implementation ServiceDelegate2
- (BOOL)listener:(NSXPCListener *)listener shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    ...
}
@end
```

and in the main( ) function I use those delegators to create 2 listeners.

```
ServiceDelegate1 *delegate1 = [ServiceDelegate1 new];
ServiceDelegate2 *delegate2 = [ServiceDelegate2 new];

NSXPCListener *listener1 = [[NSXPCListener alloc] initWithMachServiceName:@"com.xpc.service1"];
listener1.delegate = delegate1;
[listener1 resume];

NSXPCListener *listener2 = [[NSXPCListener alloc] initWithMachServiceName:@"com.xpc.service2"];
listener2.delegate = delegate2;
[listener2 resume];
```

I also added the additional service to the xpc service plist invocation file (under /Library/LaunchDaemons):

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.xpc.service1</string>
    <key>RunAtLoad</key>
    <true/>
    <key>EnablePressuredExit</key>
    <false/>
    <key>POSIXSpawnType</key>
    <string>Adaptive</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Applications/myApp.app/Contents/XPCServices/myservice.xpc/Contents/MacOS/myservice</string>
    </array>
    <key>MachServices</key>
    <dict>
        <key>com.xpc.service1</key>
        <true/>
        <key>com.xpcƒ.service2</key>
        <true/>
    </dict>
</dict>
</plist>
```

However, it seems like after I add the second listener, I suddenly stop getting the serviceName in the method implemented by the 2 delegators.

Perhaps somebody can tell me if this is the right way to achieve my goal?

thanks!
Posted
by chapo81.