5 Replies
      Latest reply on Jun 4, 2018 8:21 AM by eskimo
      jin.jinru Level 1 (0 points)

        I'm going to implement an XPC service with the following security functions using C.

        • XPC client should be signed by my Apple certificate
        • XPC client should have a specific bundle identifier (i.e. com.example.app)

        How can I implement those specific functions? Is there any API to implement them?

        • Re: Allow specific application on XPC service side on macOS
          eskimo Apple Staff (9,090 points)

          You should read this post, which has a detailed explanation of how to approach this issue.

          Note: That post assumes you’re using NSXPCConnection, which is something I recommend in general. If you use the low-level XPC API, you’ll have to map from high-level constructs to low-level constructs. For example, the processIdentifier property maps to the xpc_connection_get_pid function. If you have any questions about that mapping, let me know.

          Finally, you wrote:

          XPC client should have specific bundle identifier

          It’s best to avoid the bundle identifier here and look at the code signing identifier or, better yet, test a code signing requirement that includes the identifier. The code signing identifier is the canonical way to identify code. Normally it’s aligned with the bundle identifier but that’s not guaranteed.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

          WWDC runs Mon, 4 Jun through to Fri, 8 Jun.  During that time all of DTS will be at the conference, helping folks out face-to-face.

          1 of 1 people found this helpful
            • Re: Allow specific application on XPC service side on macOS
              jin.jinru Level 1 (0 points)

              Hello, @eskimo,

              Is it possible to get code signing identifier using C?

                • Re: Allow specific application on XPC service side on macOS
                  eskimo Apple Staff (9,090 points)

                  Is it possible to get code signing identifier using C?

                  Yes.  You’ll find the code signing API in the Security framework, which is a C framework.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

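The check described in the two replies above (look up the peer with xpc_connection_get_pid, then test a code signing requirement through the Security framework), written out in C as an added example; it is not code from the thread or from Apple. The function names `build_requirement` and `peer_is_allowed`, the requirement text, and the use of a Team ID to pin "my Apple certificate" are assumptions made here.

```c
#include <ctype.h>
#include <stdio.h>
#ifdef __APPLE__
#include <Security/Security.h>
#include <xpc/xpc.h>
#endif

/* Allow only [A-Za-z0-9.-] so a value cannot close the quoted string early. */
static int is_plain_token(const char *s) {
    if (s == NULL || *s == '\0') return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '-') return 0;
    return 1;
}

/* Requirement text: Apple-issued chain + signing identifier + Team ID (assumed
   to be how "my Apple certificate" is pinned). Returns 0, or -1 on bad input. */
int build_requirement(char *out, size_t cap, const char *signing_id, const char *team_id) {
    if (!out || !is_plain_token(signing_id) || !is_plain_token(team_id)) return -1;
    int n = snprintf(out, cap, "anchor apple generic and identifier \"%s\" "
                     "and certificate leaf[subject.OU] = \"%s\"", signing_id, team_id);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

#ifdef __APPLE__
/* Returns 1 only when the connecting process satisfies the requirement; any
   failure denies. A pid can be reused, so check when the connection is accepted. */
int peer_is_allowed(xpc_connection_t peer, const char *requirement_text) {
    if (requirement_text == NULL) return 0;
    int allowed = 0, pid = (int)xpc_connection_get_pid(peer);
    SecCodeRef code = NULL; SecRequirementRef req = NULL;
    CFNumberRef num = CFNumberCreate(NULL, kCFNumberIntType, &pid);
    CFStringRef text = CFStringCreateWithCString(NULL, requirement_text, kCFStringEncodingUTF8);
    const void *keys[] = { kSecGuestAttributePid }, *vals[] = { num };
    CFDictionaryRef attrs = (num == NULL) ? NULL : CFDictionaryCreate(NULL, keys, vals, 1,
        &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    if (attrs && text
        && SecCodeCopyGuestWithAttributes(NULL, attrs, kSecCSDefaultFlags, &code) == errSecSuccess
        && SecRequirementCreateWithString(text, kSecCSDefaultFlags, &req) == errSecSuccess
        && SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess)
        allowed = 1;
    if (req) CFRelease(req);
    if (code) CFRelease(code);
    if (attrs) CFRelease(attrs);
    if (text) CFRelease(text);
    if (num) CFRelease(num);
    return allowed;
}
#endif
```

In the listener's event handler, build the requirement once, call `peer_is_allowed` on each new peer connection, and call `xpc_connection_cancel` on any peer that fails before installing its message handler.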

                    • Re: Allow specific application on XPC service side on macOS
                      jin.jinru Level 1 (0 points)

                      Hello, @Eskimo,

                      I'm going to integrate my backend library and XPC service.

                      So, when starting the main program, it will initialize my backend library, create the XPC service and call library functions by commands from the UI side (i.e. XPC client).

                      The XPC service program is running in launchd daemon mode.

                      However, when I'm going to unload this daemon using the command `launchctl unload`, how can I finalize my library module?

                      For example:

                      #include <dispatch/dispatch.h>

                      int main()
                      {
                            // init my library
                            myLibrary->init();

                            // init XPC service
                            myXPCservice->init();

                            // hand the main thread to libdispatch; this call never returns
                            dispatch_main();
                      }

                      I didn't find where I need to add myLibrary->Finalize().

                      Thanks!

                        • Re: Allow specific application on XPC service side on macOS
                          eskimo Apple Staff (9,090 points)

                          I recommend you start a new thread for this question; it’s very different from your original access control question.

                          Moreover, the fact that this is no longer about access control means that putting your new thread in Core OS > Processes would be best.

                          Share and Enjoy

                          Quinn “The Eskimo!”
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"
