2 Replies
      Latest reply on Dec 5, 2019 9:30 AM by Yarn
      Yarn Level 1 (0 points)
        I need to figure out how to go about signing a package from a privileged helper. One of our products can create packages and can sign the packages. It's currently using AuthorizationExecuteWithPrivileges, which has been deprecated since 10.7, to obtain root access, and starting an external task to run the /usr/bin/productsign utility. We are changing it to use a privileged helper instead; however, I tried running the /usr/bin/productsign utility from the privileged helper, but since that prompts for credentials to access the keychain, it just hangs since the privileged helper doesn't seem to have access to the UI.
        Does anyone know of a way to sign a package using an API function instead of the productsign utility, or have any ideas how to prevent the productsign utility from prompting when run from the privileged helper, or know of a way that the privileged helper could allow the productsign utility to prompt the user for credentials?
        • Re: How can I sign a package from a privileged helper?
          eskimo Apple Staff (12,425 points)

          but since that prompts for credentials to access the keychain, it just hangs since the privileged helper doesn't seem to have access to the UI.

          I’m actually surprised it hangs rather than failing with an error but, yes, this is going to be problematic.

          Why are you using a privileged helper for this?  If this is a user credential, wouldn’t it be better to sign as that user?

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: How can I sign a package from a privileged helper?
              Yarn Level 1 (0 points)

              I'm sorry, I looked at my notes and you're correct, it did just fail with "CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION". I had thought the utility required root access to run, which is why we wanted to use the privileged helper, but it appears that is not the case. I'll make that adjustment and then we should be good to go. I should have tested my assumptions first!