How can I sign a package from a privileged helper?

I need to figure out how to go about signing a package from a privileged helper. One of our products can create packages and can sign the packages. It's currently using AuthorizationExecuteWithPrivileges, which has been deprecated since 10.7, to obtain root access and starting an external task to run the /usr/bin/productsign utility. We are changing it to use a privileged helper instead; however, when I tried running the /usr/bin/productsign utility from the privileged helper, it just hangs, since it prompts for credentials to access the keychain and the privileged helper doesn't seem to have access to the UI.
Does anyone know of a way to sign a package using an API function instead of the productsign utility, or have any ideas how to prevent the productsign utility from prompting when run from the privileged helper, or know of a way that the privileged helper could allow the productsign utility to prompt the user for credentials?

Replies

but since that prompts for credentials to access the keychain, it just hangs since the privileged helper doesn't seem to have access to the UI.

I’m actually surprised it hangs rather than failing with an error but, yes, this is going to be problematic.

Why are you using a privileged helper for this? If this is a user credential, wouldn’t it be better to sign as that user?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I'm sorry, I looked at my notes and you're correct, it did just fail with "CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION". I had thought the utility required root access to run, which is why we wanted to use the privileged helper, but it appears that is not the case. I'll make that adjustment and then we should be good to go. I should have tested my assumptions first!
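The thread's conclusion, that productsign must run in the logged-in user's session rather than from a root helper, put into a small script. This is an added example, not code from either poster; the signing identity name is a placeholder, and it assumes the identity lives in the user's login keychain.

```sh
#!/bin/sh
# Sign a flat package with productsign from the user's own session and verify
# the result. A root context (privileged helper) cannot show the keychain
# prompt, which is what produces CSSMERR_CSP_NO_USER_INTERACTION.

# Returns 0 when the effective uid ($1) is a regular user, 1 when it is root,
# so the caller gets a clear error instead of the CSSM exception.
check_signing_context() {
    uid="$1"
    if [ "$uid" -eq 0 ]; then
        echo "refusing to sign as root: keychain cannot prompt for credentials" >&2
        return 1
    fi
    return 0
}

# Sign $1 into $2 with identity $3 (e.g. "Developer ID Installer: ...").
# Returns 0 on success, 1 for a root context, 2 if productsign is absent,
# 3 if productsign itself failed, otherwise pkgutil's exit status.
sign_pkg() {
    in_pkg="$1"; out_pkg="$2"; identity="$3"
    check_signing_context "$(id -u)" || return 1
    command -v productsign >/dev/null 2>&1 || { echo "productsign not found" >&2; return 2; }
    productsign --sign "$identity" "$in_pkg" "$out_pkg" || return 3
    # Verify the signature chain on the produced package.
    pkgutil --check-signature "$out_pkg"
}

# Usage (placeholder identity, constructed paths):
# sign_pkg Unsigned.pkg Signed.pkg "Developer ID Installer: PLACEHOLDER"
```

Run it from the user's GUI session (for example via a LaunchAgent or the app itself), not from the privileged helper.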