Here is (I think) my mystery: I have a Cocoa app that passes signing validation when the user is 501, but fails when it's 502.
I have a situation where a password (for an encrypted archive) is stored on the keychain. There are three agents that retrieve this password:
1) The main client GUI Cocoa app
2) An LSUIElement monitoring Cocoa app (an embedded resource inside the GUI app bundle and started by launchd as a user agent)
3) A privileged helper
When the application is installed by user 501, everything works as it should:
a) The password keychain item is created and stored on the keychain by the GUI app. The item has the above three executables set to allow access.
b) The GUI app can retrieve the password from the keychain.
c) The user agent monitoring app can retrieve the password from the keychain.
Yesterday I had a user contact me that the keychain item wasn't working (sometimes), and I narrowed it down to the monitor (LSUIElement user agent) app; even though it's listed in the apps that should have access to the keychain item, every attempt to read the item returns errSecAuthFailed.
Debugging the problem, I found messages like this in the system.log:
Initially, I thought this was because the user's home folder was located on an external drive, but experimentation now indicates that it's because the account has a different UID.
Basically, if the UID is 501, the monitor app can read the keychain item. If it's not 501, the attempt fails, and this appears to be because the system believes the monitor app isn't signed properly. If I edit the keychain item to allow access from all apps, everything works the way it should.
In contradiction to that, the GUI app can store and retrieve the keychain item regardless of what UID it's being run as.
The entire app bundle, and all embedded executables, are signed with my developer certificate. RB App Checker Lite gives the bundle a clean bill of health.
I don't understand why the security framework doesn't think this app is signed properly for user 502, but thinks it is signed properly for user 501.
Footnote: during my testing, I also made local copies of the app, so I've also tested this with a copy of the app owned by user 502, and user 502 still can't verify the signature of the embedded monitor app.
Feet planted firmly in mid-air...
I have a large project I'm trying to bring up to date with Xcode 7.
The main deliverable app (direct distribution, this is not for the App Store) has a large number of embedded resources, including background (faceless) Cocoa apps, helper tools, a Finder service, spotlight plugin, and embedded frameworks.
I had previously been not signing any of the sub-components as they were built, and was using the --deep option on the enclosing app to sign everything inside the bundle with the same signature.
I've been reading about this and I get the feeling that this method is not recommended, so I rejiggered the project to sign each individual target (adding some build phase scripts to sign the binary frameworks). But now I can't get past the following error:
Either my embedded app is signed (and I get this error) or it isn't signed and I get an error that it has to be signed.
I've pored over TN2206, but it only briefly mentions identifier prefixes, and only in the context of an App Store app. I can find no mention of this problem in the troubleshooting section, or even a discussion of the identifier requirements for embedded app bundles when signing with a Developer ID.
So has anyone run into this, and is there an easy fix? Or should I just go back to using --deep?
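Both posts above come down to how the system evaluates nested code: the keychain ACL in the first post is checked against the embedded monitor app's own signature and designated requirement, and the second post is about replacing `--deep` with per-item signing. The script below is an added example, not code from the original posts or from the QRecall project: it signs a Developer ID app the way TN2206 describes, nested code first and the enclosing bundle last, and then inspects what the keychain and Gatekeeper will actually check. The bundle layout (Frameworks, PlugIns, XPCServices, Library/LoginItems, Helpers), the `CODESIGN` override for dry runs, and the identity string are assumptions.

```shell
#!/bin/sh
# Added example (not from the original posts or the project). Signs a
# Developer ID app "inside out": nested code first, enclosing app last,
# no --deep. Set CODESIGN=echo for a dry run that only prints the commands.
# Bundle layout, function names and the identity string are assumptions.

# Sign one nested code item (framework, helper tool, plug-in, XPC service).
sign_item() {
    "${CODESIGN:-codesign}" --force --timestamp --sign "$2" "$1"
}

# Sign nested code before the bundle that contains it. Embedded .app
# bundles (e.g. an LSUIElement agent in Library/LoginItems) are handled
# recursively, in a subshell so the outer loop's variables are not clobbered.
sign_bundle_inside_out() {
    app="$1"; identity="$2"
    for dir in Frameworks PlugIns XPCServices Library/LoginItems Helpers; do
        sub="$app/Contents/$dir"
        [ -d "$sub" ] || continue
        for item in "$sub"/*; do
            [ -e "$item" ] || continue
            case "$item" in
                *.app) ( sign_bundle_inside_out "$item" "$identity" ) ;;
                *)     sign_item "$item" "$identity" ;;
            esac
        done
    done
    # Enclosing bundle last. Contents/MacOS/<executable> is covered by this
    # signature; everything nested is already signed, so no --deep is needed.
    "${CODESIGN:-codesign}" --force --timestamp --sign "$identity" "$app"
}

# Show what a keychain ACL entry and Gatekeeper evaluate for a piece of
# code: strict validity of the signature, then the identifier and the
# designated requirement (-r-), which is what the ACL matches against.
inspect_item() {
    "${CODESIGN:-codesign}" --verify --strict --verbose=2 "$1" || return 1
    "${CODESIGN:-codesign}" -d -r- "$1"
}

# Usage: sh sign-inside-out.sh /path/To.app "Developer ID Application: Name (TEAMID)"
if [ $# -eq 2 ]; then
    sign_bundle_inside_out "$1" "$2" && inspect_item "$1"
fi
```

Running `inspect_item` on the embedded monitor app itself (not only on the outer bundle) is the check that matters for the first post, because the keychain ACL stores the monitor's designated requirement, so a nested item whose signature or identifier differs from what the ACL recorded will fail even when the outer bundle verifies cleanly.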