SMJobKit (SMJobBless) BadBundleCodeSigning


I’m trying to execute a privileged helper through SMJobBless with the help of the SMJobKit framework, but when I try to install the service, this error is thrown: Error Domain=SMJobKit.SMJError Code=4 "(null)"

And when I run the function checkForProblems, it throws [SMJobKit.SMJError.BadBundleCodeSigningDictionary]. In the source there is a comment by this line: "kSecCodeInfoPList was not a dictionary"

App is structured like Main App (sandboxed) -> XPC Service -> Privileged Helper

Code Signing is set to Mac Developer:…

and in plist I have…

Clients allowed to add and remove tool

anchor apple generic and identifier "*XPC SERVICE IDENTIFIER*" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = *DEVELOPER ID*)

Tools owned after installation

anchor apple generic and identifier "*HELPER IDENTIFIER*" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = *DEVELOPER ID*)

which is generated by the SMJobBless Python script.

As an example I'm using Even Better Authorization Sample, but without any luck yet.


There are 1 best solutions below


Privileged helper tools are not XPC Services. One of the defining characteristics of an XPC Service is that it is run in a sandbox with limited permissions; in contrast, a privileged helper tool runs as root. What's confusing is that the way you'll want to communicate with your helper tool is almost certainly by using XPC. Apple overloaded a bunch of terms here:

  • XPC is an interprocess communication technology
  • XPC Mach Services is a type of XPC communication that uses Mach ports and can be called by any process on the system
  • XPC Services are bundles which run in their own sandbox and must be communicated with using XPC; only the containing bundle can communicate
  • Privileged helper tools are executables (not bundles) installed by SMJobBless that don't need to have any communication mechanism, but if they want to have one they can make use of XPC Mach Services

You need to structure your app bundle as: example.app/Contents/Library/LaunchServices/<helper tool>

The EvenBetterAuthorizationSample structures the app bundle as I described. Unfortunately it's quite out of date these days and Apple hasn't put out a new Swift version. If you're looking for an updated sample, SwiftAuthorizationSample may be helpful.
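The layout rule from the answer can be checked before calling SMJobBless. The following is an added example, not code from the answer, SMJobKit or Apple's sample: it reads the app's SMPrivilegedExecutables dictionary (the "Tools owned after installation" entry) and verifies that each helper is a bare executable under Contents/Library/LaunchServices rather than an XPC Service bundle. The label com.example.helper and the sample bundles are constructed for the demonstration, and the check covers layout only, not the code signature itself.

```python
import plistlib
import tempfile
from pathlib import Path


def check_smjobbless_layout(app: Path) -> list[str]:
    """Return layout problems that keep SMJobBless from finding the helper."""
    contents = app / "Contents"
    try:
        with open(contents / "Info.plist", "rb") as fh:
            info = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException) as exc:
        return [f"cannot read app Info.plist: {exc}"]
    # "Tools owned after installation" is the SMPrivilegedExecutables key.
    helpers = info.get("SMPrivilegedExecutables")
    if not isinstance(helpers, dict) or not helpers:
        return ["SMPrivilegedExecutables missing or not a dictionary"]
    problems = []
    for label in helpers:
        tool = contents / "Library" / "LaunchServices" / label
        if tool.is_dir():
            problems.append(f"{label}: helper is a bundle, expected a bare executable")
        elif not tool.is_file():
            problems.append(f"{label}: no helper at {tool.relative_to(app)}")
        if (contents / "XPCServices" / f"{label}.xpc").exists():
            problems.append(f"{label}: packaged as an XPC Service, not a helper tool")
    return problems


def build_sample_app(root: Path, as_xpc_service: bool) -> Path:
    """Constructed sample bundle; the label is a hypothetical placeholder."""
    label = "com.example.helper"
    contents = root / "example.app" / "Contents"
    if as_xpc_service:
        (contents / "XPCServices" / f"{label}.xpc").mkdir(parents=True)
    else:
        tool = contents / "Library" / "LaunchServices" / label
        tool.parent.mkdir(parents=True)
        tool.write_bytes(b"")  # stand-in for the signed helper executable
    requirement = f'anchor apple generic and identifier "{label}"'
    with open(contents / "Info.plist", "wb") as fh:
        plistlib.dump({"SMPrivilegedExecutables": {label: requirement}}, fh)
    return contents.parent


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for as_xpc in (False, True):
            app = build_sample_app(Path(tmp) / str(as_xpc), as_xpc)
            print(as_xpc, check_smjobbless_layout(app))
```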