erikberglund / SwiftPrivilegedHelper

Example application using a privileged helper tool with authentication in an unsandboxed application written in Swift
MIT License

Bless Error: Error Domain=CFErrorDomainLaunchd Code=4 "(null)" #5

Closed ghost closed 6 years ago

ghost commented 6 years ago

Hi Erik, this is really awesome that you help us to use it, thank you.

Now issue No. 1:

Helper: Bundle Version => 1.0.3
2018-03-25 19:13:11.077457+0530 MyApplication[2122:36235] Bless Error: Error Domain=CFErrorDomainLaunchd Code=4 "(null)"
2018-03-25 19:13:11.077690+0530 MyApplication[2122:36158] XPC Connection Invalidated

Issue No. 2:

SMJobBlessUtil.py: tool designated requirement (identifier "com.github.erikberglund.MyApplicationHelper" and anchor apple generic and certificate leaf[subject.CN] = "Mac Developer: ****** (827NYLK373)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */) doesn't match entry in 'SMPrivilegedExecutables' (anchor apple generic and identifier "com.github.erikberglund.MyApplicationHelper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = 827NYLK373 ))

I just changed the team ID, rest everything is intact.

Question: do I need to create an identifier at iTunes Connect?

Thanks

erikberglund commented 6 years ago

Hello.

Yes, issue no: 1 is because the signing isn't correct. Nothing will install or work until the SMJobBlessUtil.py tool returns with an ok.

Issue no: 2 is probably because you have used a "Mac Developer" certificate, where I used a "Developer ID Application" certificate.

The strings in the Info.plist inside the brackets are OIDs for certificates that define the options and settings that are required for the certificate to be valid. And as I have used a Developer ID Application-cert for this test project, I only included those OIDs.

If you want to use a Mac Developer-cert, you also need to update the OIDs to something like this:

In the application's Info.plist, for the field Tools owned after installation, replace the string there with the string below and replace Mac Developer: ********* (74QXZ7SQ7K) with your own certificate name and id like the one in your output above (but without the ** ofc):

identifier "com.github.erikberglund.MyApplicationHelper" and anchor apple generic and certificate leaf[subject.CN] = "Mac Developer: ********* (74QXZ7SQ7K)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */

In the MyApplicationHelper-Info.plist, for the field Clients allowed to add and remove tool, replace the string there with the string below and replace Y7QFC8672N with your own certificate id:

anchor apple generic and identifier "com.github.erikberglund.MyApplication" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = Y7QFC8672N)

erikberglund commented 6 years ago

Also to note, I just wrote and tested those strings now, but it might be wise to maybe add some more checks to the first string in the application Info.plist, to check for more things like the apple certs. I don't have time to test or check that now, but that might be a good idea for security.

ghost commented 6 years ago

Great, you are so quick. Actually I was using automatic managed signing, just removed it and did as you said,

It seems fine now.


I need to perform some sudo tasks, but in the example it just checks for a file with auth.

Thank you

erikberglund commented 6 years ago

Yes, the example is just hardcoded to the command /bin/ls and as it says in the label: List contents of folder at path: and expects a path to run ls on. So with that you can test to list contents of folders that only root has access to for example.

So to run another command, you need to update the helper. But remember, for the application to know that you have a new helper to install (with new code), you HAVE to update the helper's version in its Info.plist, otherwise it will never update.

ghost commented 6 years ago

So to run another command, you need to update the helper.

Found it, have to do lots of work here.

But remember, for the application to know that you have a new helper to install (with new code), you HAVE to update the helper's version in its Info.plist, otherwise it will never update.

Got it.

Question: do you know an Objective-C port of this or similar?

You are so great :) Thank you

erikberglund commented 6 years ago

Absolutely, all guides and examples online were (are?) for Objective-C, therefore I made this to help some friends.

Apple has this themselves that you can look at, or just google: https://developer.apple.com/library/content/samplecode/EvenBetterAuthorizationSample

ghost commented 6 years ago

Absolutely, all guides and examples online were (are?) for Objective-C, therefore I made this to help some friends.

Oops, it looks like I forgot. Actually, I found many projects but I always get stuck at the same situation with this; now I can use them too.

Thanks a lot

analyticd commented 5 years ago

I am able to build this app using my free self-signed Apple Mac Developer cert based on my apple id. However, I am not able to install the helper tool when providing my password. Does one have to have a paid Mac Developer or Developer ID cert to install the helper tool successfully? I get the same error reported here and followed, as best I could I thought, the suggested remedies for @insanelydeepak above, but to no avail. The codesign cli indicates it is signed ok. Again, it just won't install. I haven't yet paid for a Mac Developer or Developer ID cert as I was hoping to just try some things out first before committing. Thanks for your helpful content @erikberglund , really appreciated!

ghost commented 5 years ago

@analyticd first, don't use the auto-sign option; second, read the README carefully, you must use SMJobBlessUtil.py to check where the issue is.

erikberglund commented 5 years ago

The long string you have to edit that looks like this: anchor apple generic and identifier "com.github.erikberglund.MyApplication" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = Y7QFC8672N) contains a requirement for a specific certificate type. This one is for a Mac Developer Apple certificate that must be signed by the Apple intermediate developer cert.

If you use the SMJobBlessUtil.py on your built app, that will actually print the string it expects, and you can just copy that and put it in the correct place to have it be happy. Or, if it gives you any other error those have to be solved first.
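As an added diagnostic that is not part of the SwiftPrivilegedHelper project, the Python script below parses the two requirement strings that SMJobBlessUtil.py prints in its "tool designated requirement (...) doesn't match entry in 'SMPrivilegedExecutables' (...)" error and reports which attributes differ: bundle identifier, `anchor apple generic`, Team ID (taken from `subject.OU` or from the parenthesised suffix of the leaf CN) and the certificate field OIDs each side mentions. It goes slightly beyond the thread by also flagging an identifier that is still an unexpanded build variable such as `$(PRODUCT_BUNDLE_IDENTIFIER)`. The sample strings, the `com.example` identifiers, the certificate name and the `TEAMID000x` values are constructed placeholders; the OID names come from Apple's published marker OIDs.

```python
import re

# Apple's published marker OIDs that appear in code signing requirements
OID_NAMES = {
    "1.2.840.113635.100.6.2.1": "Apple WWDR intermediate CA",
    "1.2.840.113635.100.6.2.6": "Developer ID Certification Authority",
    "1.2.840.113635.100.6.1.9": "Mac App Store application (leaf)",
    "1.2.840.113635.100.6.1.13": "Developer ID Application (leaf)",
}

# Constructed sample: designated requirement codesign derives from a helper
# signed with a "Mac Developer" certificate (placeholder name and Team ID)
DESIGNATED = ('identifier "com.example.MyApplicationHelper" and anchor apple generic '
              'and certificate leaf[subject.CN] = "Mac Developer: Jane Doe (TEAMID0001)" '
              'and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */')

# Constructed sample: SMPrivilegedExecutables entry left at the project's
# Developer ID style requirement, with a different (placeholder) Team ID
PLIST_ENTRY = ('anchor apple generic and identifier "com.example.MyApplicationHelper" and '
               '(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or '
               'certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and '
               'certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and '
               'certificate leaf[subject.OU] = TEAMID0002)')


def parse_requirement(req: str) -> dict:
    """Extract the attributes SMJobBless effectively compares."""
    info = {
        "identifier": None,
        "anchor_apple_generic": "anchor apple generic" in req,
        "leaf_cn": None,
        "team_id": None,
        "oids": set(),
    }
    m = re.search(r'identifier\s+"([^"]+)"', req)
    if m:
        info["identifier"] = m.group(1)
    m = re.search(r'certificate leaf\[subject\.CN\]\s*=\s*"([^"]+)"', req)
    if m:
        info["leaf_cn"] = m.group(1)
        # Apple puts the Team ID in parentheses at the end of the CN
        t = re.search(r'\(([A-Z0-9]{10})\)\s*$', info["leaf_cn"])
        if t:
            info["team_id"] = t.group(1)
    m = re.search(r'certificate leaf\[subject\.OU\]\s*=\s*"?([A-Z0-9]{10})"?', req)
    if m:
        info["team_id"] = m.group(1)
    for cert, oid in re.findall(r'certificate (leaf|\d+)\[field\.([\d.]+)\]', req):
        info["oids"].add((cert, oid))
    return info


def describe_oids(oids) -> list:
    """Render (certificate position, OID) pairs with their documented meaning."""
    return sorted(f"certificate {cert}[field.{oid}] ({OID_NAMES.get(oid, 'unknown OID')})"
                  for cert, oid in oids)


def diff_requirements(designated: str, entry: str) -> list:
    """Return human-readable mismatches; an empty list means the attributes
    this script checks agree."""
    d, e = parse_requirement(designated), parse_requirement(entry)
    problems = []
    if d["identifier"] != e["identifier"]:
        problems.append(f"identifier differs: tool={d['identifier']!r} plist={e['identifier']!r}")
    if d["identifier"] and d["identifier"].startswith("$("):
        problems.append("tool identifier is an unexpanded build variable; "
                        "set CFBundleIdentifier explicitly in the helper's Info.plist")
    if d["anchor_apple_generic"] != e["anchor_apple_generic"]:
        problems.append("only one side requires 'anchor apple generic'")
    if d["team_id"] != e["team_id"]:
        problems.append(f"Team ID differs: tool={d['team_id']!r} plist={e['team_id']!r}")
    # The plist entry may contain 'or' branches, so a missing OID is a hint,
    # not proof: the tool's chain must satisfy at least one whole branch.
    missing = e["oids"] - d["oids"]
    if missing:
        problems.append("plist requires certificate fields the tool's chain does not show: "
                        + "; ".join(describe_oids(missing)))
    return problems


if __name__ == "__main__":
    for line in diff_requirements(DESIGNATED, PLIST_ENTRY) or ["requirements agree"]:
        print(line)
```

Paste the two strings from your own SMJobBlessUtil.py output in place of the constructed samples; the `or` branches in the Developer ID style entry are why the OID check is reported as a hint rather than a hard failure.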

erikberglund commented 5 years ago

And as a note, I will rewrite this tool completely today to update it to modern Swift and make it A LOT simpler and it will use automatic signing, so if you can wait a day or two, I will update this repo with a much better example.

ghost commented 5 years ago

@erikberglund awesome thanks once again

analyticd commented 5 years ago

Wow, thanks @erikberglund , very kind of you

erikberglund commented 5 years ago

@analyticd @insanelydeepak Sorry for the delay, but now it's updated with some improvements.

First, the signing is automated, so you should not have to update the code requirements with your own signing information.

I also added some mitigations for a common attack vector where the helper does not validate that the calling application's code signature matches the helper.

So, please try the newer version and open a new issue for any issues you run into.

ghost commented 5 years ago

So, please try the newer version and open a new issue for any issues you run into.

Sure.

Thank you

abstertee commented 5 years ago

@erikberglund Keep getting this error when tying in the helper to a different app: Delete: Entry, "SMPrivilegedExecutables", Does Not Exist Command PhaseScriptExecution failed with a nonzero exit code

I know it's got to be something simple, but not sure what is failing. This happens when I am trying to build the app to test.

erikberglund commented 5 years ago

Ah yes, this is from my script to make the certificate requirements easier, but it looks like it errors if the expected key in the Info.plist doesn't already exist. I should fix that in the script, but the script is also more of an easier-to-use thing for trying this out, and you might want to always use the same cert when developing for production. The script will work with that too, but if an error occurs it might be good to know what it's doing.

But to fix this you have to add the missing key to the Info.plist, I think in the app Info.plist.

Also you should download the Apple example project that has some descriptions on how it all should be set up, but it's not entirely clear, which is why I made this :) but if you need to learn more that could be good.
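As an added example that is not part of the SwiftPrivilegedHelper project, the script below checks an app and helper Info.plist (already loaded with `plistlib`) for the two SMJobBless keys and adds them with the correct shape when they are absent: `SMPrivilegedExecutables` is a dictionary keyed by the helper's label, `SMAuthorizedClients` is an array of requirement strings. Running it before a PlistBuddy-based build phase avoids the "Entry ... Does Not Exist" failure on a fresh plist. The identifiers, certificate name and Team ID are constructed placeholders; the file paths in the `__main__` block are assumptions for illustration.

```python
import plistlib
import sys

# Constructed placeholders; real values come from your own project and signing identity
APP_ID = "com.example.MyApplication"
HELPER_ID = "com.example.MyApplicationHelper"

# Requirement the app places on the helper it installs (SMPrivilegedExecutables value)
HELPER_REQUIREMENT = ('identifier "com.example.MyApplicationHelper" and anchor apple generic '
                      'and certificate leaf[subject.CN] = "Mac Developer: Jane Doe (TEAMID0001)" '
                      'and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */')

# Requirement the helper places on apps allowed to install or remove it (SMAuthorizedClients item)
APP_REQUIREMENT = ('identifier "com.example.MyApplication" and anchor apple generic '
                   'and certificate leaf[subject.CN] = "Mac Developer: Jane Doe (TEAMID0001)" '
                   'and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */')


def missing_keys(app: dict, helper: dict) -> list:
    """Names of the SMJobBless keys that are absent or of the wrong type."""
    missing = []
    if not isinstance(app.get("SMPrivilegedExecutables"), dict):
        missing.append("SMPrivilegedExecutables")
    if not isinstance(helper.get("SMAuthorizedClients"), list):
        missing.append("SMAuthorizedClients")
    return missing


def ensure_smjobbless_keys(app: dict, helper: dict) -> tuple:
    """Add the two keys (and this project's entries) if absent; existing entries
    for the same helper label or requirement string are left untouched."""
    if not isinstance(app.get("SMPrivilegedExecutables"), dict):
        app["SMPrivilegedExecutables"] = {}
    app["SMPrivilegedExecutables"].setdefault(HELPER_ID, HELPER_REQUIREMENT)
    if not isinstance(helper.get("SMAuthorizedClients"), list):
        helper["SMAuthorizedClients"] = []
    if APP_REQUIREMENT not in helper["SMAuthorizedClients"]:
        helper["SMAuthorizedClients"].append(APP_REQUIREMENT)
    return app, helper


if __name__ == "__main__":
    # Assumed paths for illustration: python3 script.py App/Info.plist Helper/Info.plist
    app_path, helper_path = sys.argv[1], sys.argv[2]
    with open(app_path, "rb") as f:
        app_dict = plistlib.load(f)
    with open(helper_path, "rb") as f:
        helper_dict = plistlib.load(f)
    gaps = missing_keys(app_dict, helper_dict)
    if gaps:
        ensure_smjobbless_keys(app_dict, helper_dict)
        with open(app_path, "wb") as f:
            plistlib.dump(app_dict, f)
        with open(helper_path, "wb") as f:
            plistlib.dump(helper_dict, f)
        print("added:", ", ".join(gaps))
    else:
        print("both SMJobBless keys present")
```

The helper label used as the dictionary key must equal the helper's CFBundleIdentifier as a literal string, since the thread shows build variables like `$(PRODUCT_BUNDLE_IDENTIFIER)` are not expanded in the helper's plist.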

jariz commented 5 years ago

@erikberglund I got it to build, but once running it keeps giving the error in the title. I changed the bundle identifiers everywhere, have a valid cert, changed the certs for both projects etc. SMBlessUtil says SMJobBlessUtil.py: tool designated requirement (identifier "$(PRODUCT_BUNDLE_IDENTIFIER)" and anchor apple generic and certificate leaf[subject.CN] = "Mac Developer: Jari Zwarts (GZXL2VN3E9)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */) doesn't match entry in 'SMPrivilegedExecutables' (anchor apple generic and identifier "io.jari.AkkuHelper" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JHKDY4UQ72))

I can't really resolve where it got JHKDY4UQ72 from (it's not in SMPrivilegedExecutables in the Info.plist), or what I'm doing wrong. The project worked fine earlier when I only changed the certs, but now that I changed the bundle IDs it starts acting up. I checked all bundle IDs everywhere, and they've all been changed.
Kind of running out of options. Any ideas?

erikberglund commented 5 years ago

@jariz Did you follow the steps in the project README here: https://github.com/erikberglund/SwiftPrivilegedHelper#note-changing-bundleidentifier to also change the bundle identifier in the included script?

That script is only included to help people test this without having to change anything other than the signing certs. If you change the bundle identifiers the script has to be updated as well. The script steps could be removed from the build phases and the values set manually in the info plists.

jariz commented 5 years ago

@erikberglund I did. Did an entire search of the old bundle IDs and there wasn't a single string left in the project pointing to them. I just ran ./SMJobBlessUtil.py setreq and now it works, maybe make it part of the README? (or I did something wrong, but I can't seem to pinpoint what exactly)

Thanks regardless, for answering my dumb questions :)

erikberglund commented 5 years ago

The error message you got said that it had set "$(PRODUCT_BUNDLE_IDENTIFIER)" as the bundle identifier for the helper, and that should not be possible if you did not create a new info plist for the helper, or changed that manually.

I have also found that this variable works normally to get the bundle identifier, but in the helper it's not expanded to the correct value, so one has to set that string explicitly.

If you used Xcode to change the bundle identifiers it might have been "smart" and done that for you and that could also have made it not work.

When I tested only changing the bundle identifier for the project and in the script it has worked as expected, so I have not been able to reproduce this.

I should probably add a message that the script is only to make things easier to test as automatic signing is enabled.

Thanks for your report