Grant Erickson wrote:

On 10/9/09 7:00 AM, launchd-dev-request@lists.macosforge.org wrote:

...

I have a script which I can successfully schedule using on OSX Leopard as follows :-

launchctl load -w -S Aqua com.floehopper.script Apparently I need the Aqua session type because the script accesses the keychain using the SecKeychainFindGenericPassword function. If I don't set the session type to Aqua, I get a errSecInteractionNotAllowed "Interaction with the Security Server is not allowed" error (-25308).

However, I also want to schedule the script on OSX Tiger, but the session type -S option is not available for launchctl.

I've tried calling the SecKeychainSetUserInteractionAllowed function with the state parameter set to false, but then I end up with a errSecAuthFailed "Authorization/Authentication failed" error (-25293).

Does anyone have any ideas how I might get this working on OSX Tiger?

James:

I'd recommend you read:

http://developer.apple.com/mac/library/technotes/tn2005/tn2083.html

LaunchAgents are, unfortunately, DOA (dead on arrival) in Tiger.

Hi Grant, Thanks for your reply. I've read the Apple technical note, but I'm a little confused. I want to use my Launch Agent as a scheduled task, not as something that happens at login. Also I only want to support systems where a single user is logging in via the GUI and not via ssh. The warning below seems to imply that I should not have any problems. Or am I missing something?

WARNING: Prior to Mac OS X 10.5, launchd agents were not particularly useful because there was no way for the agent to specify the type of login session that the agent required (r. 4255854) . Thus, you couldn't use a launchd agent as the equivalent of a global login item because it might be launched in the context of non-GUI login session. Mac OS X 10.5 has addressed this limitation, as described below. However, if you have to support older systems, you should investigate some of the alternative technologies described in Deprecated Daemonomicon.

Also even in Leopard, I found I needed to set the session type to Aqua, whereas the technical note implies that the session type should default to Aqua.

To run your agent in a particular session type, use the session type strings from Table 1 as the value of the LimitLoadToSessionType property in your agent's property list file. If you want to run in more than one session type, you can set LimitLoadToSessionType to an array, where each element is a session type string. If you don't specify the LimitLoadToSessionType property, launchd assumes a value of Aqua.

I have to admit I don't really understand why I need to set the session type to Aqua to access the keychain programmatically in the first place! Regards, James.