[launchd-dev] SMJobBless & secure launched helper tool

Eric Gorr mailist at ericgorr.net
Mon Oct 3 15:27:22 PDT 2011


> On Oct 3, 2011, at 12:22 PM, Quinn The Eskimo! wrote:
> 
>> In general I recommend that you avoid trying to check whether your helper tool is installed correctly by looking at the file system.  Rather, do an IPC to the tool and, if it works, you know that everything is hunky dory.  If you're concerned about version numbers, have an IPC request to ask the helper tool for its version.  If that fails, or returns a low version, you then know that you need to go through the installation process.
>> 
>> Look at how I handle this in BetterAuthorizationSample.  While it doesn't use SMJobBless (one day, one day...), the basic strategy is correct IMO.
>> 
>> <http://developer.apple.com/library/mac/samplecode/BetterAuthorizationSample/>

I do have one other question about whether or not there may be another, good way to check the version number of the installed helper tool.

Would it not be possible to create a code signing requirement using SecRequirementCreateWithString and have the requirement string be something like:

     info [CFBundleVersion] > "3"

and then use one of the Sec*CodeCheckValidity functions to check the requirement.

The easiest one to use would seem to be SecStaticCodeCheckValidity. Of course, using this function would seem to require the following code be written as well:

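// Look up the installed job in the system launchd domain to find the helper's on-disk path.
NSDictionary*   installedHelperJobData  = (NSDictionary*)SMJobCopyDictionary( kSMDomainSystemLaunchd, (CFStringRef)@"com.apple.bsd.SMJobBlessHelper" );
NSString*       installedPath           = [[installedHelperJobData objectForKey:@"ProgramArguments"] objectAtIndex:0];
NSURL*          installedPathURL        = [NSURL fileURLWithPath:installedPath];
// Static code object for that file, to be passed to SecStaticCodeCheckValidity.
SecStaticCodeRef staticCodeRef          = NULL;
SecStaticCodeCreateWithPath( (CFURLRef)installedPathURL, kSecCSDefaultFlags, &staticCodeRef );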

What do you think about this solution? It certainly seems easier than doing an IPC to the tool when one is dealing with code that is signed…

I did write this code and it does seem to work…
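
The check proposed in the message above, carried through to the SecStaticCodeCheckValidity call, as an added example that is not part of the original post or of Apple's sample code. The function name InstalledHelperSatisfies is hypothetical; the job label and requirement string in the usage comment are the ones quoted in the message. It assumes ARC and linking against the Security and ServiceManagement frameworks.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <ServiceManagement/ServiceManagement.h>

// Hypothetical helper (added example): returns YES only if the helper that
// launchd has registered under `label` is validly signed on disk AND
// satisfies the code signing requirement in `requirementText`.
//
// Usage, with the values quoted in the message:
//   InstalledHelperSatisfies(@"com.apple.bsd.SMJobBlessHelper",
//                            @"info [CFBundleVersion] > \"3\"");
static BOOL InstalledHelperSatisfies(NSString *label, NSString *requirementText)
{
    // SMJobCopyDictionary returns NULL when no such job is registered;
    // CFBridgingRelease hands ownership of the copy to ARC.
    NSDictionary *job = CFBridgingRelease(
        SMJobCopyDictionary(kSMDomainSystemLaunchd, (__bridge CFStringRef)label));
    NSArray *args = job[@"ProgramArguments"];
    if (![args isKindOfClass:[NSArray class]] || args.count == 0) {
        return NO;  // not installed, or the job has no ProgramArguments
    }
    NSString *path = args[0];
    if (![path isKindOfClass:[NSString class]]) {
        return NO;
    }

    SecStaticCodeRef code = NULL;
    SecRequirementRef requirement = NULL;
    OSStatus status = SecStaticCodeCreateWithPath(
        (__bridge CFURLRef)[NSURL fileURLWithPath:path], kSecCSDefaultFlags, &code);
    if (status == errSecSuccess) {
        // Fails here if the requirement text does not parse.
        status = SecRequirementCreateWithString(
            (__bridge CFStringRef)requirementText, kSecCSDefaultFlags, &requirement);
    }
    if (status == errSecSuccess) {
        // Verifies the signature of the file on disk, then evaluates the
        // requirement; errSecCSReqFailed means signed but requirement not met.
        status = SecStaticCodeCheckValidity(code, kSecCSDefaultFlags, requirement);
    }
    if (status != errSecSuccess) {
        NSLog(@"helper check for %@ failed: OSStatus %d", label, (int)status);
    }
    if (requirement) CFRelease(requirement);
    if (code) CFRelease(code);
    return status == errSecSuccess;
}
```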








