setCodeSigningRequirement and Security Agent Plugins

I have a security agent plugin that uses NSXPCConnection to communicate with a launch daemon. This works well, but I want to make sure the launch daemon has not been compromised. I added code to call setCodeSigningRequirement in my module that handles the client side of the NSXPCConnection. However, when used in the security agent plugin, remoteObjectProxyWithErrorHandler reports an error NSCocoaErrorDomain Code=4102 "The code signature requirement failed." If I call my xpc module from a test application, I do not receive an error and everything works as expected. I have tried different code signing requirements. Even with just "anchor apple generic" I still get the error.

The console log shows two entries of interest:

com.apple.SecurityAgentHelper.arm64	default	09:13:29.677567-0500	SecurityAgentHelper-arm64	EOGSecurityServiceClient	biometricAuthorization remote proxy error: Error Domain=NSCocoaErrorDomain Code=4102 "The code signature requirement failed." UserInfo={NSDebugDescription=The code signature requirement failed.}
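For reference, the client-side pattern the question describes, as an added Swift example that is not the poster's code: the protocol, Mach service name, bundle identifier and team ID are placeholders, and the requirement string is the standard Developer ID designated-requirement form that `codesign -d -r-` prints for a Developer ID-signed binary. The page reports that this check fails inside a SecurityAgent plugin even for "anchor apple generic"; the pattern below is what works from a normal application.

```swift
import Foundation

// Hypothetical XPC interface vended by the launch daemon (not the poster's real protocol).
@objc protocol SecurityServiceProtocol {
    func biometricAuthorization(reply: @escaping (Bool, Error?) -> Void)
}

final class SecurityServiceClient {
    private let connection: NSXPCConnection

    // Standard Developer ID designated requirement, pinned to the daemon's bundle
    // identifier and signing team. `identifier` and `teamID` are placeholders;
    // take the real values from `codesign -d -r- /path/to/daemon`.
    static func daemonRequirement(identifier: String, teamID: String) -> String {
        return "anchor apple generic and identifier \"\(identifier)\" and "
            + "(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or "
            + "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
            + "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
            + "certificate leaf[subject.OU] = \"\(teamID)\")"
    }

    init(machServiceName: String, identifier: String, teamID: String) {
        // Daemons registered by launchd as root require the .privileged option.
        connection = NSXPCConnection(machServiceName: machServiceName, options: .privileged)
        connection.remoteObjectInterface = NSXPCInterface(with: SecurityServiceProtocol.self)
        // macOS 13+: libxpc evaluates this requirement against the peer before delivering
        // replies; a peer that does not satisfy it surfaces as NSCocoaErrorDomain code 4102.
        connection.setCodeSigningRequirement(Self.daemonRequirement(identifier: identifier, teamID: teamID))
        connection.resume()
    }

    func biometricAuthorization(completion: @escaping (Bool, Error?) -> Void) {
        let proxy = connection.remoteObjectProxyWithErrorHandler { error in
            let nsError = error as NSError
            // 4102 (NSXPCConnectionCodeSigningRequirementFailure): the daemon did not meet
            // the requirement. Treat it as "do not trust the peer", never as a transient retry.
            if nsError.domain == NSCocoaErrorDomain && nsError.code == 4102 {
                NSLog("daemon failed code signing requirement: %@", nsError.localizedDescription)
            }
            completion(false, error)
        } as? SecurityServiceProtocol
        proxy?.biometricAuthorization(reply: completion)
    }
}
```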
Answered by pnelson in 799958022

I have modified QAuthPlugins to verify the issue with SecStaticCodeCheckValidityWithErrors. I have filed a bug report FB14783775 "SecurityAgentPlugin can't verify NSXPCConnection using setCodeSigningRequirement."

More log details:

com.apple.securityd	debug	09:13:29.674468-0500	SecurityAgentHelper-arm64	staticCode	SecStaticCode network default: NO
com.apple.securityd	debug	09:13:29.674577-0500	SecurityAgentHelper-arm64	staticCode	SecStaticCode network blocked: YES
com.apple.securityd	debug	09:13:29.674621-0500	SecurityAgentHelper-arm64	staticCode	SecStaticCode network blocked: YES
com.apple.securityd	debug	09:13:29.674952-0500	SecurityAgentHelper-arm64	staticCode	SecStaticCode network blocked: YES
com.apple.securityd	debug	09:13:29.675103-0500	SecurityAgentHelper-arm64	xpc	no query dict to determine whether for system keychain: Error Domain=NSOSStatusErrorDomain Code=-50 "no object for key query" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=no object for key query}
com.apple.securityd	default	09:13:29.675178-0500	SecurityAgentHelper-arm64	SecCritical	Failed to talk to trustd after 4 attempts.
com.apple.securityd	debug	09:13:29.675329-0500	SecurityAgentHelper-arm64	xpc	no query dict to determine whether for system keychain: Error Domain=NSOSStatusErrorDomain Code=-50 "no object for key query" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=no object for key query}
com.apple.securityd	default	09:13:29.675394-0500	SecurityAgentHelper-arm64	SecCritical	Failed to talk to trustd after 4 attempts.
com.apple.securityd	default	09:13:29.675448-0500	SecurityAgentHelper-arm64	SecError	Trust evaluate failure:
com.apple.securityd	debug	09:13:29.675542-0500	SecurityAgentHelper-arm64	xpc	no query dict to determine whether for system keychain: Error Domain=NSOSStatusErrorDomain Code=-50 "no object for key query" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=no object for key query}
com.apple.securityd	default	09:13:29.675599-0500	SecurityAgentHelper-arm64	SecCritical	Failed to talk to trustd after 4 attempts.
com.apple.securityd	default	09:13:29.675859-0500	SecurityAgentHelper-arm64	security_exception	MacOS error: -2147409622
com.apple.securityd	debug	09:13:29.676340-0500	SecurityAgentHelper-arm64	security_exception	0   Security                            0x000000019ccd6108 Security::CommonError::LogBacktrace() + 124
com.apple.securityd	debug	09:13:29.676376-0500	SecurityAgentHelper-arm64	security_exception	1   Security                            0x000000019ccd66bc Security::MacOSError::MacOSError(int) + 340
com.apple.securityd	debug	09:13:29.676403-0500	SecurityAgentHelper-arm64	security_exception	2   Security                            0x000000019ccd672c Security::MacOSError::throwMe(int) + 40
com.apple.securityd	debug	09:13:29.676430-0500	SecurityAgentHelper-arm64	security_exception	3   Security                            0x000000019cbba528 Security::CodeSigning::SecStaticCode::validateDirectory() + 3368
com.apple.securityd	debug	09:13:29.676457-0500	SecurityAgentHelper-arm64	security_exception	4   Security                            0x000000019cbbd8b4 Security::CodeSigning::SecStaticCode::validateNonResourceComponents() + 24
com.apple.securityd	debug	09:13:29.676484-0500	SecurityAgentHelper-arm64	security_exception	5   Security                            0x000000019cba7124 Security::CodeSigning::SecCode::checkValidity(unsigned int) + 368
com.apple.securityd	debug	09:13:29.676508-0500	SecurityAgentHelper-arm64	security_exception	6   Security                            0x000000019cbb0f18 SecCodeCheckValidityWithErrors + 88
com.apple.FileProvider	debug	09:13:29.676702-0500	fileproviderd	com.microsoft.OneDrive.FileProvider/O{21}s.com	[DEBUG] ┣eda9 dispatching to <private>
com.apple.securityd	debug	09:13:29.676532-0500	SecurityAgentHelper-arm64	security_exception	7   support                             0x0000000110242770 xpc_support_check_token + 416
com.apple.FileProvider	debug	09:13:29.676764-0500	fileproviderd	com.microsoft.OneDrive.FileProvider/O{21}s.com	[DEBUG] ┳eda9 continuing on <private>
com.apple.securityd	debug	09:13:29.676558-0500	SecurityAgentHelper-arm64	security_exception	8   libxpc.dylib                        0x00000001999632e0 _xpc_connection_check_peer_requirement + 428
com.apple.FileProvider	debug	09:13:29.676820-0500	fileproviderd	com.microsoft.OneDrive.FileProvider/O{21}s.com	[DEBUG] ┗eda9
com.apple.securityd	debug	09:13:29.676582-0500	SecurityAgentHelper-arm64	security_exception	9   libxpc.dylib                        0x000000019994e420 _xpc_connection_handle_async_reply + 276
com.apple.FileProvider	debug	09:13:29.676843-0500	fileproviderd	com.microsoft.OneDrive.FileProvider/O{21}s.com	Going full rescan for pending items after 57199.359297
com.apple.securityd	debug	09:13:29.676605-0500	SecurityAgentHelper-arm64	security_exception	10  libdispatch.dylib                   0x0000000199a8e468 _dispatch_client_callout3 + 20
com.apple.securityd	debug	09:13:29.676630-0500	SecurityAgentHelper-arm64	security_exception	11  libdispatch.dylib                   0x0000000199aabfc8 _dispatch_mach_msg_async_reply_invoke + 344
com.apple.securityd	debug	09:13:29.676654-0500	SecurityAgentHelper-arm64	security_exception	12  libdispatch.dylib                   0x0000000199a95898 _dispatch_lane_serial_drain + 368
com.apple.securityd	debug	09:13:29.676723-0500	SecurityAgentHelper-arm64	security_exception	13  libdispatch.dylib                   0x0000000199a96578 _dispatch_lane_invoke + 432
com.apple.securityd	debug	09:13:29.676769-0500	SecurityAgentHelper-arm64	security_exception	14  libdispatch.dylib                   0x0000000199aa12d0 _dispatch_root_queue_drain_deferred_wlh + 288
com.apple.securityd	debug	09:13:29.676893-0500	SecurityAgentHelper-arm64	security_exception	15  libdispatch.dylib                   0x0000000199aa0b44 _dispatch_workloop_worker_thread + 404
com.apple.securityd	debug	09:13:29.677000-0500	SecurityAgentHelper-arm64	security_exception	16  libsystem_pthread.dylib             0x0000000199c3b00c _pthread_wqthread + 288
com.apple.securityd	debug	09:13:29.677098-0500	SecurityAgentHelper-arm64	security_exception	17  libsystem_pthread.dylib             0x0000000199c39d28 start_wqthread + 8
	error	09:13:29.677278-0500	SecurityAgentHelper-arm64	<Missing Description>	xpc_support_check_token: <private> error: <private> status: -2147409622
com.apple.SecurityAgentHelper.arm64	default	09:13:29.677567-0500	SecurityAgentHelper-arm64	EOGSecurityServiceClient	biometricAuthorization remote proxy error: Error Domain=NSCocoaErrorDomain Code=4102 "The code signature requirement failed." UserInfo={NSDebugDescription=The code signature requirement failed.}

It appears that the trust evaluation fails. I assume that my security agent plugin is failing to trust the code signing cert chain used to sign my launch daemon.

It turns out that a security agent plugin can't even verify a signature using SecStaticCodeCheckValidityWithErrors.
