Recently we've discovered an issue affecting our products in regards to using the Monterey+ provided new api calls to selectively mute events. Specifically, whenever using es_mute_process_events or es_mute_path_events, the ES_EVENT_TYPE_NOTIFY_OPEN event is ignored for muting (meaning the call will return success, but the event will keep coming). This is true only for this event as far as I can tell, its AUTH counterpart stays muted (along lots of other processes: clone, rename, close, unlink, fork etc). It fails if either the event is in a list of events or if the event is singled out in 1 sized vector of events. When using a dedicated client for this event and using the previous api, es_mute_process or es_mute_path muting works as intended. Tested on ventura 13.5 and 13.6. Is there something that can be done to prevent dedicated clients or is this a known issue?

Hello. We provide our software in the form of static libraries (.a) wrapped in xcframework. Therefore, the final app will not include the embed framework. In such a case, should the manifest content required for the library be written as part of the application's xcprivacy file? Or can I provide xcprivacy as part of the xcframework?

Hi, We're trying to generate the key inside secure enclave from the deamon, but it fails with the below error. The operation couldn’t be completed. (OSStatus error -26276 - failed to generate asymmetric keypair) Could you please help me to resolve the issue?

Hello, I am working on simple task, i have a JWT and I need to verify it's signature. My sample data: JWT eyJhbGciOiJFUzI1NiIsImtpZCI6IjhEWVpUTFRPVUtNSjdUU0w4SFZVVTlUVEdXMV9NTVVSSURJV1JUVE0iLCJ0eXAiOiJKV1QifQ.eyJub25jZSI6Indkd2R3ZHdkIiwiZGF0ZVRpbWUiOiIyMDIzLTEwLTEzVDEyOjQ4OjQwWiJ9.nWBfRne9VOKV4NGt32gWtoA5fUKzu0RzkhUYSYwUA7cvalsABUcWrpEk0fhztPZDK7KrDF8P2Pquhoxq4p-FUg Public key (JWK) { "kid": "8DYZTLTOUKMJ7TSL8HVUU9TTGW1_MMURIDIWRTTM", "use": "sig", "kty": "EC", "alg": "ES256", "crv": "P-256", "x": "8dyzTlToUkMJ7tsl8HVuU9tTGw1_mmuridIWrttMRCs", "y": "AVqGlqJ88QgP_uVLea7gIUnA-p9iYwnJyYt7o-uH4oU" } When you put the data to the [https://jwt.io] you get "Signature Verified" message. So the data should be ok. I have implementation in Objective-C, but i get this weird error message when the SecKeyVerifySignature is called. Here is my code: #import <Cocoa/Cocoa.h> #import <CommonCrypto/CommonDigest.h> NSString* base64StringWithPadding(NSString *encodedString) { NSString* stringTobeEncoded = [[encodedString stringByReplacingOccurrencesOfString:@"-" withString:@"+"] stringByReplacingOccurrencesOfString:@"_" withString:@"/"]; int paddingCount = encodedString.length % 4; for (int i = 0; i < paddingCount; i++) { stringTobeEncoded = [stringTobeEncoded stringByAppendingString:@"="]; } return stringTobeEncoded; } SecKeyRef restorePublicKey(NSString *x, NSString *y) { NSString *xBase64Padd = base64StringWithPadding(x); NSString *yBase64Padd = base64StringWithPadding(y); NSData *xData = [[NSData alloc] initWithBase64EncodedString:xBase64Padd options:kNilOptions]; //32bytes NSData *yData = [[NSData alloc] initWithBase64EncodedString:yBase64Padd options:kNilOptions]; //32bytes NSMutableData *publicKeyData = [NSMutableData data]; // Append the constant byte '04' to indicate uncompressed format const unsigned char uncompressedByte = 0x04; [publicKeyData appendBytes:&uncompressedByte length:1]; // Append the X-coordinate and Y-coordinate [publicKeyData appendData:xData]; [publicKeyData appendData:yData]; NSDictionary *keyAttributes = @{ (id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom, (id)kSecAttrKeyClass: (id)kSecAttrKeyClassPublic, (id)kSecAttrKeySizeInBits: @256, (id)kSecAttrIsPermanent:@NO }; CFErrorRef error = NULL; SecKeyRef publicKeyRef = SecKeyCreateWithData( (__bridge CFDataRef)publicKeyData, (__bridge CFDictionaryRef)keyAttributes, &error ); if(!publicKeyRef) { NSError *err = CFBridgingRelease(error); NSLog(@"%@", err.description); } return publicKeyRef; } int main(int argc, const char * argv[]) { @autoreleasepool { NSDictionary *jwk = @{ @"kid": @"8DYZTLTOUKMJ7TSL8HVUU9TTGW1_MMURIDIWRTTM", @"use": @"sig", @"kty": @"EC", @"alg": @"ES256", @"crv": @"P-256", @"x": @"8dyzTlToUkMJ7tsl8HVuU9tTGw1_mmuridIWrttMRCs", @"y": @"AVqGlqJ88QgP_uVLea7gIUnA-p9iYwnJyYt7o-uH4oU" }; SecKeyRef publicKeyRef = restorePublicKey(jwk[@"x"], jwk[@"y"]); NSString* header = @"eyJhbGciOiJFUzI1NiIsImtpZCI6IjhEWVpUTFRPVUtNSjdUU0w4SFZVVTlUVEdXMV9NTVVSSURJV1JUVE0iLCJ0eXAiOiJKV1QifQ"; NSString* payload = @"eyJub25jZSI6Indkd2R3ZHdkIiwiZGF0ZVRpbWUiOiIyMDIzLTEwLTEzVDEyOjQ4OjQwWiJ9"; NSString* signature = @"nWBfRne9VOKV4NGt32gWtoA5fUKzu0RzkhUYSYwUA7cvalsABUcWrpEk0fhztPZDK7KrDF8P2Pquhoxq4p-FUg"; NSString *headerAndPayload = [NSString stringWithFormat:@"%@.%@", header, payload]; NSData *signedData = [headerAndPayload dataUsingEncoding:NSUTF8StringEncoding]; NSString *signatureBase64Padd = base64StringWithPadding(signature); NSData *signatureData = [[NSData alloc] initWithBase64EncodedString:signatureBase64Padd options:kNilOptions]; bool canVerify = SecKeyIsAlgorithmSupported(publicKeyRef, kSecKeyOperationTypeVerify, kSecKeyAlgorithmECDSASignatureMessageX962SHA256); if(canVerify) { CFErrorRef error = NULL; BOOL verifyStatus = SecKeyVerifySignature( publicKeyRef, kSecKeyAlgorithmECDSASignatureMessageX962SHA256, (__bridge CFDataRef)signedData, (__bridge CFDataRef)signatureData, &error ); if(error) { NSError *err = CFBridgingRelease(error); NSLog(@"%@", err.description); } } else { NSLog(@"Cannot verify."); } } return NSApplicationMain(argc, argv); } I dont know where is the problem. I've tried everything.

When I run it on my IOS 16 device I get this error message. When I run it on my device with IOS 17 I get none of these logs. My build target for both the widget and app are 16.0. "process may not map database" UserInfo={NSDebugDescription=process may not map database, _LSLine=66, _LSFunction=_LSServer_GetServerStoreForConnectionWithCompletionHandler} 2023-10-19 13:49:44.565845-0400 Halo[87980:7963095] [db] Failed to initialize client context with error Error Domain=NSOSStatusErrorDomain Code=-54 "process may not map database" UserInfo={NSDebugDescription=process may not map database, _LSLine=66, _LSFunction=_LSServer_GetServerStoreForConnectionWithCompletionHandler} 2023-10-19 13:49:44.569345-0400 Halo[87980:7963095] Metal API Validation Enabled

My AppleScript .app bundle contains a helper executable. Table 3 of TN2206 says that executables may be in either Contents/MacOS or Contents/Helpers, but Quinn's first reply in this post says that Contents/MacOS is better. So I put the helper in Contents/MacOS, alongside applet. I sign the AppleScript .app bundle for Developer ID and Hardened Runtime by running the codesign command with arguments recommended by Quinn in this post. Result: Notary Service rejects the .app bundle due to 3 issues with the helper: is not signed with a valid Developer ID certificate does not include a secure timestamp does not have the hardened runtime enabled (Possibly it still has a years-old signature without Developer ID and Hardened Runtime). So it seems that the the helper is not being (re-)signed. If, instead of signing the .app bundle, I run Quinn's codesign comand twice, once on the applet and once on the second executable, then Notary Service is happy with the bundle. I was hoping that, after all these years, codesign is now smart enough to find and sign all of the executables inside a bundle. Both executables are x86_64 non-fat (I guess I should fatten those) and I have installed Xcode 15.1 Beta. Should I file a bug, or am I doing something wrong?

Hi! After over a year published in the App Store and with all 5-star ratings, my free, ad-free and open source app has been rejected this week during a routine bugfix update (literally a 1-line change in the code). The reviewer claims my app breaks this rule: (ix) Apps that provide services in highly regulated fields (such as banking and financial services, healthcare, gambling, legal cannabis use, and air travel) or that require sensitive user information should be submitted by a legal entity that provides the services, and not by an individual developer. Apps that facilitate the legal sale of cannabis must be geo-restricted to the corresponding legal jurisdiction. All my app does is use an open, public and free API offered by an investment firm in my country that allows their customers to access their account data programatically. This allows them to integrate things like their account balance or history in spreadsheets, websites, widgets, etc. For instance, people are already using Scriptable to create homescreen widgets that show their live balance in the homescreen. You just log in to the official firm's website, generate a personal token, and then input that token in whichever app/spreadsheet you want in order to make the corresponding HTTP requests. Now, my app does NOT collect any data whatsoever. When you open it, the app fetches your account data from these GET (read-only) endpoints and shows it to you with a nice presentation, including pleasant interactive charts that users really like. But the data only lives in memory, and as soon as you exit the app, it's all gone. No account creation, no data collection, no data storage, nothing. Zero. It's like sending a Postman request, but having the response plotted in nice charts for you. That's all. The ONLY thing that can (optionally) be stored locally in your device is your access token, so you don't have to copy and paste it every time you open the app. And it is securely encrypted in your iPhone and protected biometrically. That's it. The reviewer claims that, because my app presents sensitive financial information to the user, it must be published directly through the official company account of the investment firm, not by me. But isn't that what hundreds of popular banking/brokerage aggregators do? They just use read-only, open APIs to consolidate all your positions across banks/broker accounts, then present it to you in a single place. I understand these apps are not breaking any rules, right? So how is my app different? Am I missing something? To add to this, the investment firm is well aware of the existence of my app, and they not only approve of it, but are highly supportive and have encouraged me to continue improving it, as it shows the kind of things that are possible with their API. They've repeatedly helped me solve technical doubts whenever I've had any issues. So this is really a win-win for everyone and there's zero conflicts here. Do you think the reviewer is right? Or is he misinterpreting the policy? My impression is that the policy is aimed at apps that COLLECT sensitive data, not those who just PRESENT it to the user. But even though I've tried to explain this to him, he won't budge. What options do I have? Just to be clear, my app doesn't offer "financial services" of any kind on top of this. It simply shows you the same information you can see in the raw JSON that the API returns, or in the official app/website, but in a nicer format. It's clean, aseptic, unadulterated data, without any commercial business behind it. No offering or soliciting of any other products, just a pure and clean presentation of the data. Any advice would be greatly appreciated, as I'd like to get a second opinion before sending a FOURTH reply to the reviewer. I'd hate having to make my app an Android exclusive because of a simple policy misinterpretation :(

stat() is in the "Required Reason API" list. https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api I do not use stat() in my app, but I use assembler instruction to invoke stat system call. And for a security purpose, I use its return value to check existence of some files and directories outside the app container. I use system call instead of API for a security reason. Q. Do I have to declare that my app uses "Required Reason API"?

Hello, Look at this basic C program: #include <stdio.h> int main() { printf("%llx\n", main); return 0; } The displayed address change on each run. This is due to ASLR. Is there a way to launch a program by forcing the main module's base address I would like to do something like that in my terminal: $ BASE_ADDRESS=0x10000 ./a.out How can i do that on mac os ? Is it possible to force base address loading for shared libraries too ? Thanks

Hello, when I attempted to use the passkey, the method - (void)prepareCredentialListForServiceIdentifiers:(NSArray<ASCredentialServiceIdentifier *> *)serviceIdentifiers requestParameters:(ASPasskeyCredentialRequestParameters *)requestParameters API_AVAILABLE(ios(17.0), macos(14.0)) API_UNAVAILABLE(watchos, tvos); didn't execute. Are there any specific prerequisites for this method to run? I would appreciate your assistance. Thank you.

I've been reading information/signing data using keys in the file keychain without too many problems but the other day I tried to generate a private key in the file and the secure enclave keychains and I faced the -30418 error. I made sure that the entitlements were correct based on previous posts but still no luck. Code kind of based off this: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/protecting_keys_with_the_secure_enclave Do you actually need to pay for the $99/per year developer account to generate private keys inside the keychains ?

I have some code where I'm using SecKeyCreateSignature using a SecKey that I retrieved using SecCopyItemMatching with an LAContext provided to the query via the kSecUseAuthenticationContext parameter. This is a biometrically-backed key so a Touch ID prompt is displayed for the user. Calling LAContext.invalidate() while that system prompt is present doesn't dismiss the prompt or cancel the SecKeyCreateSignature call. I was hoping that would behave similar to how calling LAContext.invalidate when calling LAContext.evaluatePolicy and dismiss the system prompt and cancel the evaluatePolicy call. Is this a bug/oversight, expected behaviour, or am I missing some required setup to accomplish what I'm trying to do?

Hello, I made a mechanism that shows my custom user interface in the lock screen of MacOS by using the example in https://developer.apple.com/library/archive/samplecode/NameAndPassword/ The UI is being displayed as required and working perfectly. But it will automatically gets removed form display when there is no input from user for 30 seconds. I need to prolong that time as I need to support multiple factor verifications such as push notification(where user need to accept push notification in mobile device rather than in mac), security key(where user needs to insert and tap a security device without needing to give any input in keyboard or trackpad). Please suggest me any solution regarding the ways to achieve this. Any information is appreciated. Thank you.

My app was rejected because the camera usage description was too vague. When I went back to update it with clearer language, the description now does not show up at all. I've edited the Privacy - Camera Usage Description in info.plist targeting the iOS app but it still does not show up. I looked at this old thread but I've already followed the steps suggested therein to no avail.

Hi there, bit of an odd one, we have no idea how this happened but now we can't seem to figure out how to fix. Our app requests Touch ID on macOS to authenticate a user. This is done in the ever so standard way [LAContent evaluatePolicy:...]... Functionally everything is fine, but for some reason there is no App Name on the system dialog... We don't even know when this started happening... Our App Icon is there but not the name, it's blank so the dialog looks strange (see attached pic). The text doesn't really make sense without the App Name. I wouldn't have even thought this was possible, the standard info.plist keys like CFBundleName and CFBundleDisplayName are all set correctly. Everything else seems totally fine. We're seeing this across every target/build/version/sku so it seems unrelated to a particular plist. There are no localizations for the App Name either, no InfoPlist.strings involved here. What could cause this, does anyone know? @eskimo, I'm afraid turning things up to 11 didn't help, so hoping you've got an idea?

On my mac platform I try to use the method SecKeyCreateSignature to sign data with algorithm kSecKeyAlgorithmRSASignatureRaw but always failed. I double checked the support status but it failed with sample code: if (!SecKeyIsAlgorithmSupported(privKeyRef, kSecKeyOperationTypeSign, kSecKeyAlgorithmRSASignatureRaw)) {return 0;} But on my iOS client, the kSecKeyAlgorithmRSASignatureRaw works well. If I can not use the algorithm kSecKeyAlgorithmRSASignatureRaw, which algorithm I can use to get the same signed result by sign the given to-be-signed raw data.

Hello community we have been using an Endpoint Security client within a system extension for quite a while now. After some users updated macOS to Sonoma, we got complaints about slower performance when using MS Office on Mac. The product features work as expected, and our system extension is loaded and delivers events. Upon inspection of the log files, we found the following (but not on all machines): [com.apple.TCC:access] Failed to create LSApplicationRecord for file:///Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension/: 'The operation couldn’t be completed. (OSStatus error -10811.)' and [com.apple.TCC:access] -[TCCDAccessIdentity staticCode]: static code for: identifier com.sophos.endpoint.scanextension, type: 0: 0x7fb63da318c0 at /Library/SystemExtensions/0062566E-9869-4CC4-A666-F641F5C011CD/com.sophos.endpoint.scanextension.systemextension for almost each event delivered. We are using XPC from the system extension to a non-priviliged daemon process to process file content. A feedback has already been filed: FB13174804 An additional code-level support was returnd woithout any explanation. Signing checks of the system extension and the containing app (daemon) on Sonoma turn up without any errros. Any idea, whats going on here? Frank Fenn Sophos Inc.

We noticed that your app collects information about the user’s friends, contacts, or other third-party persons without the knowledge or consent of those parties. Specifically, the app allows users to enter an IMEI from an iOS device and obtain information. The App Store is designed to be a safe and trusted place for users to discover apps and apps on the App Store are held to a high standard for privacy, security, and content. Next Steps To resolve this issue, please remove any features that collect personal third-party user data from your app. i have a problem with that , but in my app I asked user accpect with Terms of Use & Privacy Policy for use onwer Serial or IMEI for main content ! but app review always Reject my project pls help me , tks a lot for erevyone have a nice day !

Hi there, I'm trying to do a raw signature but the SecKeyRawSign is deprecated, so I am wondering if there is any way to do it using SecKeyCreateSignature, and EC key and the kSecKeyAlgorithmECDSASignatureMessageX962SHA256 algo. I've noticed that this method applies a hash before signing the data, and I want to avoid that. Is that possible? If not, what other options do i have? Thanks in advance.

Hi, I have a query regarding the inclusion of the privacy manifest. Particularly, these SDKs are not maintained by their respective vendors or the community. Do we have any existing procedures or guidelines in place to tackle such scenarios? or is it possible to represent these SDKs from the app privacy manifest? Thanks.