AuthorizationCreateFromExternalForm throwes .denied

[amomchilov]

I managed to get authorization to bless my priv helper tool from my main app. I used the Codable implementation of Authorization to send it across to my XPC helper service.

When I hit this line in the decoding:

Blessed/Sources/Blessed/Authorization.swift

Lines 107 to 109 in ef63245

	return try AuthorizationError.throwIfFailure { authorization in
	AuthorizationCreateFromExternalForm(&externalForm, &authorization)
	}

I get a return value of -60005 (errAuthorizationDenied). Looking at the Console.app logs, I see:

process: PID 16263 code requirement check failed (-67050)

(PID 16263 is my XPC helper, and -67050 is errSecCSReqFailed.

Here's an chunk of the log (the line formats aren't consistent, because I was copy/pasting them weirdly)

IntermediatorXPCService before AuthorizationCreateFromExternalForm
SecKeyVerifySignature failed: Error Domain=NSOSStatusErrorDomain Code=-50 "<SecKeyRef algorithm id: 1, key type: RSAPublicKey, version: 4, block size: 2048 bits, exponent: {hex: 10001, decimal: 65537}, modulus: 89764F065B9A41EEA5232B02A35FD7733FC035B08B840A3F06247FA7953FEB4F0E93AFB40ED0C83EE56D18B31FE88947BFD70908E4FF56982915E7949DB935A30ACDB4C0E1E260F4CAEC2978456969606B5F8A92FC9E23E63AC222B3314F1CBAF2B6345942EEB0A90203189104B6B3782E331F80450D456FBB0E5A5B7F3AE7D808D70B0E326DFB8636E46CABC4118A708426AA9F44D1F1B8C67B94179B48F70B5816BA23C59F15397ECA5DC3325F0FE0527F40EABEAC0864955BC91A9CE580CA1F6A441C6C3EC4B0261F1DEC7BAF5EA06A3D47A95812313F2076286D1D1CB0C24E1169268BCBD6D01182C94E0FF15674D0D9084B6678A2ABACA7E2D24C8759C9, addr: 0x12803ad80>: sign - input buffer bad size (264 bytes)" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=<SecKeyRef algorithm id: 1, key type: RSAPublicKey, version: 4, block size: 2048 bits, exponent: {hex: 10001, decimal: 65537}, modulus: 89764F0
SecKeyVerifySignature failed: Error Domain=NSOSStatusErrorDomain Code=-50 "rsa_pub_crypt failed, ccerr=-7" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=rsa_pub_crypt failed, ccerr=-7}
SecKeyVerifySignature failed: Error Domain=NSOSStatusErrorDomain Code=-50 "<SecKeyRef algorithm id: 1, key type: RSAPublicKey, version: 4, block size: 2048 bits, exponent: {hex: 10001, decimal: 65537}, modulus: 89764F065B9A41EEA5232B02A35FD7733FC035B08B840A3F06247FA7953FEB4F0E93AFB40ED0C83EE56D18B31FE88947BFD70908E4FF56982915E7949DB935A30ACDB4C0E1E260F4CAEC2978456969606B5F8A92FC9E23E63AC222B3314F1CBAF2B6345942EEB0A90203189104B6B3782E331F80450D456FBB0E5A5B7F3AE7D808D70B0E326DFB8636E46CABC4118A708426AA9F44D1F1B8C67B94179B48F70B5816BA23C59F15397ECA5DC3325F0FE0527F40EABEAC0864955BC91A9CE580CA1F6A441C6C3EC4B0261F1DEC7BAF5EA06A3D47A95812313F2076286D1D1CB0C24E1169268BCBD6D01182C94E0FF15674D0D9084B6678A2ABACA7E2D24C8759C9, addr: 0x116e6e490>: sign - input buffer bad size (264 bytes)" (paramErr: error in user parameter list) UserInfo={numberOfErrorsDeep=0, NSDescription=<SecKeyRef algorithm id: 1, key type: RSAPublicKey, version: 4, block size: 2048 bits, exponent: {hex: 10001, decimal: 65537}, modulus: 89764F0
non ev score: 1107 <SecCertificatePathVC certs: <cert(0x127852400) s: Apple Development: alexandermomchilov@gmail.com (LCR324TQ85) i: Apple Worldwide Developer Relations Certification Authority>, <cert(0x127833200) s: Apple Worldwide Developer Relations Certification Authority i: Apple Root CA>, <cert(0x127844600) s: Apple Root CA i: Apple Root CA> >
non ev score: 122 lower than 1107 <SecCertificatePathVC certs: <cert(0x127852400) s: Apple Development: alexandermomchilov@gmail.com (LCR324TQ85) i: Apple Worldwide Developer Relations Certification Authority>, <cert(0x127833200) s: Apple Worldwide Developer Relations Certification Authority i: Apple Root CA> >
non ev score: 121 lower than 1107 <SecCertificatePathVC certs: <cert(0x127852400) s: Apple Development: alexandermomchilov@gmail.com (LCR324TQ85) i: Apple Worldwide Developer Relations Certification Authority> >
completed: <SecCertificatePathVC certs: <cert(0x127852400) s: Apple Development: alexandermomchilov@gmail.com (LCR324TQ85) i: Apple Worldwide Developer Relations Certification Authority>, <cert(0x127833200) s: Apple Worldwide Developer Relations Certification Authority i: Apple Root CA>, <cert(0x127844600) s: Apple Root CA i: Apple Root CA> > details: (
            {
        },
            {
        },
            {
        }
    ) result: 1
failed to fetch /MyApp.app/Contents/XPCServices/IntermediatorXPCService.xpc/Contents/_CodeSignature/CodeRepSpecific error=-10
0x15c81e030 validating slot -5
failed to fetch /MyApp.app/Contents/XPCServices/IntermediatorXPCService.xpc/Contents/_CodeSignature/CodeTopDirectory error=-10
0x15c81e030 validating slot -2
open(/MyApp.app/Contents/XPCServices/IntermediatorXPCService.xpc/Contents/Info.plist,0x0,0x1b6) = 9
0x15c81e030 validating slot -1
guest 0x15c016188(20953) kernel status 0x72010025
0x15c81e030 validating slot -10x15c034558 loaded InfoDict 0x15b724740
0x15c034558 loaded DER blob with length 55
0x15c81e030 validating slot -7
0x15c034558 creating new CEQueryContext DER blob with length 47
0x15c034558 reconstituting XML entitlements with context 0x15c026a30
0x15c034558 desirialized size: 6
authd	0x15c034558 xml size: 235
authd	0x15c034558 done serializing <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>com.apple.security.get-task-allow</key><true/></dict></plist>
authd	guest 0x15c016188(20953) kernel status 0x72010025
authd	process: PID 20953 code requirement check failed (-67050)
authd	guest 0x15c016188(20953) kernel status 0x72010025
authd	process: PID 20953 code requirement check failed (-67050)
authd	process: PID 20953 created (sid=114139) /MyApp.app/Contents/XPCServices/IntermediatorXPCService.xpc
authd	server: registered connection (total=1)
authd	xpc: received message PID 20953, type=14
authd	xpc: received message PID 20953, type=6
authd	server: AuthorizationCreateFromExternalForm -60005
IntermediatorXPCService	after AuthorizationCreateFromExternalForm

The odd thing is, SMJobBlessUtil.py check passes just fine, and so does codesign -v:

Here's the codesign verification of the XPC service

$ codesign -dv --verbose=4 /MyApp.app/Contents/XPCServices/IntermediatorXPCService.xpc
Executable=/MyApp.app/Contents/XPCServices/IntermediatorXPCService.xpc/Contents/MacOS/IntermediatorXPCService
Identifier=ca.momchilov.IntermediatorXPCService
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=24277 flags=0x10000(runtime) hashes=747+7 location=embedded
VersionPlatform=1
VersionMin=786432
VersionSDK=786432
Hash type=sha256 size=32
CandidateCDHash sha256=95a516610c5be3d3bab46c86bcaf1765294ba48e
CandidateCDHashFull sha256=95a516610c5be3d3bab46c86bcaf1765294ba48e8d801d52ab0680202497e321
Hash choices=sha256
CMSDigest=95a516610c5be3d3bab46c86bcaf1765294ba48e8d801d52ab0680202497e321
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=1212416
Executable Segment flags=0x1
Page size=4096
CDHash=95a516610c5be3d3bab46c86bcaf1765294ba48e
Signature size=4804
Authority=Apple Development: alexandermomchilov@gmail.com (LCR324TQ85)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Nov 14, 2021 at 3:37:13 PM
Info.plist entries=24
TeamIdentifier=C5B9E4VEW7
Runtime Version=12.0.0
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=220

... and here's the codesign verification of the the helper

$ codesign -dv --verbose=4 /MyApp.app/Contents/XPCServices/IntermediatorXPCService.xpc/Contents/Library/LaunchServices/ca.momchilov.helper
Executable=/MyApp.app/Contents/XPCServices/IntermediatorXPCService.xpc/Contents/Library/LaunchServices/ca.momchilov.helper
Identifier=ca.momchilov.helper
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=8452 flags=0x10000(runtime) hashes=253+7 location=embedded
VersionPlatform=1
VersionMin=786432
VersionSDK=786432
Hash type=sha256 size=32
CandidateCDHash sha256=356bf02d7e53f0320f36ff6cc25a05ce4340231d
CandidateCDHashFull sha256=356bf02d7e53f0320f36ff6cc25a05ce4340231df807f99b3df2f74c87342907
Hash choices=sha256
CMSDigest=356bf02d7e53f0320f36ff6cc25a05ce4340231df807f99b3df2f74c87342907
CMSDigestType=2
Executable Segment base=0
Executable Segment limit=278528
Executable Segment flags=0x1
Page size=4096
CDHash=356bf02d7e53f0320f36ff6cc25a05ce4340231d
Signature size=4804
Authority=Apple Development: alexandermomchilov@gmail.com (LCR324TQ85)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Nov 14, 2021 at 3:34:11 PM
Info.plist entries=7
TeamIdentifier=C5B9E4VEW7
Runtime Version=12.0.0
Sealed Resources=none
Internal requirements count=1 size=200

Off the top of your head, do you have any trouble shooting ideas I could try?

[jakaplan]

At the point in time that your XPC helper tool performed the deserialization, did the Authorization instance still exist in your main app? If not, then the authorization no longer exists in the Security Server.

The output of SMJobBlessUtil.py check or codesign verification aren't relevant (yet) because unless I'm misunderstanding you haven't even been able to call LaunchdManager.bless(...) from your XPC helper server as you're unable to deserialize the Authorization instance. It's the bless action which has code signing requirements, not anything related to authorization.

[amomchilov]

At the point in time that your XPC helper tool performed the deserialization, did the Authorization instance still exist in your main app? If not, then the authorization no longer exists in the Security Server.

Boom. Head shot!

In the little demo app I made myself to test these waters, I had the AuthorizationRef stored statically, and never called AuthorizationFree. See, global variables can solve everything! /s ;)

The output of SMJobBlessUtil.py check or codesign verification aren't relevant (yet)

True.

[amomchilov]

What lifetime should my authorization reference?

I could (for example) have it allocated when I call requestRightsAsync, shove the result into a strong reference, and free it in the reply from my XPC service, which confirms that my XPC service finished the SMJobBless.

[jakaplan]

I could (for example) have it allocated when I call requestRightsAsync, shove the result into a strong reference, and free it in the reply from my XPC service, which confirms that my XPC service finished the SMJobBless.

That'd be perfectly reasonable. Doing that would effectively be the multi-process equivalent of authorizeAndBless(...):

Blessed/Sources/Blessed/LaunchdManager.swift

Lines 86 to 121 in ef63245

	/// Requests authorization and then submits the privileged helper tool defined by this app's
	/// [`SMPrivilegedExecutables`](https://developer.apple.com/documentation/bundleresources/information_property_list/smprivilegedexecutables)
	/// as a launchd job.
	///
	/// See ``Authorization/requestRights(_:environment:options:)`` and ``bless(label:authorization:)`` for details
	/// on this function's behavior as both are called internally.
	///
	/// Tthe value for `bless`'s `label` parameter is determined as the key for the first entry in `SMPrivilegedExecutables` if this dictionary contains
	/// exactly one entry. Otherwise ``LaunchdError/invalidExecutablesDictionary`` will be thrown.
	///
	/// - Parameters:
	/// - message: Optional message shown to the user as part of the macOS authentication dialog.
	/// - icon: Optional file path to an image file loadable by `NSImage` which will be shown to the user as part of the macOS authentication dialog.
	public static func authorizeAndBless(message: String? = nil, icon: URL? = nil) throws {
	// Request authorization for blessing
	let rights: Set<AuthorizationRight> = [AuthorizationRight.blessPrivilegedHelper]
	var environment = Set<AuthorizationEnvironmentEntry>()
	if let message = message {
	environment.insert(AuthorizationEnvironmentEntry.forPrompt(message: message))
	}
	if let icon = icon {
	environment.insert(AuthorizationEnvironmentEntry.forIcon(icon))
	}
	let options: Set<AuthorizationOption> = [.interactionAllowed, .extendRights]
	let authorization = try Authorization()
	_ = try authorization.requestRights(rights, environment: environment, options: options)
	// Bless executable
	if let executables = Bundle.main.infoDictionary?["SMPrivilegedExecutables"] as? [String : String],
	executables.count == 1,
	let firstExecutable = executables.first?.key {
	try bless(label: firstExecutable, authorization: authorization)
	} else {
	throw LaunchdError.invalidExecutablesDictionary
	}
	}

Depending on your state management (such as using a let instance variable), if it's easier for you can create an Authorization instance during initialization, call requestRightsAsync when needed, and then once the XPC Service has finished you can optionally call destroyRights() on it. That said, in most cases it'd be fine to just let the Authorization instance continue to exist without explicitly destroying its rights.

[amomchilov]

Funny enough, I was actually going to pitch the idea of moving lines 100-111 of that method into a new method, which just calls requestRightsAsync with the correct environment, so that you can later use bless separately.

[jakaplan]

Funny enough, I was actually going to pitch the idea of moving lines 100-111 of that method into a new method, which just calls requestRightsAsync with the correct environment, so that you can later use bless separately.

I'm not interested in doing this as authorizeAndBless(...) is a one-off I decided to make because it appears to be such a common use case for using the Authorization Services and Service Management frameworks together. Otherwise, the Blessed framework is meant to be a Swift wrapper/reimagining of these frameworks. The more custom use case APIs offered to do one-offs, the more confusing it'd be to use.

[amomchilov]

I agree in general, but I think if there should be an affordance for one “convenience api” for blessing an app, it should be “authorizeForBless” (temporary name), not “authorizeAndBless”. I think this because:

• the existing API encourages users to authorize and bless in the single interactive process, which means their app can’t be sandboxed, and
• you can compose “authorize” and “bless” into your own “authorizeAndBless”, but not the other way around. If this library provides and “authorizeAndBless”, there is no way to decompose it into its separate seps without just copying their code (lines 100-111)

[jakaplan]

the existing API encourages users to authorize and bless in the single interactive process, which means their app can’t be sandboxed

My understanding is authorization can only occur in a non-sandboxed app. If lines 100-111 were separately factored out, then line 111 would fail in a sandboxed app: _ = try authorization.requestRights(rights, environment: environment, options: options).

I don't see this function as encouraging authorizing and blessing in a single process, so much as when that's the case, making it easy to do so. In the single process case, this seems like the way to both authorize and bless. In a multiprocess case there's a lot of intermediate steps which could differ and go beyond the bounds of this framework.

you can compose “authorize” and “bless” into your own “authorizeAndBless”, but not the other way around. If this library provides and “authorizeAndBless”, there is no way to decompose it into its separate seps without just copying their code (lines 100-111)

I don't think someone implementing this themselves would actually copy lines 100-111, they'd just compose the few lines that are actually applicable. Without the conditional logic, that'd look something like:

let message = "Message here"
let icon = Bundle.main.url(forResource: "myIcon", withExtension: "png")!
let authorization = try Authorization()
_ = try authorization.requestRights([.blessPrivilegedHelper],
                                    environment: [.forPrompt(message: message), .forIcon(icon)],
                                    options: [.interactionAllowed, .extendRights])

Providing a convenience wrapper for such little code seems odd.

[amomchilov]

Well I might be a single data point, but for example, I didn't know that you could specify the authorization prompt/icon until I looked into the source code here.

[jakaplan]

That's a great point. I'll update documentation to make this clearer.