Lazarus

Programming => Operating Systems => macOS / Mac OS X => Topic started by: Hansaplast on May 26, 2017, 03:12:31 am

Title: Can anyone help using SMJobBless (Privileged helpertool) in Lazarus?
Post by: Hansaplast on May 26, 2017, 03:12:31 am
I've done quite a bit of reading on the topic of running particular code with elevated rights.
Apple recommends using SMJobBless (link (https://developer.apple.com/library/content/samplecode/SMJobBless/Listings/ReadMe_txt.html#//apple_ref/doc/uid/DTS40010071-ReadMe_txt-DontLinkElementID_3)), but it's pretty poorly documented and whatever examples I can find are solely intended for use with Xcode. I've been struggling with this, on and off, for quite a while (see also my previous post (http://forum.lazarus.freepascal.org/index.php/topic,26982.msg166543.html#msg166543) from 2 years ago).


I'm looking for some insight and assistance to get this done with Lazarus.
I'd be even willing to pay for a good explanation and working example.


There are at least 2 applications for which I'd like to use this (none of these are commercial or intended for the App Store):
1) I have created a tool that uses "dd" to read/write disk images, which requires sudo level execution,
2) I'm creating a tool to make signing apps easier, which needs elevated rights for using codesign.


Using tricks like RunCommand, TProcess etc. works for "dd", but not for "codesign" (security rejects it, even when using sudo).
In hopes of doing it correctly, I assume the helpertool route is the way to go.


As I understand, I need to create basically 2 applications. The main application and the helpertool.
Both need to be signed, have a specific plist, etc., etc., and possibly some complex linking.
But that's as far as I have gotten ...


Is anyone capable and willing to help with this?
Again: I am willing to pay for it.
Title: Re: Can anyone help using SMJobBless (Privileged helpertool) in Lazarus?
Post by: Phil on May 26, 2017, 04:07:34 am
2) I'm creating a tool to make signing apps easier, which needs elevated rights for using codesign.

See CCRDude's package for Lazarus that adds cross-platform signing. That's a good place for it, in the IDE.

Or just run codesign in a script. That's about as easy as it gets. What particular problem are you having?

Title: Re: Can anyone help using SMJobBless (Privileged helpertool) in Lazarus?
Post by: Hansaplast on May 26, 2017, 04:03:32 pm
Thanks Phil!


I had not heard of this package, which looks like a great start.
It is however still lacking some plist and entitlements support.
Manual signing is something I already have under control though.


I basically have 2 scenarios where I think SMJobBless would be helpful:


I was actually working on a tool that allows me to edit the plist, entitlements, build a DMG, sign the application and the DMG, etc.
Kind-a doing all the work for me. It works great but the only thing I keep running into is that signing from the application keeps failing (using codesign and using spctl to verify signing the application).
I tried using sudo, AppleScript with administrator privileges, the command-line security tool, etc. (through RunCommand, TProcess etc.) - but they all fail since macOS considers it a security issue.


This is however not the main reason why I was looking into SMJobBless.
I have another tool (Apple Pi Baker) which currently uses TProcess and the command line to backup/restore SD cards.
It works for the vast majority of users just fine, but I'm interested in doing it more correctly (anticipating issues in the future).
Reading up on elevating rights, I found that Apple recommends using SMJobBless - but the documentation out there is very limited.
Rewriting the code for "dd" is a little over my head (unless someone can point me in the right direction).
Title: Re: Can anyone help using SMJobBless (Privileged helpertool) in Lazarus?
Post by: Phil on May 28, 2017, 02:27:40 am
Kind-a doing all the work for me. It works great but the only thing I keep running into is that signing from the application keeps failing (using codesign and using spctl to verify signing the application).
I tried using sudo, AppleScript with administrator privileges, the command-line security tool, etc. (through RunCommand, TProcess etc.) - but they all fail since macOS considers it a security issue.

I haven't seen that you need to use sudo to run codesign on an .app bundle. What version of OS X are you on?

I do see codesign fail sometimes. Or rather, it appears to work but then spctl indicates something like "invalid signature" or "sealed resource is missing or invalid". In those cases, just running codesign again has worked for me. So it's possible that what you're seeing isn't related to a lack of privileges.

Reading up on elevating rights, I found that Apple recommends using SMJobBless - but the documentation out there is very limited.

The docs you link to above seem pretty complete. They haven't been updated in about 4 years, but I think something with a limited audience like SMJobBless probably wouldn't be updated very often.

You could try rewriting the SMJobBlessApp and SMJobBlessHelper in Objective Pascal. You would need to translate the headers for the ServiceManagement framework into ObjP to use it in the Pascal app. But that's a pretty small framework, with only 3 small header files.
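As an added example (my own code, not from this thread, from Apple's SMJobBless sample or from FPC's univint package): the blessing step that the main application performs, written as a plain Free Pascal program. SMJobBless is a C function, not an Objective-C method, so no Objective Pascal is required for this part; only the two declarations from ServiceManagement.h have to be translated by hand, and that translation (the `{$linkframework}` directive, the `kSMDomainSystemLaunchd` import and the `SMJobBless` prototype) is mine and an assumption. The Authorization Services calls follow the signatures in FPC's MacOSAll unit as I know them (pointer-style "can be NULL" parameters). `HelperLabel` is a placeholder.

```pascal
program BlessHelperDemo;
{$mode objfpc}{$H+}
{$linkframework ServiceManagement}  // SMJobBless lives here; MacOSAll does not link it

uses
  SysUtils, MacOSAll;  // MacOSAll: CoreFoundation and Authorization Services bindings

const
  // Placeholder label (assumption). It must match three things exactly: the "Label"
  // in the helper's embedded launchd plist, the key of the entry in the app's
  // SMPrivilegedExecutables dictionary, and the helper's file name in
  // MyApp.app/Contents/Library/LaunchServices/. SMJobBless copies that file to
  // /Library/PrivilegedHelperTools/<label> and registers it with launchd.
  HelperLabel = 'com.example.MyApp.Helper';
  // Authorization right that ServiceManagement.h names kSMRightBlessPrivilegedHelper.
  kSMRightBlessPrivilegedHelper = 'com.apple.ServiceManagement.blesshelper';

// Hand-translated from ServiceManagement.h (my translation, not part of univint).
var
  kSMDomainSystemLaunchd: CFStringRef; external name '_kSMDomainSystemLaunchd';

function SMJobBless(domain: CFStringRef; executableLabel: CFStringRef;
  auth: AuthorizationRef; var outError: CFErrorRef): Boolean; cdecl;
  external name '_SMJobBless';

// Copy a CFString into a Pascal string for logging (truncated at 1023 bytes).
function CFStringToPascal(S: CFStringRef): string;
var
  Buf: array[0..1023] of AnsiChar;
begin
  Result := '';
  if (S <> nil) and CFStringGetCString(S, @Buf[0], Length(Buf), kCFStringEncodingUTF8) then
    Result := StrPas(@Buf[0]);
end;

// Ask the user for the bless right and install the helper. Returns False with
// a readable reason in ErrMsg when any step fails.
function BlessHelper(out ErrMsg: string): Boolean;
var
  Auth: AuthorizationRef;
  Item: AuthorizationItem;
  Rights: AuthorizationRights;
  Flags: AuthorizationFlags;
  Status: OSStatus;
  LabelRef, Desc: CFStringRef;
  Err: CFErrorRef;
begin
  Result := False;
  ErrMsg := '';
  Auth := nil;
  Err := nil;

  // 1. Start with an empty authorization reference (no rights yet).
  Status := AuthorizationCreate(nil, nil, kAuthorizationFlagDefaults, @Auth);
  if Status <> errAuthorizationSuccess then
  begin
    ErrMsg := 'AuthorizationCreate failed: ' + IntToStr(Status);
    Exit;
  end;

  // 2. Request exactly one right, the bless right. InteractionAllowed lets the
  //    system show the admin credentials dialog; nothing runs as root here.
  Item.name := PChar(kSMRightBlessPrivilegedHelper);
  Item.valueLength := 0;
  Item.value := nil;
  Item.flags := 0;
  Rights.count := 1;
  Rights.items := @Item;
  Flags := kAuthorizationFlagDefaults or kAuthorizationFlagInteractionAllowed or
           kAuthorizationFlagPreAuthorize or kAuthorizationFlagExtendRights;
  Status := AuthorizationCopyRights(Auth, Rights, nil, Flags, nil);
  if Status = errAuthorizationSuccess then
  begin
    // 3. Bless. launchd checks that the app satisfies the helper's SMAuthorizedClients
    //    requirement and the helper satisfies the app's SMPrivilegedExecutables
    //    requirement; an unsigned or mismatched pair fails at this call.
    LabelRef := CFStringCreateWithCString(nil, PChar(HelperLabel), kCFStringEncodingUTF8);
    Result := SMJobBless(kSMDomainSystemLaunchd, LabelRef, Auth, Err);
    CFRelease(LabelRef);
    if not Result then
    begin
      ErrMsg := 'SMJobBless failed';
      if Err <> nil then
      begin
        Desc := CFErrorCopyDescription(Err);
        ErrMsg := ErrMsg + ': ' + CFStringToPascal(Desc);
        if Desc <> nil then CFRelease(Desc);
        CFRelease(Err);
      end;
    end;
  end
  else
    ErrMsg := 'User declined or AuthorizationCopyRights failed: ' + IntToStr(Status);

  // 4. Drop the credentials; the installed helper is independent of them.
  AuthorizationFree(Auth, kAuthorizationFlagDestroyRights);
end;

var
  Msg: string;
begin
  if BlessHelper(Msg) then
    WriteLn('Helper "', HelperLabel, '" installed in /Library/PrivilegedHelperTools')
  else
    WriteLn(Msg);
end.
```

Build notes, all assumptions on my part rather than anything the thread states: the helper is a second, GUI-less FPC program whose Info.plist (with `SMAuthorizedClients`) and launchd plist (with `Label` and `MachServices`) are embedded as `__TEXT,__info_plist` and `__TEXT,__launchd_plist` sections, which FPC can do by forwarding linker flags such as `-k-sectcreate -k__TEXT -k__info_plist -kHelper-Info.plist`; both binaries are signed with the same Developer ID identity, and each plist's requirement string names the other's identifier and certificate. The bless call only installs and registers the helper. The privileged work ("dd" in Apple Pi Baker's case) belongs inside the helper, which should accept requests on its MachServices endpoint and verify the caller's code signature before doing anything, rather than executing whatever command a client sends.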
