How to set `com.apple.developer.driverkit.transport.usb` entitlement? - usb

I am unsure about how to set the `com.apple.developer.driverkit.transport.usb` key in my dext entitlements file. The Info.plist file already contains the IOKitPersonalities dictionary, and reading about the `com.apple.developer.driverkit.transport.usb` dictionary it looks like it should contain entries with the same information as the entries of IOKitPersonalities.
The entitlements file for a project that is very similar to what is being shown in the WWDC video about driver kit sets this to:
```xml
<key>com.apple.developer.driverkit.transport.usb</key>
<true/>
```
When I set it to <true/>, the system extension starts. I do see some lines like this before I see log lines from the app:
...
2020-05-06 12:23:19.229709+0200 0x51ac2 Default 0x0 0 0 kernel: DK: IOUserServer(sc.example.MyUserUSBInterfaceDriver-0x100002aad)::exit(CDHash check failed)
Should this entitlement just reflect what is in the IOKitPersonalities dictionary?
With the key completely removed I get:
...
2020-05-06 12:23:19.229709+0200 0x51ac2 Default 0x0 0 0 kernel: DK: IOUserServer(sc.example.MyUserUSBInterfaceDriver-0x100002aad)::exit(CDHash check failed)
2020-05-06 12:23:19.253517+0200 0x51ac2 Default 0x0 0 0 kernel: DK: IOUserServer(sc.example.MyUserUSBInterfaceDriver-0x100002aae)::exit(Entitlements check failed)
.. so I guess the key must be there.
I am viewing log lines related to the app with `log stream --source | grep MyUserUSBInterfaceDriver`

Updated answer

As I have shipped some USB DriverKit based drivers, I've found that in practice it's slightly different than I originally stated in the answer, although my original answer matched Apple's documentation.
Although Apple mentions both Product ID and Vendor ID in the documentation for the USB transport entitlement, in practice only the vendor ID is relevant for entitlements/code signing purposes. This means that if your driver needs to support any number of USB devices with vendor IDs 1234 and 2345 (Decimal! Usual notation for vendor IDs is hex, so don't forget to convert first!) you will need to include the following in your dext's entitlements:
```xml
<key>com.apple.developer.driverkit.transport.usb</key>
<array>
    <dict>
        <key>idVendor</key>
        <integer>1234</integer>
    </dict>
    <dict>
        <key>idVendor</key>
        <integer>2345</integer>
    </dict>
</array>
```
To be clear, that means the entitlement must be of the type array -> dictionaries, even if you only need to support one vendor ID.
The idVendor values listed must also be embedded in your provisioning profile by Apple, which is why you must include them when you apply for DriverKit entitlements. Note that the form only supports a single vendor ID, so if you need to support more than one you must list them all in the free-form text field.
Update 2:
Since mid/late 2022 Apple has been making certain DriverKit entitlements available to all members of the dev programme without special application, for development signing only. This includes the USB transport entitlement. The “free” version of this is in a wildcard form and consists of the string “*” instead of a number. When using a provisioning profile with this version of the entitlement, your dext’s entitlement file will also need to use the asterisk.
Platforms
Although the documentation (which we have established above is also incorrect in other ways) only mentions macOS, this entitlement is also needed for developing and deploying USBDriverKit based drivers for iPadOS. Make sure to request it for all platforms relevant to your project when applying. The previous paragraph about the self-service wildcard development-only entitlement applies to iPadOS in all regards as well.
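
The array -> dictionaries shape described in this answer, as an added example (not part of the original answer and not Apple tooling): it converts hex vendor IDs to the decimal integers the entitlement needs, and flags the `<true/>` form and values that the provisioning profile does not grant. The function names and the `profile_vendors` argument are assumptions of this example.

```python
import plistlib

KEY = "com.apple.developer.driverkit.transport.usb"

# Constructed sample: the boolean form shown in the question.
BOOLEAN_FORM = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.developer.driverkit.transport.usb</key><true/>
</dict></plist>"""


def build_entitlement(hex_vendor_ids):
    """Build the array -> dictionaries form from vendor IDs in hex notation."""
    entries = [{"idVendor": int(v, 16)} for v in hex_vendor_ids]
    return plistlib.dumps({KEY: entries})


def check_entitlement(plist_bytes, profile_vendors):
    """Return a list of problems; an empty list means shape and values look right.

    profile_vendors is an assumption of this example: the idVendor values
    (ints, or "*" for the development wildcard) granted by the provisioning profile.
    """
    value = plistlib.loads(plist_bytes).get(KEY)
    if value is None:
        return ["key is missing"]
    if not isinstance(value, list):
        return [f"value must be an array of dictionaries, got {type(value).__name__}"]
    problems = []
    for i, entry in enumerate(value):
        vid = entry.get("idVendor") if isinstance(entry, dict) else None
        # plistlib maps <true/> to bool, which is an int subclass, so exclude it.
        if vid == "*" or (isinstance(vid, int) and not isinstance(vid, bool)):
            if isinstance(vid, int) and not 0 <= vid <= 0xFFFF:
                problems.append(f"entry {i}: idVendor {vid} is outside the 16-bit range")
            elif vid not in profile_vendors:
                problems.append(f"entry {i}: idVendor {vid!r} is not in the provisioning profile")
        else:
            problems.append(f"entry {i}: needs an integer (or '*') idVendor, got {vid!r}")
    return problems


if __name__ == "__main__":
    good = build_entitlement(["04D2", "0929"])  # 0x04D2 = 1234, 0x0929 = 2345
    print(good.decode())
    print(check_entitlement(good, {1234, 2345}))
    print(check_entitlement(BOOLEAN_FORM, {1234, 2345}))
    print(check_entitlement(good, {"*"}))
```

The last call shows the wildcard case from Update 2: numeric vendor IDs are reported as mismatches when the profile only carries the "*" form.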

Related

Core Media plug-in identifier

I have created a CMIO (CoreMediaIO) plug-in for OS X that can access media hardware (in my case a virtual camera), using Apple's example with the SDK as the basis. Everything works perfectly, but now before releasing I came across the problem of getting the unique media plug-in identifier:
There is not really much documentation for CoreMedia.framework in general, and I'm curious: is there a way to get this unique plug-in identifier in some shared database or something?
So eventually I used TSIs and got the following response from Apple:
As long as you’re properly generating the UUID, nothing else is required to ensure uniqueness. The generation process itself guarantees uniqueness. As for generating the UUID, the command line tool “uuidgen” can take care of that:
https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/uuidgen.1.html

How to determine if agent/daemon has disabled or enabled state on OSX 10.6?

I need to determine which agents and daemons are disabled on my OSX. Each process has a plist file with parameters. I assume the "Disabled" key is responsible for that. But not all agents/daemons have this value. So if the property list doesn't contain this parameter, does it mean it's disabled or enabled? I didn't find any info regarding the default value for this item.
Please provide a reference to Apple's documentation which proves it.
The "Disabled" keys in each LaunchDaemon file can be overridden by an entry in /private/var/db/launchd.db/com.apple.launchd/overrides.plist, and there's a similar system for LaunchAgents in /private/var/db/launchd.db/com.apple.launchd.peruser.userID/overrides.plist. I don't think Apple has documented this anywhere, which means that you are not expected to interact directly with these files, just use launchctl. It also means they're subject to change (i.e. it didn't always work this way and might change without notice in a later version of OS X). Also, the file for LaunchDaemons is only readable by root.

Is there any private api to monitor network traffic on iPhone?

I need to implement an app that monitors inbound/outbound connections by different apps on iPhone. My app is going to run in the background using Apple's background multitasking feature for VoIP and navigators.
I can use private api as my client doesn't need this app on appstore.
Thanks.
I got through this.
I didn't need any private Api to get information of inbound/outbound active connections.
It's just that you need to know basic C programming and have some patience.
I wrote to the Apple dev forums regarding this, and got this response:
From my perspective most of what I have to say about this issue is covered in the post referenced below.
<https://devforums.apple.com/message/748272#748272>
The way to make progress on this is to:
- grab the relevant headers from the Mac OS X SDK
- look at the Darwin source for netstat to see how the pieces fit together
WARNING: There are serious compatibility risks associated with shipping an app that uses this technique; it's fine to use this for debugging and so on, but I recommend against shipping code like this to end users.
What I did step by step is -
1) Downloaded the code of netstat from BSD open source -
2) Add this to your new iPhone project.
3) Some header files are not present in the iOS SDK, so you need to copy them from opensource.apple.com and add them to your iPhone SDK at the relevant path under -
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk/usr/include
My Xcode version is 4.5.2, so this is the path relevant to my Xcode. You may have a different path depending on your version of Xcode. Remember to add those headers to both the iOS SDK and the iOS Simulator SDK so that the code will work on the device as well as on the simulator.
4) You may find some minor errors in the netstat code relating to not finding definitions of some structures in header files, e.g. "struct xunpcb64". Don't worry, the definitions are present there. You need to comment out some "#if !TARGET_OS_EMBEDDED" #else in those header files so that the iOS SDK can reach into those if conditions and access the definitions. (Needs some trial and error. Be patient.)
5) Finally you will be able to compile your code. Cheers!!
In case you haven't seen this already, I have used it successfully on my iPhone.
https://developer.apple.com/library/ios/ipad/#qa/qa1176/_index.html
I realize it is not exactly what you want.
Generally, I agree with Suneet. All you need is a network sniffer.
You can try to do a partial port of WireShark (it's open source and it works on MacOS) to iOS. Both iOS and OS X share most of the kernel, so if it's not explicitly prohibited on iOS, it should work for you.
WireShark is quite a big product, so you may be interested in looking for another open source network sniffer which works on OS X.

Refactoring/renaming Ocean Workstep derivative classes

It seems that once an Ocean Workstep derivative class has been released to production (and is used by clients), its name, namespace and assembly name are effectively locked for future updates (in order to ensure backwards compatibility).
When a Petrel project is saved, workstep references are saved as a full type name (namespace, class, strong assembly name) inside the binary file Classes.ptd. During loading, if the exact type name (assembly version seems to be ignored) can't be resolved, the workstep appears as "workstep not available" in the workflow editor.
In other instances of binary serialization we've encountered, Petrel makes use of the SerializationBinder registered with PetrelSystem.ProjectSerializationService - not so for Workstep instances.
Is there any other way to facilitate Workstep class/namespace/assembly renames?
Why is this behaviour so poorly documented (if at all)? Have we misunderstood something?
This issue will actually be fixed with the Ocean 2012.1 API. The workstep reference will not include the version number anymore: Both workstep and process serialization is cleaned up. Version number is not serialized (and not used on deserialization) and a UniqueId can be used instead of the type name.
Here is an extract of the 2012.1 Ocean release notes on the subject.
Process and Workstep Unique Id
Namespace: Slb.Ocean.Petrel.Workflow
Processes and worksteps created through Ocean did not have a proper identifier until now. They were identified by their full type name including the version number which means that their identifier could change, for instance, if:
- The version number of the plug-in assembly was increased (e.g. new plug-in install).
- The process/workstep class was moved to a new assembly.
- The namespace of the process/workstep class was changed.
This could cause issues in Petrel such as the display of a “broken link” instead of the process name in the Favorites tree or a workstep appearing as "workstep not available" in the workflow editor.
To solve this, Ocean has removed the version number from the process and workstep identifier and is delivering a new API to support a user defined identifier for custom processes and worksteps which will be unique across the Petrel application. Any process/workstep created through Ocean should now implement a unique identifier.
Please refer to:
- Process.UniqueId to define unique identifier for processes
- Workstep.UniqueId to define unique identifier for worksteps.
The new API also offers backward compatibility support for already serialized processes/worksteps and a few changes in the serialization logic. When a legacy project is being opened the old-style ids are automatically replaced by new ids during deserialization.
Best Regards,
Gaelle

Verifying app's signature by code [duplicate]

I have my app signed. I created an identity and used codesign to sign my app as per Apple's Code Signing Guide.
Now, how do I check the signature from within my application?
I need to verify this on Cocoa apps (Objective-C) and apps written in C.
You could use NSTask and run "codesign --verify" and check the exit status. Of course if the program was altered it could be altered to remove the check, so I'm not sure what that buys you.
If you are not worried about directed tampering (like the kind that might remove your check of the signature) you can use the codesign "kill" option, if you do merely executing means the signature is valid (at least for all pages that have been executed so far...but if a not-yet-resident page has been tampered with you will get killed when that one is read in anyway).
Maybe if you could explain a little more about why you want to verify the signature a better answer could be formed.
Note: Currently MacOS X does not verify signed code prior to execution. This may be different for sandboxed code, and it would seem sensible that it is otherwise anybody could edit the entitlements.
To check an application's signature from within the application itself you use the Code Signing Services. In particular look at SecCodeCheckValidity. The code to do the checking is not long, but there is quite a bit to understand so I won't give a code sample - you need to read and understand the documentation.
Checking the signature allows your application to detect changes to its code & resources and report it is "damaged" (it may well be, not all changes are malicious) and refuse to run. Adding such code does not of course guarantee your code is not damaged, but certainly it does raise the barrier higher against intentional damage (and if MacOS X starts doing the check itself then there will be a big win).
The way signature verification is implemented on iOS is that when an application is being launched, the launchd daemon decrypts the binary using that device's specific private key (this is why you can't just decompile apps or copy-paste them from one device to another). If the decryption fails, the application fails to launch.
The native tools that do this are not available within applications due to the iOS sandboxing.
If you're simply attempting to track if someone has modified your binary, you can perform an MD5 or SHA1 hash of it, store it in NSUserDefaults and compare it at each app start. If the hash changes between executions you know it has been modified (possibly by a legitimate application update or possibly nefariously.)
Here's an example on how to get the hash of an NSData.
The binary file you're looking for is: AppName.app/AppName