Use pure Swift to easily and securely communicate with XPC services and XPC Mach services. A client-server model
enables you to use your own Codable
conforming types to
send requests to routes you define and receive responses.
SecureXPC uses Swift concurrency on macOS 10.15 and later allowing clients to make non-blocking asynchronous requests to servers. A closure-based API is also available providing compatibility back to OS X 10.10.
This framework is ideal for communicating with helper tools installed via
SMJobBless
. It's built with
security in mind, minimizing the opportunities for
exploits. Server-side security checks are performed
against the actual calling process instead of relying on PIDs which are known to be
insecure.
The envisioned pattern when using this framework is to define routes in a shared file, create a server in one program (such as a helper tool) and register these routes, then from another program (such as an app) create a client and send requests to these routes.
In a file shared by the client and server define one or more routes:
let route = XPCRoute.named("bedazzle")
.withMessageType(String.self)
.withReplyType(Bool.self)
In one program retrieve a server, register those routes, and then start the server:
...
let server = <# server retrieval here #>
server.registerRoute(route, handler: bedazzle)
server.startAndBlock()
}
private func bedazzle(message: String) throws -> Bool {
<# implementation here #>
}
On macOS 10.15 and later async
functions and closures can also be registered as the handler for a route.
There are multiple types of servers which can be retrieved:
XPCServer.forThisXPCService()
- For an XPC service, which is a private helper tool available only to the main application that contains it
XPCServer.forThisBlessedHelperTool()
- For a helper tool installed via
SMJobBless
- To see a sample app for this use case, check out SwiftAuthorizationSample
- For a helper tool installed via
XPCServer.forThisMachService(named:clientRequirements:)
- For
Launch Daemons and Agents
as well as more advanced
SMJobBless
helper tool configurations
- For
Launch Daemons and Agents
as well as more advanced
XPCServer.makeAnonymous()
- Typically used for testing purposes
XPCServer.makeAnonymous(clientRequirements:)
- Enables applications not managed by
launchd
to communicate with each other, see documentation for more details
- Enables applications not managed by
In another program retrieve a client, then send a request to a registered route:
let client = <# client retrieval here #>
let reply = try await client.sendMessage("Get Schwifty", to: route)
Closure-based variants are available for macOS 10.14 and earlier:
let client = <# client retrieval here #>
client.sendMessage("Get Schwifty", to: route, withResponse: { result in
switch result {
case .success(let reply):
<# use the reply #>
case .failure(let error):
<# handle the error #>
}
})
There are multiple types of clients which can be retrieved:
XPCClient.forXPCService(named:)
- For communicating with an XPC service
- This corresponds to servers created with
XPCServer.forThisXPCService()
XPCClient.forMachService(named:)
- For communicating with an XPC Mach service
- This corresponds to servers created with
XPCServer.forThisBlessedHelperTool()
orXPCServer.forThisMachService(named:clientRequirements:)
XPCClient.forEndpoint(_:)
- This is the only way to communicate with an anonymous server
- This corresponds to servers created with
XPCServer.makeAnonymous()
orXPCServer.makeAnonymous(clientRequirements:)
- It can also be used with an XPC Mach service
SecureXPC uses types conforming to Swift's Codable
protocol to serialize data across the XPC connection. Due to the
nature of how Codable
is defined, it is not possible for the same instance to be referenced from multiple other
deserialized instances. This is in contrast to how
NSSecureCoding
behaves, which is used by
NSXPCConnection
for serialization.
While there are considerable similarities between these two serialization protocols, there is a significant difference
in how deserialization occurs. A Codable
conforming type is always decoded via its
initializer with no possibility of
substitution. In contrast, an NSSecureCoding
conforming type may use
awakeAfter(using:)
to substitute
in an already initialized instance.
While Codable
can be implemented by any type, in practice value types such as struct
and enum
are the most natural
fit. The aforementioned deserialization behavior is by definition not applicable to value types.