mosen / SwiftPrivilegedHelper

Example application using a privileged helper tool with authentication written in Swift


SwiftPrivilegedHelper

This is an example application to demonstrate how to use a privileged helper tool with authentication in Swift 3.0.

Please understand the code, then improve and customize it to suit your needs and your application. The example code contains minimal error handling and can be improved in many ways.


Requirements

  • Tool and language versions
    This project was created and only tested using Xcode Version 8.1 (8B62) and Swift 3.0.

  • Developer Certificate
    To use a privileged helper tool, the application and helper have to be signed with a valid developer certificate.
    I'm using manual signing with a Developer ID certificate in the application, so the guide will assume that setup.

  • SMJobBlessUtil
    The Python tool for verifying signing of applications using SMJobBless, included in the SMJobBless example project, is extremely useful for troubleshooting signing issues.

Download it here: SMJobBlessUtil.py

Use it like this: ./SMJobBlessUtil.py check /path/to/MyApplication.app

Setup

To test the project, you need to update it to use your own signing certificate.

Select signing team

  1. Select the project in the navigator.
  2. For both the application and helper targets:
  3. Change the signing Team to your Team.

Change signing certificate OU

  1. Find the OU of the Developer ID certificate you selected in the application:
     $ grep DevelopmentTeam /path/to/SwiftPrivilegedHelper/MyApplication.xcodeproj/project.pbxproj
     DevelopmentTeam = Y7QFC8672N;
  2. For both the application and helper Info.plist:
  3. Replace the OU with your own in "Tools owned after installation" and "Clients allowed to add and remove tool" respectively.
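The OU in both requirement strings is what ties the helper and the application to one signing team, so it is worth checking before a build. The following Python script is an added example, not part of this project or of SMJobBlessUtil.py; it reads the raw plist keys SMPrivilegedExecutables and SMAuthorizedClients (which Xcode displays as "Tools owned after installation" and "Clients allowed to add and remove tool") and reports any entry that does not pin the expected OU. The bundle identifiers and the team ID ABCDE12345 are constructed placeholders.

```python
import plistlib
import re

# Matches the OU clause of a code-signing requirement, quoted or unquoted.
OU_RE = re.compile(r'certificate leaf\[subject\.OU\]\s*=\s*"?([A-Za-z0-9]+)"?')

def requirement_ous(requirement):
    """Return every OU value named in one requirement string."""
    return OU_RE.findall(requirement)

def check_team_ou(app_info, helper_info, team_id):
    """Return a list of problems; an empty list means both plists pin team_id."""
    problems = []
    # Application side: dict of helper label -> requirement the helper must meet.
    tools = app_info.get("SMPrivilegedExecutables", {})
    # Helper side: list of requirements a client application must meet.
    clients = helper_info.get("SMAuthorizedClients", [])
    if not tools:
        problems.append("app: SMPrivilegedExecutables missing or empty")
    if not clients:
        problems.append("helper: SMAuthorizedClients missing or empty")
    entries = [("app", label, req) for label, req in tools.items()]
    entries += [("helper", f"client[{i}]", req) for i, req in enumerate(clients)]
    for side, name, req in entries:
        ous = requirement_ous(req)
        if not ous:
            # Without an OU clause the requirement is not tied to one signing team.
            problems.append(f"{side}: {name} has no subject.OU clause")
        for ou in ous:
            if ou != team_id:
                problems.append(f"{side}: {name} pins OU {ou}, expected {team_id}")
    return problems

# Constructed sample plists: the application still carries the example OU from
# the repository, the helper was already updated to the placeholder team.
REQ = 'identifier "{}" and anchor apple generic and certificate leaf[subject.OU] = {}'
APP = plistlib.dumps({"SMPrivilegedExecutables": {
    "com.example.MyApplicationHelper":
        REQ.format("com.example.MyApplicationHelper", "Y7QFC8672N")}})
HELPER = plistlib.dumps({"SMAuthorizedClients": [
    REQ.format("com.example.MyApplication", '"ABCDE12345"')]})

if __name__ == "__main__":
    for line in check_team_ou(plistlib.loads(APP), plistlib.loads(HELPER), "ABCDE12345"):
        print(line)
```

To check a real build, load the two Info.plist files with `plistlib.load` and pass your own team ID.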

Build and test the application.

Signing Troubleshooting

Use SMJobBlessUtil.py and correct all issues reported until it doesn't show any output.

Application

The helper is installed by using SMJobBless.

Once the helper is installed, you can enter a directory path in the text field at the top and choose to run the /bin/ls command (with the entered path as argument) using the helper tool, with or without requiring authorization.

The application caches the authorization reference, which means that you only have to authorize that action once until you press the "Destroy the cached authorization reference" button or restart the application.

This behaviour can easily be changed to require authorization every time, after x seconds, or never.

References

Links to documentation on the authorization system on macOS.
