Ok, so the code to do the code sign check I am using is below. Furthermore, I
have my version of the SMJobBless app with these checks at:
http://ericgorr.net/cocoadev/SMJobBless.zip
The only remaining question is whether or not there is a better way or whether
the code-sign check is necessary?
if ( currentVersion == installedVersion )
{
SecRequirementRef requirement;
OSStatus stErr;
stErr = SecRequirementCreateWithString( CFSTR( "identifier
com.apple.bsd.SMJobBlessHelper and certificate leaf[subject.CN] = \"Joe
Developer\"" ), kSecCSDefaultFlags, &requirement );
if ( stErr == noErr )
{
SecStaticCodeRef staticCodeRef;
stErr = SecStaticCodeCreateWithPath( (CFURLRef)installedPathURL,
kSecCSDefaultFlags, &staticCodeRef );
if ( stErr == noErr )
{
stErr = SecStaticCodeCheckValidity( staticCodeRef,
kSecCSDefaultFlags, requirement );
needToInstall = NO;
}
}
}
On Sep 30, 2011, at 4:27 PM, Eric Gorr wrote:
> Well, it turned out to be not that bad to check the version numbers. The
> trick was to use CFBundleCopyInfoDictionaryForURL so one could get the
> info.plist from the helper tool. In any case, for those who might be
> interested, I have included the code below I used to check the installed
> helper tool vs. the current helper tool version for the SMJobBless sample
> application. If there is a better way, I would be interested.
>
> I suppose one more additional check that might need to be made is to verify
> that a connection to the tool can actually be made if the versions do match.
> It would seem possible that a different tool with the same name and version
> might exist. So, it would seem to be a good idea to check the signing
> requirement for the helper tool. In the case of the SMJobBless sample code,
> this is what I have so far:
> Or, is this check not necessary?
>
>
> -----
> -----
>
> NSDictionary* installedHelperJobData = (NSDictionary*)SMJobCopyDictionary(
> kSMDomainSystemLaunchd, (CFStringRef)@"com.apple.bsd.SMJobBlessHelper" );
> BOOL needToInstall = YES;
>
> if ( installedHelperJobData )
> {
> NSLog( @"helperJobData: %@", installedHelperJobData );
>
> NSString* installedPath = [[installedHelperJobData
> objectForKey:@"ProgramArguments"] objectAtIndex:0];
> NSURL* installedPathURL = [NSURL
> fileURLWithPath:installedPath];
>
> NSDictionary* installedInfoPlist =
> (NSDictionary*)CFBundleCopyInfoDictionaryForURL( (CFURLRef)installedPathURL );
> NSString* installedBundleVersion = [installedInfoPlist
> objectForKey:@"CFBundleVersion"];
> NSInteger installedVersion = [installedBundleVersion
> integerValue];
>
> NSLog( @"installedVersion: %ld", (long)installedVersion );
>
> NSBundle* appBundle = [NSBundle mainBundle];
> NSURL* appBundleURL = [appBundle bundleURL];
>
> NSLog( @"appBundleURL: %@", appBundleURL );
>
> NSURL* currentHelperToolURL = [appBundleURL
> URLByAppendingPathComponent:@"Contents/Library/LaunchServices/com.apple.bsd.SMJobBlessHelper"];
> NSDictionary* currentInfoPlist =
> (NSDictionary*)CFBundleCopyInfoDictionaryForURL(
> (CFURLRef)currentHelperToolURL );
> NSString* currentBundleVersion = [currentInfoPlist
> objectForKey:@"CFBundleVersion"];
> NSInteger currentVersion = [currentBundleVersion
> integerValue];
>
> NSLog( @"currentVersion: %ld", (long)currentVersion );
>
> if ( currentVersion == installedVersion )
> {
> needToInstall = NO;
> }
> }
>
>
> On Sep 30, 2011, at 3:09 PM, Eric Gorr wrote:
>
>> So, it looks like one can call SMJobCopyDictionary with
>> kSMDomainSystemLaunchd and, in the case of the SMJobBless sample code,
>> com.apple.bsd.SMJobBlessHelper to determine whether or not the helper tool
>> has been installed.
>>
>> What I am still not sure about is how to check the version number of the
>> tool to see if I need to call SMJobBless again to update the helper tool.
>>
>> I suppose I could encode the version in the label of the tool. So, in the
>> case of the SMJobBless code, one might have:
>>
>> com.apple.bsd.SMJobBlessHelper.3
>>
>> or something, but I'm guessing there is a better solution then this.
>>
>>
>>
>> On Sep 30, 2011, at 1:53 PM, Eric Gorr wrote:
>>
>>> That's interesting.
>>>
>>> So, how would one go about checking to see whether or not SMJobBless needed
>>> to be called?
>>>
>>> I suppose one would need to check the version number of the installed job
>>> vs. the one in the application package.
>>>
>>> I also suppose one would also try to connect with the helper tool and, if
>>> that fails, then call SMJobBless.
>>>
>>>
>>>
>>> On Sep 30, 2011, at 1:40 PM, Kyle Sluder wrote:
>>>
>>>> On Sep 30, 2011, at 10:05 AM, Eric Gorr <[email protected]> wrote:
>>>>
>>>>> On Sep 30, 2011, at 1:00 PM, Jean-Daniel Dupas wrote:
>>>>>
>>>>>> As I understand it, you have to bless the job only once, not at each
>>>>>> launch, so you shouldn't have to request the authorization each time.
>>>>>
>>>>> It would be interesting if that is how it actually works, but I am quite
>>>>> certain it doesn't work that way.
>>>>
>>>> It does. SMJobBless submits a blessed plist to launchd. It does not do
>>>> one-off jobs. You use once it to install a privileged launchd task that
>>>> you can talk to in the future.
_______________________________________________
Cocoa-dev mailing list ([email protected])
Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com
This email sent to [email protected]
