我们需要在Macbook Pro平台上的安全区域的cli接口，以实现自定义扩展程序，以openvpn标识与vpn客户端连接的计算机。我们找不到用于访问安全区域的cli工具，就像 security 对 keychain 一样。当我们尝试在Xcode（基于EllipticCurveKeyPair）中自己实现MacOS命令行工具时，尝试在命令行工具中创建密钥对会导致错误，可在此处查看：

https://www.osstatus.com/search/results?platform=all&framework=all&search=-34018

表示命令行工具缺少访问安全区域所需的权利。现在，我们面临为命令行目标配置所需权利的问题。似乎不可能将权限分配给命令行工具目标

尝试使用生成新密钥对时发生错误

SecKeyGeneratePair(query as CFDictionary,&publicOptional,&privateOptional)

，其中publicOptional和private Optional为nil，查询字典为

([String : Any]) $R7 = 4 key/value pairs {
[0] = {
key = "private"
value = 5 key/value pairs {
  [0] = {
    key = "perm"
    value = true
  }
  [1] = {
    key = "accc"
    value = 0x00000001020ebc10 {}
  }
  [2] = {
    key = "u_AuthCtx"
    value = 0x0000000102400020 {
      ObjectiveC.NSObject = {
        isa = LAContext
      }
    }
  }
  [3] = {
    key = "labl"
    value = "no.agens.sign.private"
  }
  [4] = {
    key = "u_AuthUI"
    value = 0x00007fff9b492b28 {
      base__NSCFString@0 = {
        baseNSMutableString@0 = {
          baseNSString@0 = {
            baseNSObject@0 = {
              isa = __NSCFConstantString
            }
          }
        }
      }
    }
  }
}
}
[1] = {
key = "type"
value = "73"
}

在控制台中，我们发现与Xcode报告一致的错误消息：

default 14:56:14.226372 +0100 secd  SecTool[29214]/1#1 LF=0 add Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither com.apple.application-identifier,com.apple.security.application-groups nor keychain-access-groups entitlements" UserInfo={NSDescription=Client has neither com.apple.application-identifier,com.apple.security.application-groups nor keychain-access-groups entitlements}

当未在“应用​​程序沙箱”中运行命令行工具时，发生以上错误。在此线程中，我们看到一个警告，请不要在应用程序沙箱https://eclecticlight.co/2019/06/13/building-and-delivering-command-tools-for-catalina/#comment-41763中运行命令行工具。

无论如何，当我们配置命令行工具目标以在“应用程序沙箱”中运行时，会出现此错误：

0x7fff6ac3bb5e <+1981>: callq  0x7fff6ac3c3fe            ; symbol stub for: __snprintf_chk
0x7fff6ac3bb63 <+1986>: leaq   0x111e(%rip),%r8         ; "Sandbox creation failed: %s"
0x7fff6ac3bb6a <+1993>: movl   $0x800,%esi              ; imm = 0x800 
0x7fff6ac3bb6f <+1998>: movl   $0x0,%edx
0x7fff6ac3bb74 <+2003>: movl   $0x800,%ecx              ; imm = 0x800 
0x7fff6ac3bb79 <+2008>: xorl   %eax,%eax
0x7fff6ac3bb7b <+2010>: leaq   -0x880(%rbp),%rbx
0x7fff6ac3bb82 <+2017>: movq   %rbx,%rdi
0x7fff6ac3bb85 <+2020>: movq   %r13,%r9
0x7fff6ac3bb88 <+2023>: callq  0x7fff6ac3c3fe            ; symbol stub for: __snprintf_chk
0x7fff6ac3bb8d <+2028>: movq   %r14,0x3668b68c(%rip)    ; gCRAnnotations + 16
0x7fff6ac3bb94 <+2035>: movq   %rbx,0x3668b67d(%rip)    ; gCRAnnotations + 8
->  0x7fff6ac3bb9b <+2042>: ud2    =>Thread 1: EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP,subcode=0x0)
0x7fff6ac3bb9d <+2044>: xorl   %edi,%edi
0x7fff6ac3bb9f <+2046>: callq  0x7fff6ac3c446            ; symbol stub for: exit

似乎是在初始化应用程序沙箱时无法识别的某些错误。无论如何，我们仍然在〜/ ​​library / Containers / OurSecTool中找到一个容器文件夹，其中包含一个Data文件夹，但没有Container.plist文件。在这种情况下，我们无法在控制台应用程序中找到相关消息。

我们正在使用Apple提供的开发证书对代码进行签名。当我们手动签名代码以提供keychain-access-group权利时，命令行工具将在启动时失败，并记录错误“ Killed：9”。

在Xcode中实现可以与安全区域连接的命令行工具的正确方法是什么？ 或者，作为一种替代方法，MacOS中是否有任何命令行命令支持创建密钥对，基于安全区域的签名和加密？

为了防止其他人走这条路，以下是我们在研究过程中回顾的一些资源：

• Apple App Sandbox概述和详细信息https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AboutAppSandbox/AboutAppSandbox.html
• 深度https://developer.apple.com/library/archive/technotes/tn2206/_index.html的MacOS代码签名
• MacOS权利列表https://developer.apple.com/documentation/bundleresources/entitlements
• 为目标https://help.apple.com/xcode/mac/current/#/dev88ff319e7添加功能
• 支持的功能（macOS）https://help.apple.com/developer-account/#/devadf555df9
• 创建，导出和删除签名证书https://help.apple.com/xcode/mac/current/#/dev154b28f09?sub=devd6ad10e16
• 代码签名任务https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html
• macOS代码深入https://developer.apple.com/library/archive/technotes/tn2206/_index.html签名
• 内部代码签名https://www.objc.io/issues/17-security/inside-code-signing/
• iPhone开发101 https://www.idev101.com/
• 将密钥存储在安全的区域https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave?language=objc
• 从用户角度出发的有关代码签名的系列
• https://eclecticlight.co/2019/06/13/building-and-delivering-command-tools-for-catalina/
• https://eclecticlight.co/2019/01/15/code-signing-for-the-concerned-1-why/
• https://eclecticlight.co/2019/01/16/code-signing-for-the-concerned-2-creating-a-personal-certificate/
• https://eclecticlight.co/2019/01/31/code-signing-for-the-concerned-6-signing-scripts-and-command-tools/
• https://eclecticlight.co/2019/06/13/building-and-delivering-command-tools-for-catalina/
• MacOS App编程指南https://developer.apple.com/library/archive/documentation/General/Conceptual/MOSXAppProgrammingGuide/Introduction/Introduction.html
• https://blog.fleetsmith.com/tcc-a-quick-primer/
• https://lapcatsoftware.com/articles/hardened-runtime-sandboxing.html
• https://developer.apple.com/library/archive/documentation/Security/Conceptual/AppSandboxDesignGuide/AppSandboxInDepth/AppSandboxInDepth.html
• https://opensource.apple.com/source/security_systemkeychain/security_systemkeychain-55202/src/codesign.cpp.auto.html
• Darth Null和…信息安全，安全的地区https://darthnull.org/security/2018/05/31/secure-enclave-ecies/
• Darth Null和…信息安全，使用TouchID和Tidas https://darthnull.org/security/2016/02/10/tidas-auth/的移动应用程序身份验证
• https://eclecticlight.co/2019/06/13/building-and-delivering-command-tools-for-catalina
• https://twocanoes.com/adding-a-command-line-tool-helper-to-a-mac-app-store-app/
• https://dev.to/ceri_anne_dev/how-to-make-a-command-line-tool-in-xcode-2f81