From f114ecbe6bc2b22ac3c1564e6eacc0700c3a55f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Cie=C5=9Blak?=
Date: Mon, 29 Jul 2024 16:26:25 +0200
Subject: [PATCH] Adjust message for errXPCConnectionCodeSigningRequirementFailure
---
 lib/vnet/daemon/client_darwin.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/vnet/daemon/client_darwin.go b/lib/vnet/daemon/client_darwin.go
index 9c53d8a7ee580..56775166e8d95 100644
--- a/lib/vnet/daemon/client_darwin.go
+++ b/lib/vnet/daemon/client_darwin.go
@@ -320,7 +320,15 @@ func startByCalling(ctx context.Context, bundlePath string, config Config) error
 }
 if errorDomain == nsCocoaErrorDomain && errorCode == errorCodeNSXPCConnectionCodeSigningRequirementFailure {
- errC <- trace.Wrap(errXPCConnectionCodeSigningRequirementFailure, "the daemon does not appear to be code signed correctly")
+ // If the client submits TELEPORT_HOME to which the user doesn't have access, the daemon is
+ // going to shut down with an error soon after starting. Because of that, macOS won't have
+ // enough time to perform the verification of the code signing requirement of the daemon, as
+ // requested by the client.
+ //
+ // In that scenario, macOS is going to simply error that connection with
+ // NSXPCConnectionCodeSigningRequirementFailure. Without looking at logs, it's not possible
+ // to differentiate that from a "legitimate" failure caused by an incorrect requirement.
+ errC <- trace.Wrap(errXPCConnectionCodeSigningRequirementFailure, "either daemon is not signed correctly or it shut down before signature could be verified")
 return
 }
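Review bot: The new message on the `errC <- trace.Wrap(...)` line merges a genuine code-signing requirement failure with an early daemon exit, yet it gives the reader no way to tell them apart, even though the added comment says the logs are what distinguishes the two. A real failure here may mean the daemon binary is not the one the client expects, so the message should point to the logs rather than invite dismissal as a TELEPORT_HOME problem, e.g. `"either the daemon is not signed correctly or it shut down before its signature could be verified; check the daemon logs"`. The sentinel `errXPCConnectionCodeSigningRequirementFailure` is still wrapped, so callers that match on it (none are visible here) keep treating both cases as a signing failure. That fail-closed behaviour looks right, and the comment could say so with a line such as `// Both cases are reported as a signing failure on purpose; do not retry without the requirement.` `startByCalling` begins and ends outside the hunk.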