Swiftpack.co - trilemma-dev/Blessed as Swift Package

Swiftpack.co is a collection of thousands of indexed Swift packages. Search packages.
See all packages published by trilemma-dev.
trilemma-dev/Blessed 0.4.0
Easy to use SMJobBless, along with a full Swift implementation of the Authorization Services and Service Management frameworks
⭐️ 9
🕓 1 week ago
.package(url: "https://github.com/trilemma-dev/Blessed.git", from: "0.4.0")

Leverage SMJobBless functionality with just one function call:

let message = "Example App needs your permission to do thingamajig."
let icon = Bundle.main.url(forResource: "bless", withExtension: "png")
try LaunchdManager.authorizeAndBless(message: message, icon: icon)

Both the message and icon parameters are optional. Defaults will be provided by macOS if they are not specified.

On macOS 10.15 and later this functionality is also available as an async variant which will not block while waiting for a user to grant (or decline) authorization.

To see a runnable sample app using this framework, check out SwiftAuthorizationSample which also makes use of SecureXPC for secure interprocess communication.


Beyond making it easy to bless a helper tool, Blessed provides a complete Swift implementation of the non-deprecated portions of macOS's Authorization Services and Service Management frameworks. At a high level this framework exposes three closely related capabilities:

  1. Requesting a user grant permission for one or more rights via macOS's Security Server
  2. Defining custom rights in the Policy Database
  3. Using launchd to install helper tool executables which will run with root privileges

For completeness the Service Management capability to enable and disable login items via launchd is also included; see LaunchdManager.enableLoginItem(forBundleIdentifier:) and LaunchdManager.disableLoginItem(forBundleIdentifier:).


In some more advanced circumstances you may to want directly interact with macOS's Security Server via the Authorization class.

If you only need to check if a user can perform an operation, use checkRights(_:environment:options:) without needing to create an Authorization instance.

Otherwise you'll typically want to initialize an instance via init() and then subsequently request rights with requestRights(_:environment:options:) or requestRightsAsync(_:environment:options:callback:).

Defining Custom Rights

macOS's authorization system is built around the concept of rights. The Policy Database contains definitions for all of the rights on the system and your application can add its own.

If an application defines its own rights it can then use these to self-restrict functionality. For details on why you might want to do see, consider reading Apple's Technical Note TN2095: Authorization for Everyone although keep in mind the code samples shown are not applicable if you are using this Swift implementation.

To define a custom right:

let myCustomRight = AuthorizationRight(name: "com.example.MyApp.special-action")
let description = "MyApp would like to perform a special action."
let rules: Set<AuthorizationRightRule> = [CannedAuthorizationRightRules.authenticateAsAdmin]
try myCustomRight.createOrUpdateDefinition(rules: rules, descriptionKey: description)

The above example creates a right called "com.example.MyApp.special-action" which requires that the user authenticate as an admin. How exactly the user does so is up to macOS; your application does not concern itself with this. (At the time of this documentation being written this means the user needing to type in a password, but in the future Apple could for example update their implementation of the authenticateAsAdmin rule to use Touch ID.) When the user is asked to authenticate they will see the message "MyApp would like to perform a special action."

There are several optional parameters not used in this example, see the documentation for details.

If you need to create a rule which is not solely composed of already existing rules, you must create an authorization plug-in, which is not covered by this framework. See Using Authorization Plug-ins for more information.


Most of this framework is not available to sandboxed processes because of privilege escalation.

The exceptions to this are:

  • reading or existence checking a right definition in the Policy Database
  • enabling or disabling a login item

If you need to determine at run time if your process is sandboxed, this framework adds a property to ProcessInfo: ProcessInfo.processInfo.isSandboxed.


Stars: 9
Last commit: 1 week ago
jonrohan Something's broken? Yell at me @ptrpavlik. Praise and feedback (and money) is also welcome.

Release Notes

1 week ago

This release changes both the external sandbox check API as well as its internal implementation.

Breaking changes

  • The function NSApplication.shared.isSandboxed() has been removed and replaced with the ProcessInfo.processInfo.isSandboxed property.

Swiftpack is being maintained by Petr Pavlik | @ptrpavlik | @swiftpackco | API | Analytics