Archive for May 7, 2022

Saturday, May 7, 2022

JXA’s Parenthesis Paradox

Dr. Drang:

Because the name of the process is what we want to return, name has to go last in the chain of calls, and it’s the one that gets the parentheses. We’re applying the whose filter to the processes, so it has to go after processes. The properties we’re filtering on (just visible in this case) are set up as a JavaScript object that’s passed as an argument to whose.

Suppose we had two criteria for our filter? Let’s say we want all the visible processes that start with the letter M (which will return just Mail and Messages). In AppleScript, it’s easy to add an extra clause:

tell application "System Events" to get the name of every process ¬
    whose visible is true and name begins with "M"

In JXA, the syntax gets nasty:

Application('System Events').processes.whose(
    {visible: true, name: {_beginsWith: "M"}}).name();

JavaScript is nicer for basic programming and data manipulation, but Apple event stuff is much nicer in AppleScript.

Update (2022-05-10): See also: JavaScript vs. AppleScript.

Update (2022-06-10): Dr. Drang:

Next, we move on to whether JavaScript for Automation (JXA) is worth getting into at all. Do AppleScript concepts really translate well to JavaScript? The same day my last post was published, Rosemary and David released their Automators episode with Daniel Jalkut. While discussing Daniel’s FastScripts app, they had a little sidebar about JXA. Daniel doesn’t think much of it. “It just shouldn’t be there” was his most pithy comment, but he also mentioned an “impedance mismatch” between the JavaScript language and the AppleScript infrastructure underneath it. Exactly.


Finally, let’s talk about the reason I’ve used JXA for some scripts: JavaScript has a good regex engine and AppleScript has none.


Inside Code Signing Technotes

TN3125: Provisioning Profiles:

A macOS app can claim certain entitlements without them being authorized by a provisioning profile. These unrestricted entitlements include:



  • Those used to enable and configure the App Sandbox

  • Those used to configure the Hardened Runtime

In contrast, restricted entitlements must be authorized by a provisioning profile. This is an important security feature on macOS. For example, the fact that the keychain-access-groups entitlement must be authorized by a profile means that other developers can’t impersonate your app in order to steal its keychain items.


Modern systems no longer treat the profile’s property list as the source of truth. Rather, they use the binary form of the profile stored in the profile’s DER-Encoded-Profile property[…]

TN3126: Hashes:

Every now and again an issue crops up where you actually need to understand how code signing works. For example:

  • Using the Latest Code Signature Format has a diagnostic process that involves code signing hash slots. While that process is actionable in and of itself, it makes more sense if you know what those hash slots hold.

  • The issue covered by Updating Mac Software makes more sense once you understand code signing’s lazy per-page signature checking.

This technote explains how code signing uses hashes to protect the code’s executable pages, resources, and metadata from tampering. This technology is absolutely central to code signing’s core function: protecting code from malicious modification.

TN3127: Requirements:

However, in some cases requirements are important, especially on macOS. For example:

  • If you’re building an XPC service, you might want to restrict it to specific clients. The best way to do this is by setting a code signing requirement on the connection with xpc_connection_set_peer_code_signing_requirement. But what requirement to use?

  • When working with privacy-protected resources on macOS, like the microphone, you might find that the system fails to remember your choices during development.

  • You might find that the keychain presents unexpected authorization alerts when you deploy your app through a new channel, like TestFlight.


Bug Puts Apple Music in Dock

Juli Clover:

Apple Music appears to be affected by a bug that is causing the app to install itself directly into the dock when downloaded from the App Store, with the app even replacing other first and third-party apps located in the dock.


There have also been complaints that Apple Music is setting itself as the default music service when it is downloaded even if another music app was set as the default, but we have not been able to replicate this behavior.


Apple told MacRumors that it is aware of the issue and is looking into it.

Damien Petrilli:

Just like the “bug which re-enable Apple Music by itself in the settings all the time. A “bug”.

There are also longstanding bugs where users report that Software Update or Bluetooth gets switched on after an update. Most of the engineers and testers probably have all these features enabled, so preservation of the off state doesn’t get tested organically.


ISPs Ordered to Block Three Pirate Streaming Services

Jon Brodkin:

A federal judge has ordered all Internet service providers in the United States to block three pirate streaming services operated by Doe defendants who never showed up to court and hid behind false identities.

The blocking orders affect,, and, as well as related domains listed in the rulings and any other domains where the copyright-infringing websites may resurface in the future. The orders came in three essentially identical rulings (see here, here, and here) issued on April 26 in US District Court for the Southern District of New York.


The defendants are liable for copyright infringement and violated the anti-circumvention provision of the Digital Millennium Copyright Act (DMCA), the judge wrote[…]


The judge ordered domain registrars and registries to transfer the domain names to the plaintiffs.