Proper Approach to Programmatically Determine SIP State

Hello,

I have encountered several challenges related to System Integrity Protection (SIP) state detection and code signing requirements. I would like to seek clarification and guidance on the proper approach to programmatically determine the SIP state.

Here are the issues I’ve encountered:

1. XPC Code Signing Check APIs:

   • APIs like setCodeSigningRequirement and setConnectionCodeSigningRequirement do not work when SIP disabled and that's ok given what SIP is.

2. LaunchCodeRequirement API:

   • When using Process.launchRequirement, the LaunchCodeRequirement API does not function anymore when SIP disabled.
   • The IsSIPProtected requirement behaves in a way that is not clearly documented -- it appears to only apply to pre-installed Apple apps.

3. Legacy APIs:

   • Older APIs like SecCodeCheckValidity are likely to be non-functional, though I haven’t had the chance to validate this yet.

4. Private API Concerns:

   • So to mitigate those limitations I prefer my app to not even try to connect to untrusted XPC or launch untrusted Processes when SIP is disabled. The only way to determine SIP state I could find is a low-level C function csr_get_active_config. However, this function is not declared in any publicly available header file, indicating that it is a private API.
   • Since private APIs cannot be used in App Store-distributed apps and are best avoided for Developer ID-signed apps, this does not seem like a viable solution.

Given these limitations, what is the recommended and proper approach to programmatically determine the SIP state in a macOS application?

Any insights or guidance would be greatly appreciated.

Thank you!