iCloud Password – Fix iCloud Password Prompt Issue

icloudmacossleep-wake

On my Yosemite OSX machine I often get an ICloud prompt after awaking from sleep or after a reboot like this

enter image description here

what program is causing this? Is it a valid Apple one or one trying to get my password?

I have not knowingly set an app-specific password.

and in normal use ie not just after awake I got the box again but a more interesting log

24/03/2016 11:51:12.488 identityservicesd[8431]: [Warning] Registration failed for Registration info (0x7ff8e1435230): [Registered: NO] [Type: AppleID] [Device Name: (null)] [Service Type: com.apple.private.alloy.maps] [Env: (null)] [Main ID: example@mac.com] [Phone Number: example@mac.com] [AppleID: example@mac.com] [UserID: E: example@mac.com] [C2K: NO] [Push Token: <f72dd563 26eccf96 f9e058ca b26ff2b7 fa67c0e9 e7b8e17e a9c86f31 c8d5f217>] [Region ID: R:GB] [Base Number: +440000000000] [URIs: ()] [Candidates: (example@mac.com, example@icloud.com, example@me.com)] [Auth Cert: 0x0] [Reg Cert: 0x0] [Profile ID: D:53092237] [Auth User ID: (null)] [Heartbeat Date: (null)]   (Error: 0)

From that list of contacts it does look message related but still what proof is that this is from Apple and note my Message does not work even if I provide a password(see other question)

Best Answer

The process displaying the iCloud Password window on OS X Yosemite is: 

/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter

The way to confirm: navigate to and read the contents of the answers under this question on SuperUser:

  • The first one contains a link to a blog post describing a way to debug the very same problem (iCloud Password window). Author suggests running the following script and moving the window in question with a mouse/trackpad. The script discovers position change and prints the details of a window that was moved.

    #!/usr/bin/env python

import time
from Quartz import CGWindowListCopyWindowInfo, kCGWindowListExcludeDesktopElements, kCGNullWindowID
from Foundation import NSSet, NSMutableSet

wl1 = CGWindowListCopyWindowInfo(kCGWindowListExcludeDesktopElements, kCGNullWindowID)
print 'Move target window'
time.sleep(5)
wl2 = CGWindowListCopyWindowInfo(kCGWindowListExcludeDesktopElements, kCGNullWindowID)

w = NSMutableSet.setWithArray_(wl1)
w.minusSet_(NSSet.setWithArray_(wl2))
print '\nList of windows that moved:'
print w
print '\n'

  • The other answer points to a github project mac_list_windows_pids with a Python script that lists currently active windows and their processes. You can run it twice with the iCloud Password window active and after closing, save the results to text files and diff them.

Both scripts in my case pointed to UserNotificationCenter process, which after ps -ef revealed the following executable: 

/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter

For ultimate confirmation you can check if the window would disappear after:

$ pkill UserNotificationCenter

Next you can check the validity of the app's signature using the following command:

$ codesign --verify --no-strict -vvvv /System/Library/CoreServices/UserNotificationCenter.app
/System/Library/CoreServices/UserNotificationCenter.app: valid on disk
/System/Library/CoreServices/UserNotificationCenter.app: satisfies its Designated Requirement

And check the signature with (with results from my OS X 10.10.5 (14F1605) for reference):

$ codesign -dvvv /System/Library/CoreServices/UserNotificationCenter.app
Executable=/System/Library/CoreServices/UserNotificationCenter.app/Contents/MacOS/UserNotificationCenter
Identifier=com.apple.UserNotificationCenter
Format=bundle with Mach-O universal (i386 x86_64)
CodeDirectory v=20100 size=501 flags=0x0(none) hashes=18+3 location=embedded
Hash type=sha1 size=20
CDHash=0598cd2dae69538404bc861d92dc9baece3cf56c
Signature size=4097
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=19
TeamIdentifier=not set
Sealed Resources version=2 rules=14 files=4
Internal requirements count=1 size=80

Also for reference SHA of the executable is 301e4caa71c9e0add012705c2e61be97d801717c.

Of course everyone should test for themselves to make sure no other program impersonates this window.

While not related, there is a report that a phishing method mimicking the iCloud password prompt has been used on iOS, so it is a valid concern.

As for the problem itself it seems to be commonly reported. Disabling the UserNotificationCenter with the following command prevented the window from appearing:

$ sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.UserNotificationCenter.plist
Related Question