Add items to particular OS X keychain other than the default - macos

I am developing a macOS application. I am creating my own keychain. The keychain file is stored at a particular location on the Disk. Every time I launch the application, I have to write and read data from this keychain.
I am unable to find the correct way to add items to this particular keychain. I am using SecItemAdd(). I want to specify to which keychain SecItemAdd() should add the item.

Have you tried SecKeychainSetDefault? From its description:
In most cases, your application should not need to set the default keychain, because this is a choice normally made by the user. You may call this function to change where a password or other keychain items are added, but since this is a user choice, you should set the default keychain back to the user specified keychain when you are done.
Of course you will need other calls to obtain the SecKeychainRef argument this call requires etc., e.g. SecKeychainOpen, SecKeychainCopyDefault.
HTH
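As an added example (not part of the original answer), two Swift helpers that add a generic password to a specific file-based keychain. The second follows the answer's approach of swapping the default keychain with SecKeychainSetDefault and restoring it afterwards; the first goes a step further and names the target keychain directly through the kSecUseKeychain query key, so the user's default is never changed. The keychain path, service and account names are assumptions.

```swift
import Foundation
import Security

// Assumed location of the app's own keychain file (constructed for this example).
let customKeychainPath = "/Users/example/Library/Keychains/myapp.keychain-db"
let service = "com.example.myapp"   // assumed service name for the items

// Open an existing file-based keychain by path (legacy macOS keychain API).
func openKeychain(at path: String) throws -> SecKeychain {
    var keychain: SecKeychain?
    let status = SecKeychainOpen(path, &keychain)
    guard status == errSecSuccess, let kc = keychain else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
    return kc
}

// Variant 1: name the target keychain with kSecUseKeychain, so the user's
// default keychain is never touched.
func addPassword(_ secret: Data, account: String, to keychain: SecKeychain) -> OSStatus {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        kSecUseKeychain as String: keychain,
    ]
    return SecItemAdd(query as CFDictionary, nil)
}

// Variant 2: the answer's approach. Swap the default keychain, add the item,
// and restore the user's default afterwards even if the add fails.
func addPasswordViaDefault(_ secret: Data, account: String, to keychain: SecKeychain) -> OSStatus {
    var previousDefault: SecKeychain?
    guard SecKeychainCopyDefault(&previousDefault) == errSecSuccess else { return errSecNoDefaultKeychain }
    guard SecKeychainSetDefault(keychain) == errSecSuccess else { return errSecInvalidKeychain }
    defer { SecKeychainSetDefault(previousDefault) }   // put the user's choice back
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
    ]
    return SecItemAdd(query as CFDictionary, nil)
}
```

Call `openKeychain(at:)` once at launch and pass the resulting SecKeychain to either helper; both return the raw OSStatus from SecItemAdd (errSecDuplicateItem if the account already exists in that keychain).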

Related

How can we manually delete items belonging to a specific Access Group from a Mac OS Data Protection Keychain?

In my Mac application, I'm using SecKeyCreateRandomKey to create a Secure Enclave key (kSecAttrTokenID as kSecAttrTokenIDSecureEnclave) with a custom kSecAttrAccessGroup that is specific to my app and a known label that the app can use to retrieve a reference to that key.
When my app runs, the key is created just fine and my app can access it, sign blobs, etc. However, I haven't been able to find a way to manually delete this secret from my "Local Items" keychain (tried through the security CLI and Keychain Access UI). My guess is that those applications don't have the necessary entitlement to see my secret. Is there a way I can use my root privileges / user creds to manually delete this item, or will I always have to get my app to do so?
Full dictionary of attributes given to SecKeyCreateRandomKey:
// Objective-C++ under ARC; the SecAccessControl is bridged into the dictionary
// so the Secure Enclave key is created with the private-key-usage constraint.
NSDictionary *attributes = @{
    (id)kSecAttrAccessGroup: @"<team identifier>.<bundle identifier>.signingkey",
    (id)kSecAttrKeyType: (id)kSecAttrKeyTypeECSECPrimeRandom,
    (id)kSecAttrTokenID: (id)kSecAttrTokenIDSecureEnclave,
    (id)kSecAttrKeySizeInBits: @256,
    (id)kSecAttrLabel: @"CustomAppSigningKey",
    (id)kSecPrivateKeyAttrs: @{
        (id)kSecAttrIsPermanent: @YES,
        (id)kSecAttrAccessControl: (__bridge_transfer id)SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            kSecAccessControlPrivateKeyUsage, nullptr)
    }
};

How to set kSecAccessControlUserPresence?

I am trying to securely store passwords in Keychain while requiring user presence (through Touch ID) to access them.
According to the docs, this can be achieved by setting “Access Control Constants like kSecAccessControlUserPresence on their keychain entry”.
I have no clue how this is done.
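An added example (not from the question or any answer on this page) showing where the access-control object goes: a SecAccessControl built with the userPresence flag is passed as kSecAttrAccessControl when the password is stored, and every later read triggers the Touch ID or password prompt. The service and account names are assumptions, and the item is placed in the data-protection keychain, which is the macOS keychain that honours SecAccessControl.

```swift
import Foundation
import Security
import LocalAuthentication

let service = "com.example.myapp"   // assumed service identifier

// Access control: readable only while unlocked, bound to this Mac, and each
// read requires user presence (Touch ID, with the account password as fallback).
func makeUserPresenceControl() throws -> SecAccessControl {
    var error: Unmanaged<CFError>?
    guard let ac = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .userPresence, &error) else { throw error!.takeRetainedValue() }
    return ac
}

// Store the password with the constraint attached. kSecUseDataProtectionKeychain
// selects the iOS-style keychain on macOS 10.15+, which enforces SecAccessControl.
func storePassword(_ password: String, account: String) throws -> OSStatus {
    let ac = try makeUserPresenceControl()
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrAccessControl as String: ac,
        kSecUseDataProtectionKeychain as String: true,
        kSecValueData as String: Data(password.utf8),
    ]
    return SecItemAdd(query as CFDictionary, nil)
}

// Read it back; the system shows the authentication prompt with this reason.
func readPassword(account: String) -> String? {
    let context = LAContext()
    context.localizedReason = "Unlock the stored password"
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecUseDataProtectionKeychain as String: true,
        kSecUseAuthenticationContext as String: context,
        kSecReturnData as String: true,
    ]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let data = result as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}
```

If the user cancels the prompt, SecItemCopyMatching returns errSecUserCanceled and readPassword yields nil rather than the secret.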

Is there a possibility to write information into the iOS keychain programmatically...?

I am generating a random strong password for every user and want the user to use the same password for accessing the application, since the password is going to be hard to remember I wish to store the same in the keychain so it is easy to access.
Of course you can, you must be looking for nativescript-secure-storage plugin.
tns plugin add nativescript-secure-storage

How to check if an application is part of a keychain entry's ACL?

I'm new to Mac development and the keychain concepts. I wish to obtain some clarity on the topics, but I do have a specific question.
I have an app that is privately distributed, not through the app store. My signing certificate changed earlier, so now we have an old app and a new app. They have the same bundle id and filesystem path, but the new app gives a prompt when trying to access keychain entries created by the old app. I need to run this remotely so prompts are not acceptable.
I realised after some research that editing the ACL for the old keychain entries is not possible without giving a prompt, so I've instead decided to delete those keychain entries if and only if the new app does not have access to them. This has to be determined by the installer, which is a third app unrelated to the old or new app.
How do I check if a given application is in a keychain entry's access control list?
Here is the approach I tried: I used SecACLCopyContents on the SecKeychainItemRef to get the array of SecTrustedApplicationRefs.
I then used SecTrustedApplicationCreateFromPath to get a SecTrustedApplicationRef for the new app.
I then iterated over the array of SecTrustedApplicationRef and compared their results of SecTrustedApplicationCopyData to check if any app matches the one I created from the path.
However, I get a match for any two apps as long as they have the same filesystem path, even if they have completely different content. I have probably misunderstood the purpose of SecTrustedApplicationRef and SecTrustedApplicationCopyData.
TL;DR
What is the correct approach to check if some application has access to a keychain entry made long ago? Given that we cannot assume that bundle id and filesystem path are unique identifiers for the contents of the app.
Bonus question: What does security actually compare to determine if an app has permission to access a keychain entry?

Private key changes in Keychain Access not saved

I have exactly the same problem as described here:
"User interaction is not allowed" trying to sign an OSX app using codesign
So now I want to change the private key access control to Allow all applications to access this item. When I check this option everything looks fine; I've been asked to enter the administrator password and after that the window closes.
But when I check the Access Control of the key again the other option is checked again; only allow list of applications...
Already found a solution:
Remove the cert/key from System.
Add the cert/key to login and change the Access Control (changing here worked...).
Copy the cert/key to System. The access control is as it should be.
