Got -25293 (errSecAuthFailed) when accessing keychain item after app is updated - macOS

We're developing a Mac app (non-sandboxed) that needs to access an SSL client certificate in the keychain.
When the app first launches, there is a prompt to confirm access to the keychain item, with the options Always Allow, Allow and Deny, which is fine.
When the user chooses Always Allow, the next time the user launches the app, the app has the right to use that certificate. But when our app is updated (our app updates using Sparkle, which simply replaces the .app file on disk and then relaunches the app), the updated app SOMEHOW CAN NOT ACCESS THIS CERTIFICATE, and gets error -25293 (errSecAuthFailed).
Console output:
Dec 10 19:21:55 userMacBook-Pro.local com.apple.SecurityServer[15]: suppressing keychain prompt for invalidly signed client /Applications/My-APP.app(42277)
Dec 10 19:21:55 userMacBook-Pro.local My-APP[42277]: CFNetwork SSLHandshake failed (-25293)
Error Domain=kCFStreamErrorDomainSSL Code=-25293
Then I checked that private key in the keychain: the app's name is still in the Access Control panel. Finally, I rebooted the system, and the updated app could access this certificate again (without any prompt to confirm access to the keychain item), and everything worked fine. So, how can I keep the app's right to access the certificate after an update, without rebooting the system? This bug is not always shown: if the system has just booted (not been running for hours), the app can be updated several times and keep the right to the certificate.
The app is always in the Access Control list after the user clicks "Always Allow".
PS: if I manually go to the Access Control list and choose "Allow all applications to access this item", then the app has the right access. But we can not ask our users to do this operation.
After some Google searching, I found a similar issue on Sequel Pro:
Won't save passwords on 10.8 12A269
SO, how can I let my app update and keep the right access? I found this issue on several 10.9.x and 10.10.x systems.

Related

Accept the "Play App Signing Terms" without uploading a certificate first

I am migrating a few apps to App Signing and to Android App Bundle. But since I'm not an account owner or account admin, I can't do it.
In order to do it, you need to:
Upload the signing key (and optionally the upload key)
Accept the terms
The problem is that I am the developer, an admin only of my specific app. The terms have to be accepted by the account owner/admin. The account owner does not have the signing key, and shouldn't. So I'm not sure how to proceed, as neither of us has all the prerequisites for completing the process.
Q: Can the account owner somehow just accept the "Play App Signing Terms of Service" without having to upload a key?
P.S. There's the option of asking the account owner to make me account admin, which allows me to accept these specific terms (I'm currently only app admin). However, the account owner is not comfortable giving me such high privileges, as they also have other apps on the same account. Not a solution.
Yes.
Ask the owner to go to the Google Play Console and, from the left menu, select Setup > App integrity.
Click on the Create release button.
Then click on Change app signing key.
Choose Use Google-generated key.
Accept the license agreement.
And voilà, now you can use it without admin privileges.
Note: This has been tested many times before.

How to check if an application is part of a keychain entry's ACL?

I'm new to Mac development and the keychain concepts. I wish to obtain some clarity on the topics, but I do have a specific question.
I have an app that is privately distributed, not through the app store. My signing certificate changed earlier, so now we have an old app and a new app. They have the same bundle id and filesystem path, but the new app gives a prompt when trying to access keychain entries created by the old app. I need to run this remotely so prompts are not acceptable.
I realised after some research that editing the ACL for the old keychain entries is not possible without giving a prompt, so I've instead decided to delete those keychain entries if and only if the new app does not have access to them. This has to be determined by the installer, which is a third app unrelated to the old or new app.
How do I check if a given application is in a keychain entry's access control list?
Here is the approach I tried: I used SecACLCopyContents on the SecKeychainItemRef to get the array of SecTrustedApplicationRefs.
I then used SecTrustedApplicationCreateFromPath to get a SecTrustedApplicationRef for the new app.
I then iterated over the array of SecTrustedApplicationRef and compared their results of SecTrustedApplicationCopyData to check if any app matches the one I created from the path.
However, I get a match for any two apps as long as they have the same filesystem path, even if they have completely different content. I have probably misunderstood the purpose of SecTrustedApplicationRef and SecTrustedApplicationCopyData.
TL;DR
What is the correct approach to check if some application has access to a keychain entry made long ago? Given that we cannot assume that bundle id and filesystem path are unique identifiers for the contents of the app.
Bonus question: What does security actually compare to determine if an app has permission to access a keychain entry?
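The two macOS keychain questions above touch the same two things: whether the SecurityServer still treats the client as validly signed (the "suppressing keychain prompt for invalidly signed client" line in the first post), and what a key's ACL actually records for each trusted application (the SecACLCopyContents / SecTrustedApplicationCopyData approach in the post just above). The following is an added example, not code from either poster, that runs both checks against a real keychain: it verifies the on-disk bundle signature and this process's own dynamic signature with the Security framework's code-signing APIs, then walks the ACL of a private key found by label and compares each trusted-application entry with the data SecTrustedApplicationCreateFromPath produces for a given bundle path. Assumed: the key label and bundle path are taken from the command line, Objective-C with ARC, and the legacy SecTrustedApplication/SecACL functions (deprecated since 10.10 but still present), so expect deprecation warnings when building.

```objectivec
// acl_check.m - added example, not code from either post.
// Build: clang -fobjc-arc -framework Foundation -framework Security acl_check.m -o acl_check
// Run:   ./acl_check "<key label as shown in Keychain Access>" /Applications/My-APP.app
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Static signature check of a bundle on disk; errSecSuccess (0) means codesign-valid.
static OSStatus verifyOnDiskSignature(NSString *appPath) {
    NSURL *url = [NSURL fileURLWithPath:appPath];
    SecStaticCodeRef code = NULL;
    OSStatus st = SecStaticCodeCreateWithPath((__bridge CFURLRef)url, kSecCSDefaultFlags, &code);
    if (st != errSecSuccess) return st;
    st = SecStaticCodeCheckValidity(code, kSecCSDefaultFlags, NULL);
    CFRelease(code);
    return st;
}

// Dynamic signature check of the running process, i.e. the client as the
// SecurityServer sees it when deciding whether to prompt or to grant access.
static OSStatus verifySelfSignature(void) {
    SecCodeRef me = NULL;
    OSStatus st = SecCodeCopySelf(kSecCSDefaultFlags, &me);
    if (st != errSecSuccess) return st;
    st = SecCodeCheckValidity(me, kSecCSDefaultFlags, NULL);
    CFRelease(me);
    return st;
}

// Find a key in the user's keychains by label. Keychain-backed SecKeyRefs can be
// used as SecKeychainItemRefs; the caller releases the result.
static SecKeychainItemRef copyKeyItemWithLabel(NSString *label) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:      (__bridge id)kSecClassKey,
        (__bridge id)kSecAttrLabel:  label,
        (__bridge id)kSecReturnRef:  @YES,
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus st = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    return (st == errSecSuccess) ? (SecKeychainItemRef)result : NULL;
}

// Print every ACL entry of the item and return YES if any trusted-application
// entry's recorded data equals the data derived from appPath. As the post above
// observed, this comparison is path-based: two different builds installed at the
// same path compare equal here, so it does not prove the new build is authorised.
static BOOL appPathAppearsInACL(SecKeychainItemRef item, NSString *appPath) {
    SecAccessRef access = NULL;
    if (SecKeychainItemCopyAccess(item, &access) != errSecSuccess) return NO;

    SecTrustedApplicationRef candidate = NULL;
    CFDataRef candidateData = NULL;
    if (SecTrustedApplicationCreateFromPath([appPath fileSystemRepresentation], &candidate) == errSecSuccess) {
        SecTrustedApplicationCopyData(candidate, &candidateData);
        CFRelease(candidate);
    }

    BOOL found = NO;
    CFArrayRef acls = NULL;
    if (SecAccessCopyACLList(access, &acls) == errSecSuccess) {
        for (CFIndex i = 0; i < CFArrayGetCount(acls); i++) {
            SecACLRef acl = (SecACLRef)CFArrayGetValueAtIndex(acls, i);
            CFArrayRef apps = NULL; CFStringRef desc = NULL; SecKeychainPromptSelector sel = 0;
            if (SecACLCopyContents(acl, &apps, &desc, &sel) != errSecSuccess) continue;
            CFArrayRef auths = SecACLCopyAuthorizations(acl);
            // apps == NULL is the "Allow all applications to access this item" case.
            NSLog(@"ACL %ld \"%@\" auths=%@ apps=%@", (long)i, (__bridge NSString *)desc,
                  (__bridge NSArray *)auths, apps ? @(CFArrayGetCount(apps)) : @"any");
            for (CFIndex j = 0; apps && j < CFArrayGetCount(apps); j++) {
                SecTrustedApplicationRef app = (SecTrustedApplicationRef)CFArrayGetValueAtIndex(apps, j);
                CFDataRef data = NULL;
                if (SecTrustedApplicationCopyData(app, &data) != errSecSuccess) continue;
                NSLog(@"   app[%ld]: %@", (long)j,
                      [[NSString alloc] initWithData:(__bridge NSData *)data encoding:NSUTF8StringEncoding]);
                if (candidateData && CFEqual(candidateData, data)) found = YES;
                CFRelease(data);
            }
            if (apps) CFRelease(apps);
            if (desc) CFRelease(desc);
            if (auths) CFRelease(auths);
        }
        CFRelease(acls);
    }
    if (candidateData) CFRelease(candidateData);
    CFRelease(access);
    return found;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc != 3) { fprintf(stderr, "usage: %s <key label> </path/to/App.app>\n", argv[0]); return 2; }
        NSString *label = @(argv[1]), *appPath = @(argv[2]);
        NSLog(@"on-disk signature of %@: %d", appPath, (int)verifyOnDiskSignature(appPath));
        NSLog(@"this process's signature: %d", (int)verifySelfSignature());
        SecKeychainItemRef item = copyKeyItemWithLabel(label);
        if (!item) { NSLog(@"no key labelled \"%@\"", label); return 1; }
        BOOL ok = appPathAppearsInACL(item, appPath);
        CFRelease(item);
        NSLog(@"%@ %@ in the ACL", appPath, ok ? @"appears" : @"does not appear");
        return ok ? 0 : 1;
    }
}
```

Run it once from a fresh boot and again after a Sparkle-style replace of the bundle while the old process is still running: the two signature statuses and the ACL dump give a concrete record of what the SecurityServer is being asked to evaluate, which is what a bug report on this behaviour needs. Passing NULL as the requirement to the two CheckValidity calls only asks whether the signature is intact, not whether it matches a particular designated requirement.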

Private key changes in Keychain Access not saved

I have exactly the same problem as described here:
"User interaction is not allowed" trying to sign an OSX app using codesign
So now I want to change the private key's access control to "Allow all applications to access this item". When I check this option everything looks fine; I'm asked to enter the administrator password and after that the window closes.
But when I check the Access Control of the key again, the other option is checked again: only allow the list of applications...
Already found a solution:
Remove the cert/key from System.
Add the cert/key to login and change the Access Control (changing here worked...).
Copy the cert/key to System. The access control is as it should be.

Setting 'Default' keychain for another user on Mac OSX

I am having trouble logging in to my usual admin account on my Mac OSX running Lion. Here's what happened:
I have two user-accounts on my mac (let's say MyAccount and Dummy)
I created a new keychain in Keychain Access on MyAccount to test out something and set it to Default
I then logged in to Dummy and did some work there
I later came back to MyAccount and deleted the new Default keychain and went back to Dummy to continue what I was doing
I then shut down the mac and tried logging in to MyAccount but I keep looping back to the log-in screen
I tried turning on the root user from Dummy but how do I go about from there?
I am guessing that since I deleted the new keychain and did not set "login" back to default, this messed up something
How do I log in to MyAccount now ?

Difference between Certificates in "login" and "System" for Xcode

I tried to find an answer to this stupid question, but didn't find one. I am getting the error CSSMERR_TP_NOT_TRUSTED and I am trying to fix it.
My question is: What difference does it make to put a certificate in "login" or in "System" in the "Keychains" tab of the "Keychain Access" program? Is it a good idea to copy and paste all certificates into both places?
Saying things like "Certificates in login are for use at login, and in System for the system" isn't the answer. :)
The System keychain is for system-wide items. So if you were to have an identity for your laptop, that would be in your System keychain. Every user has access to it as well, so it's a good place for things like SSL certificates. It also takes admin credentials to modify it.
On the flip side, you are the only person who can access your login keychain. It's actually locked with your account password. This is where your Apple Developer certificates should go. They are specific to you and identify a person, not a machine. Another big plus is that applications can request access to it without having admin credentials.
