Private key changes in Keychain Access not saved - xcode

I have exactly the same problem as described here:
"User interaction is not allowed" trying to sign an OSX app using codesign
So now I want to change the private key access control to "Allow all applications to access this item". When I check this option everything looks fine; I'm asked to enter the administrator password and after that the window closes.
But when I check the Access Control of the key again, the other option is checked again (only allow the list of applications...).

Already found a solution:
Remove the cert/key from System.
Add the cert/key to login and change the Access Control (changing here worked...).
Copy the cert/key to System. The access control is as it should be.

Related

How can we manually delete items belonging to a specific Access Group from a Mac OS Data Protection Keychain?

In my Mac application, I'm using SecKeyCreateRandomKey to create a Secure Enclave key (kSecAttrTokenID as kSecAttrTokenIDSecureEnclave) with a custom kSecAttrAccessGroup that is specific to my app and a known label that the app can use to retrieve a reference to that key.
When my app runs, the key is created just fine and my app can access it, sign blobs, etc. However, I haven't been able to find a way to manually delete this secret from my "Local Items" keychain (tried through the security CLI and Keychain Access UI). My guess is that those applications don't have the necessary entitlement to see my secret. Is there a way I can use my root privileges / user creds to manually delete this item, or will I always have to get my app to do so?
Full dictionary of attributes given to SecKeyCreateRandomKey:
    NSDictionary *attributes = @{
        (__bridge id)kSecAttrAccessGroup: @"<team identifier>.<bundle identifier>.signingkey",
        (__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeECSECPrimeRandom,
        (__bridge id)kSecAttrTokenID: (__bridge id)kSecAttrTokenIDSecureEnclave,
        (__bridge id)kSecAttrKeySizeInBits: @256,
        (__bridge id)kSecAttrLabel: @"CustomAppSigningKey",
        (__bridge id)kSecPrivateKeyAttrs: @{
            (__bridge id)kSecAttrIsPermanent: @YES,
            // Private key usable only while the device is unlocked, never migrated to another device
            (__bridge id)kSecAttrAccessControl: (__bridge_transfer id)SecAccessControlCreateWithFlags(
                kCFAllocatorDefault,
                kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                kSecAccessControlPrivateKeyUsage, nullptr)
        }
    };
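The question has no answer on this page. As an added example (not the poster's code), the in-app cleanup path the question mentions: the process that holds the keychain-access-groups entitlement for the custom group looks the Secure Enclave key up by the same label, access group and token, and deletes it itself. The `<team identifier>.<bundle identifier>` placeholders are kept from the question.

```objc
// Added example, not from the original post. Assumes the calling app is
// entitled for the same access group used when the key was created.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

static NSString *const kAppSigningKeyLabel = @"CustomAppSigningKey";
static NSString *const kAppSigningKeyGroup =
    @"<team identifier>.<bundle identifier>.signingkey";   // placeholder from the question

// One query shared by lookup and deletion, so both address the same item:
// key class, the app's label, the custom access group and the Secure Enclave token.
static NSDictionary *SigningKeyQuery(void) {
    return @{
        (__bridge id)kSecClass: (__bridge id)kSecClassKey,
        (__bridge id)kSecAttrLabel: kAppSigningKeyLabel,
        (__bridge id)kSecAttrAccessGroup: kAppSigningKeyGroup,
        (__bridge id)kSecAttrTokenID: (__bridge id)kSecAttrTokenIDSecureEnclave,
    };
}

// YES if a key matching the query is currently present and visible to this process.
static BOOL SigningKeyExists(void) {
    NSMutableDictionary *query = [SigningKeyQuery() mutableCopy];
    query[(__bridge id)kSecReturnRef] = @YES;
    CFTypeRef keyRef = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &keyRef);
    if (keyRef) CFRelease(keyRef);
    return status == errSecSuccess;
}

// Deletes the key. "Not found" is treated as success so repeated calls are
// idempotent; any other status (for example errSecMissingEntitlement when the
// caller is not entitled for the access group) is returned to the caller.
static OSStatus DeleteSigningKey(void) {
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)SigningKeyQuery());
    return status == errSecItemNotFound ? errSecSuccess : status;
}

int main(void) {
    @autoreleasepool {
        NSLog(@"key present before delete: %d", SigningKeyExists());
        OSStatus status = DeleteSigningKey();
        NSLog(@"delete status: %d, present after: %d", (int)status, SigningKeyExists());
        return status == errSecSuccess ? 0 : 1;
    }
}
```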

Add items to particular OS X keychain other than the default

I am developing a macOS application. I am creating my own keychain. The keychain file is stored at a particular location on the disk. Every time I launch the application, I have to write and read data from this keychain.
I am unable to find the correct way to add items to this particular keychain. I am using SecItemAdd(). I want to specify to which keychain SecItemAdd() should add the item.
Have you tried SecKeychainSetDefault? From its description:
In most cases, your application should not need to set the default keychain, because this is a choice normally made by the user. You may call this function to change where a password or other keychain items are added, but since this is a user choice, you should set the default keychain back to the user specified keychain when you are done.
Of course you will need other calls to obtain the SecKeychainRef argument this call requires etc., e.g. SecKeychainOpen, SecKeychainCopyDefault.
HTH
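The sequence the answer describes, as an added example (not the answer's own code): open the keychain file with SecKeychainOpen, remember the user's default with SecKeychainCopyDefault, make the file the default for the duration of the SecItemAdd call, then put the user's default back. The keychain path and the service/account values are placeholders; the keychain file is assumed to already exist and be unlocked.

```objc
// Added example, not from the original answer.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Adds one generic-password item to the keychain file at keychainPath.
// Returns the status of SecItemAdd, or of whichever earlier step failed.
static OSStatus AddPasswordToKeychainFile(NSString *keychainPath,
                                          NSString *service,
                                          NSString *account,
                                          NSData *secret) {
    SecKeychainRef target = NULL;
    OSStatus status = SecKeychainOpen([keychainPath fileSystemRepresentation], &target);
    if (status != errSecSuccess) return status;

    // Remember the user's default keychain so it can be restored afterwards,
    // as the quoted documentation asks.
    SecKeychainRef previousDefault = NULL;
    status = SecKeychainCopyDefault(&previousDefault);
    if (status != errSecSuccess) { CFRelease(target); return status; }

    status = SecKeychainSetDefault(target);
    if (status == errSecSuccess) {
        NSDictionary *item = @{
            (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
            (__bridge id)kSecAttrService: service,
            (__bridge id)kSecAttrAccount: account,
            (__bridge id)kSecValueData: secret,
        };
        status = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
        // Restore the user's choice whether or not the add succeeded.
        SecKeychainSetDefault(previousDefault);
    }
    CFRelease(previousDefault);
    CFRelease(target);
    return status;
}

int main(void) {
    @autoreleasepool {
        // Placeholder path: a keychain file the app created earlier.
        NSString *path = [@"~/Library/Keychains/MyApp.keychain-db" stringByExpandingTildeInPath];
        NSData *secret = [@"placeholder-secret" dataUsingEncoding:NSUTF8StringEncoding];
        OSStatus status = AddPasswordToKeychainFile(path, @"com.example.myapp", @"user1", secret);
        NSLog(@"SecItemAdd into %@: %d", path, (int)status);
        return status == errSecSuccess ? 0 : 1;
    }
}
```

SecItemAdd also accepts a kSecUseKeychain entry (a SecKeychainRef) in the attribute dictionary, which targets a specific keychain for the add without changing the user's default at all.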

Got -25293(errSecAuthFailed) when access keychain item after app is updated

We're developing a Mac app (non-sandboxed) that needs to access an SSL client certificate in the keychain.
When the app first launches, there is a prompt to confirm access to the keychain item, with the options: always allow, allow, deny. Which is fine.
When the user chooses always allow, the next time the user launches the app, the app has the right access to use that certificate. But when our app is updated (our app updates using Sparkle, which simply replaces the .app file on disk, then relaunches the app), the updated app SOMEHOW CAN NOT ACCESS THIS CERTIFICATE, and gets error -25293 (errSecAuthFailed).
Console output:
Dec 10 19:21:55 userMacBook-Pro.local com.apple.SecurityServer[15]: suppressing keychain prompt for invalidly signed client /Applications/My-APP.app(42277)
Dec 10 19:21:55 userMacBook-Pro.local My-APP[42277]: CFNetwork SSLHandshake failed (-25293)
Error Domain=kCFStreamErrorDomainSSL Code=-25293
Then I checked that private key in the keychain; the app's name is still in the access control panel. Finally, I rebooted the system, and the updated app could access this certificate again (without any prompt to confirm access to the keychain item) and everything works fine. So, how can I keep the app's access to the certificate after an update without rebooting the system? But this bug is not always shown: if the system has just booted (not been running for hours), the app can update several times and keep the right to the certificate.
The app is always in the access control list after the user clicks "Always Allow".
PS: if I manually go to the access control list and choose "Allow all applications to access this item", then the app has the right access. But we can not let our users do this operation.
After some Google searching, I found a similar issue on Sequel Pro:
Won't save passwords on 10.8 12A269
SO, how can I let my app update and keep the right access? I found this issue on several 10.9.x and 10.10.x systems.
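The question has no answer on this page. As an added diagnostic example (not from the question, and not Sparkle's code), a check that can be run against the replaced bundle when the log reports "invalidly signed client": validate the on-disk code signature of the .app and print its designated requirement, which identifies the signed code independently of its version, so the pre-update and post-update values can be compared. The bundle path is a placeholder.

```objc
// Added example, not from the original post.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Validates the static signature of the bundle at bundlePath. On return,
// *requirementOut holds the designated requirement text if it could be read.
static OSStatus CheckBundleSignature(NSString *bundlePath, NSString **requirementOut) {
    NSURL *url = [NSURL fileURLWithPath:bundlePath];
    SecStaticCodeRef code = NULL;
    OSStatus status = SecStaticCodeCreateWithPath((__bridge CFURLRef)url,
                                                  kSecCSDefaultFlags, &code);
    if (status != errSecSuccess) return status;

    // The designated requirement is the identity the signer embedded in the code.
    SecRequirementRef req = NULL;
    if (SecCodeCopyDesignatedRequirement(code, kSecCSDefaultFlags, &req) == errSecSuccess) {
        CFStringRef text = NULL;
        if (SecRequirementCopyString(req, kSecCSDefaultFlags, &text) == errSecSuccess) {
            *requirementOut = (__bridge_transfer NSString *)text;
        }
        CFRelease(req);
    }

    // Check every architecture slice and all nested code (frameworks, helpers),
    // so a partially replaced or stale nested binary is reported too.
    status = SecStaticCodeCheckValidity(code,
                                        kSecCSCheckAllArchitectures | kSecCSCheckNestedCode,
                                        NULL);
    CFRelease(code);
    return status;
}

int main(void) {
    @autoreleasepool {
        NSString *path = @"/Applications/My-APP.app";   // placeholder path from the log line
        NSString *requirement = nil;
        OSStatus status = CheckBundleSignature(path, &requirement);
        NSString *message = (__bridge_transfer NSString *)SecCopyErrorMessageString(status, NULL);
        NSLog(@"designated requirement: %@", requirement ?: @"(unreadable)");
        NSLog(@"static validity: %d (%@)", (int)status, message);
        return status == errSecSuccess ? 0 : 1;
    }
}
```

A non-zero status here after an update (with a zero status for the previous build) points at the replaced bundle's signature rather than at the keychain ACL entry.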

How do you make a Firefox extension password protected?

As in, when I install an add-on, and Firefox restarts, it should accept a password (only the first time when installing). And when the user wants to disable or remove the add-on, it will only comply upon entering the same password? In which part would the code be kept?
You cannot. Even if you disable add-on uninstall - the user can always close the browser and remove the extension manually (removing the directory on disk will do).
That said, the secure way of storing passwords is the login manager. They will be stored encrypted on disk if the user defines a master password. Of course, the user himself can always see the stored passwords (under Options / Security / Saved Passwords). So you probably want to store a salted hash of the password rather than the password itself.
You can also use AddonManager.addAddonListener() to get notified whenever an add-on is being disabled or uninstalled. You can cancel the action by calling addon.cancelUninstall() or setting addon.userDisabled = false.
The above is merely for reference - it won't really help you achieve your goal.

Building a custom credential provider for Windows 7

After looking through the code for building custom credential providers for Windows 7, I managed to get my own tile to show up on the logon screen, and can logon as the desired user. However, I am trying to implement a system where an event (a Bluetooth device in range) triggers a logon/unlock, without needing to click on the tile.
I can set it to fill in the password automatically (maybe I will implement pulling the password from the device), but either way, I must click the tile first. If it is locked, I need to click "Other Credentials" before that, too.
How would I go about implementing the logon credential provider without displaying a tile on the logon screen? It would be nice if I could keep the existing password option focused, and bypass it the moment the device comes in range.
EDIT: I made some progress, but I still think I need to do this without a tile. If I set the *pbAutoLogon parameter to true, and fill in the username and password before that, then the following behavior occurs:
If the default credential is selected (lock/unlock), then I need to click on "other credentials". If I log off, both credentials are displayed by default.
If both credentials are shown, and my provider is enabled after that, then the logon is automatic.
If my provider is enabled first, then "other credentials" is selected, I still need to click on my provider, after which logon is automatic.
You need to change your credential settings to log in automatically and then your provider needs to tell LoginUI that the credentials have changed.
One of the sample credential providers supplied by Microsoft works in this way.
