After a pen test it has been suggested we use kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly for keychain accessibility. It is currently using kSecAttrAccessibleAfterFirstUnlockValue
We only store name, email, SMS, etc. in our keychain, but I've been asked to explore how much effort this would be.
My initial concern is what happens to users without a passcode? Is there a way to enforce this for users with a passcode but fallback to something else for other users?
Thanks
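One way to do the passcode-dependent fallback asked about above, as an added example that is not code from the post; the service and account names are placeholders, and the fallback class is an assumption:

```swift
import Foundation
import LocalAuthentication
import Security

// Added example, not from the post. Service and account names are placeholders.
enum KeychainStore {
    /// True when a device passcode is set. deviceOwnerAuthentication (passcode, or
    /// biometry backed by a passcode) cannot be evaluated on a device without one.
    static func devicePasscodeIsSet() -> Bool {
        var error: NSError?
        return LAContext().canEvaluatePolicy(.deviceOwnerAuthentication, error: &error)
    }

    /// Strongest accessibility class this device can honour right now.
    /// Assumed fallback: WhenUnlockedThisDeviceOnly (use AfterFirstUnlockThisDeviceOnly
    /// instead if the values must be readable from a background task).
    static func preferredAccessibility() -> CFString {
        devicePasscodeIsSet()
            ? kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
            : kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    }

    @discardableResult
    static func save(_ value: String, service: String, account: String) -> OSStatus {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        SecItemDelete(query as CFDictionary)   // replace any existing item so the new class applies
        var add = query
        add[kSecValueData as String] = Data(value.utf8)
        add[kSecAttrAccessible as String] = preferredAccessibility()
        return SecItemAdd(add as CFDictionary, nil)
    }

    /// Returns nil when the item is absent, which is also what callers see after the
    /// user removes their passcode: the system deletes WhenPasscodeSet items then.
    static func load(service: String, account: String) -> String? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
        ]
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }
}
```

Because items in the WhenPasscodeSet class disappear when the passcode is turned off, every read path must treat a missing item as a normal outcome and re-fetch the value rather than fail.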
Security: Secure the data your app manages and control access to your app using the Security framework.
I'm working on an app that uses CommonCrypto. The app works perfectly well on my own computer, but when using the very same exe build on another computer it "quit unexpectedly". Suspecting that the issue could be in the said module, I commented out the few lines that require the module and problem solved!
Now, as I need to use the module at the very beginning of the app, to perform certain security operations, I'm wondering what I could do to ensure the module is included in the build, so the app may work on any other computer as well. This sounds weird, because I would have assumed either that the module was to be included in the build or, if not, an error claiming the lack of it should have been produced.
(Within Xcode) what setting should I change when building the app for use on other computers, so as to ensure the operations that require this module can be completed?
Although this may not be relevant, I'm using Swift 5, Xcode 15 (latest versions) and Sonoma 14.2.1.
"kSecTrustResultProceed indicates that the user has explicitly trusted a certificate."
Problem: kSecTrustResultProceed is returned from SecTrustEvaluate for some users (733 per million), while their cert chain contains no explicitly trusted certs:
cert chain:
***.***.com
Go Daddy Secure Certificate Authority - G2
Go Daddy Root Certificate Authority - G2
(Go Daddy is trusted on iOS, not explicitly trusted)
I cannot reproduce this on my phone, but it does exist, for some users, including iOS 17.
Any thoughts?
SecTrustResultType res = kSecTrustResultInvalid;
SecTrustEvaluate(secTrust, &res);
// Unspecified: the chain validates against the system trust store (the common case)
if (res == kSecTrustResultUnspecified) {
    return YES;
}
// Proceed: the user explicitly trusted a certificate in the chain
if (res == kSecTrustResultProceed) {
    // some check... found this question
    return YES;
}
if (res != kSecTrustResultRecoverableTrustFailure) {
    return NO;
}
// some recover...
return recovered;
I have a cert in a keychain that contains a private key. I'd like to add an application to the access control "white list" for that key. I know how to do this using the graphical Keychain Access tool, but I'd like to do it via the command line (inside a post-install script) or programmatically.
Is it possible to do so?
Getting the below error when trying to decrypt an encrypted string sent from my server.
Printing description of error:
▿ Optional<Unmanaged<CFErrorRef>>
▿ some : Unmanaged<CFErrorRef>
- _value : Error Domain=NSOSStatusErrorDomain Code=-50 "<SecKeyRef algorithm id: 1, key type: RSAPrivateKey, version: 4, 2048 bits (block size: 256), addr: 0x600000cb16c0>: sign - input buffer bad size (344 bytes)" UserInfo={numberOfErrorsDeep=0, NSDescription=<SecKeyRef algorithm id: 1, key type: RSAPrivateKey, version: 4, 2048 bits (block size: 256), addr: 0x600000cb16c0>: sign - input buffer bad size (344 bytes)}
I generated the RSA 2048 public private key pairs using
private func getRsaKeyPair() -> (String, SecKey)? {
    // Attributes for the persistent public key; kSecReturnData lets the later lookup return its bytes
    let publicKeyAttr: [NSObject: Any] = [
        kSecAttrIsPermanent: true,
        kSecAttrApplicationTag: "com.appname.one.rsa.public".data(using: String.Encoding.utf8)!,
        kSecClass: kSecClassKey,
        kSecReturnData: kCFBooleanTrue as Any]
    let privateKeyAttr: [NSObject: Any] = [
        kSecAttrIsPermanent: true,
        kSecAttrApplicationTag: "com.appname.one.rsa.private".data(using: String.Encoding.utf8)!,
        kSecClass: kSecClassKey,
        kSecReturnData: kCFBooleanTrue as Any]
    var keyPairAttr = [NSObject: Any]()
    keyPairAttr[kSecAttrKeyType] = kSecAttrKeyTypeRSA
    keyPairAttr[kSecAttrKeySizeInBits] = 2048
    keyPairAttr[kSecPublicKeyAttrs] = publicKeyAttr
    keyPairAttr[kSecPrivateKeyAttrs] = privateKeyAttr
    var error: Unmanaged<CFError>? = nil
    // Generates the pair and returns the private key; the public half is stored in the keychain
    let privateKey = SecKeyCreateRandomKey(keyPairAttr as CFDictionary, &error)
    if let privateKey {
        var resultPublicKey: AnyObject?
        // Read the public key back as raw bytes (PKCS#1 DER for RSA) to send to the server
        let statusPublicKey = SecItemCopyMatching(publicKeyAttr as CFDictionary, &resultPublicKey)
        if statusPublicKey == noErr {
            if let publicKey = resultPublicKey as? Data {
                return (publicKey.base64EncodedString(), privateKey)
            }
        }
    }
    return nil
}
I then sent the public key to my Node.js server, which then returned me a string encrypted with the said public key. I decrypt it as follows:
guard let key = data.encStr?.data(using: .utf8) else {
    return
}
print("encStr Size: \(key.count) bytes")
var error: Unmanaged<CFError>? = nil
if let plaintext = SecKeyCreateDecryptedData(privateKey, .rsaEncryptionPKCS1, key as CFData, &error) as? Data {
    print("HURRAY:\(plaintext)")
    if let plainTextStr = String(data: plaintext, encoding: .utf8) {
        print(plainTextStr)
    }
} else {
    print(error.debugDescription)
}
But I get the above-mentioned error when decrypting using my private key.
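A decrypt routine that handles the size check the error above is about, added here as an example rather than code from the post; `privateKey` is assumed to be the SecKey from the post's getRsaKeyPair() and `encStr` the server's base64 text:

```swift
import Foundation
import Security

// Added example, not the poster's code. `privateKey` is assumed to be the SecKey
// returned by the post's getRsaKeyPair(); `encStr` is the server's base64 string.
enum RSADecryptError: Error {
    case notBase64
    case wrongLength(got: Int, expected: Int)
    case notUTF8
}

/// Decrypts a base64-encoded RSA/PKCS#1 v1.5 ciphertext.
/// A 2048-bit key encrypts to exactly 256 bytes, and 256 bytes base64-encode to 344
/// characters: feeding the undecoded text to SecKeyCreateDecryptedData is what
/// produces "input buffer bad size (344 bytes)".
func decryptBase64(_ encStr: String, with privateKey: SecKey) throws -> String {
    guard let ciphertext = Data(base64Encoded: encStr, options: .ignoreUnknownCharacters) else {
        throw RSADecryptError.notBase64
    }
    let blockSize = SecKeyGetBlockSize(privateKey)   // 256 for RSA-2048
    guard ciphertext.count == blockSize else {
        throw RSADecryptError.wrongLength(got: ciphertext.count, expected: blockSize)
    }
    // Padding must match the server: Node's crypto.publicEncrypt defaults to OAEP (SHA-1),
    // so either pass padding: RSA_PKCS1_PADDING there or use .rsaEncryptionOAEPSHA1 here.
    let algorithm: SecKeyAlgorithm = .rsaEncryptionPKCS1
    var error: Unmanaged<CFError>?
    guard let plain = SecKeyCreateDecryptedData(privateKey, algorithm,
                                                ciphertext as CFData, &error) as Data? else {
        throw error!.takeRetainedValue() as Error
    }
    guard let text = String(data: plain, encoding: .utf8) else {
        throw RSADecryptError.notUTF8
    }
    return text
}
```

The public key bytes returned by kSecReturnData for an RSA key are PKCS#1 DER, so the server side must wrap them as an RSA PUBLIC KEY PEM (not a SubjectPublicKeyInfo) before handing them to crypto.publicEncrypt.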
While trying to convert one of our apps to build against visionOS, we noticed that the OpenSSL library apparently does not contain support for visionOS yet:
/.../OpenSSL.xcframework:1:1: While building for visionOS, no library for this platform was found in '/.../OpenSSL.xcframework'.
Can someone confirm that there is no official version of OpenSSL with visionOS platform support?
It seems there has been some effort in the community to find a workaround to this, but I believe it would require building OpenSSL locally, which seems like not a good security practice.
So if someone from Apple can let us know what the right path here forward is, we'd appreciate it.
The macOS app I'm working on accesses keychain items created by other apps—git remote credentials, likely entered in the Terminal or some other git client.
When calling SecItemCopyMatching(), the user is prompted twice in a row:
AppName wants to use your confidential information stored in "host.org" in your keychain.
AppName wants to access key "host.org" in your keychain.
The user needs to enter their login password for each of the two prompts for the access to succeed.
Can I consolidate the two prompts into one? The experience with two alerts is somewhat confusing and tedious, compared to what it could be—especially since there is no way of displaying a usage description string in the window, to reassure and provide context.
Quick Summary
I'm having trouble using SecKeyCreateSignature(deviceSigningKeyRef, .ecdsaSignatureMessageX962SHA256, digest, &error) but when using SecureEnclave.P256.KeyAgreement.PrivateKey().signature(for: digest) the other code I'm using to verify succeeds.
Full use case and code
If I just initiate a SecureEnclave.P256.KeyAgreement.PrivateKey() class variable and then later use signature(for: digest).rawRepresentation to generate a signature, I get a signature value that can be passed to the verifying code
class MyClass {
    // A key that signs is a Signing.PrivateKey; KeyAgreement keys have no signature(for:)
    var myPrivateKey: SecureEnclave.P256.Signing.PrivateKey?
    init() {
        myPrivateKey = try? SecureEnclave.P256.Signing.PrivateKey()
        let myPublicKey = myPrivateKey?.publicKey.rawRepresentation   // shared with the verifier
    }
    func createAndSendSignature(_ digest: Data) {
        // signature(for:) hashes `digest` with SHA-256 itself; rawRepresentation is r||s, 64 bytes
        guard let signature = try? myPrivateKey?.signature(for: digest).rawRepresentation else { return }
        sendSignatureWithDigest(signature, digest)
    }
}
But if I create my key in the keychain via Secure Enclave the way the documentation recommends (here are a few links to start: Signing/Verifying, Keys for encryption), and then retrieve the key representation and use SecKeyCreateSignature, the resulting signature (which I manipulate a little more because it is DER encoded and does not come back as 64 bytes) fails against the verifying code.
struct KeyStoreError: Error { let message: String }

class MyClass {
    var myKeyTag: String = "myKeyTag"

    func createAndStoreKey() throws -> SecKey {
        var error: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .privateKeyUsage,
            &error) else {
            throw error!.takeRetainedValue() as Error
        }
        let attributes: [String: Any] = [
            kSecClass as String: kSecClassKey,
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeySizeInBits as String: 256,
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
            kSecPrivateKeyAttrs as String: [
                kSecAttrIsPermanent as String: true,
                kSecAttrApplicationTag as String: Data(myKeyTag.utf8),   // tag is stored as Data
                kSecAttrAccessControl as String: access,
                kSecAttrCanSign as String: true,
            ],
        ]
        guard let keyRef = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
            throw error!.takeRetainedValue() as Error
        }
        return keyRef
    }

    func getKey() throws -> SecKey {
        let query: [String: Any] = [
            kSecClass as String: kSecClassKey,
            kSecAttrApplicationTag as String: Data(myKeyTag.utf8),
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecReturnRef as String: true,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let key = item else {
            throw KeyStoreError(message: "Unable to retrieve key: \(status)")
        }
        return key as! SecKey
    }

    func createAndSendSignature(_ digest: Data) throws {
        let privKey = try getKey()
        var error: Unmanaged<CFError>?
        guard let signature = SecKeyCreateSignature(
            privKey,
            .ecdsaSignatureMessageX962SHA256,   // hashes `digest` itself, so pass the message
            digest as CFData,
            &error) as Data? else {
            throw error!.takeRetainedValue() as Error
        }
        // Byte count varies because the signature is DER encoded (r and s as INTEGERs)
        let ecdsaSignature = try P256.Signing.ECDSASignature(derRepresentation: signature)
        let signatureBytes = ecdsaSignature.rawRepresentation   // always 64 bytes
        sendSignatureWithDigest(signatureBytes, digest)
    }
}
An important note: digest is not an actual digest but a message that needs to be hashed to turn into a digest? Sorry if that sounds off, my security knowledge is limited.
Please forgive any syntax errors, I can't copy and paste the code and am just extracting the important elements.
Anything helps, thanks!
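The DER-to-raw conversion and a matching CryptoKit verification, written as an added example rather than the poster's code; `privateKey` is assumed to be the Secure Enclave SecKey that the post's getKey() returns, and the example also shows the digest-versus-message distinction the post asks about:

```swift
import CryptoKit
import Foundation
import Security

// Added example, not the poster's code. `privateKey` is assumed to be the Secure
// Enclave SecKey returned by getKey() in the post.

/// Signs `message` and returns the 64-byte r||s form a CryptoKit verifier expects.
/// The "Message" X962SHA256 algorithm hashes `message` internally, so pass the raw
/// bytes; only .ecdsaSignatureDigestX962SHA256 takes a precomputed SHA-256 digest.
func rawSignature(of message: Data, with privateKey: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let der = SecKeyCreateSignature(privateKey,
                                          .ecdsaSignatureMessageX962SHA256,
                                          message as CFData, &error) as Data? else {
        throw error!.takeRetainedValue() as Error
    }
    // DER length varies (about 70 to 72 bytes); rawRepresentation is always 32 + 32 bytes.
    return try P256.Signing.ECDSASignature(derRepresentation: der).rawRepresentation
}

/// Verifies a raw signature with CryptoKit using the public half of the same key,
/// which is what a server holding publicKey.rawRepresentation / x963Representation does.
func verify(raw: Data, message: Data, privateKey: SecKey) throws -> Bool {
    guard let pub = SecKeyCopyPublicKey(privateKey) else { return false }
    var error: Unmanaged<CFError>?
    // For EC keys the external representation is ANSI X9.63 (04 || X || Y)
    guard let x963 = SecKeyCopyExternalRepresentation(pub, &error) as Data? else {
        throw error!.takeRetainedValue() as Error
    }
    let publicKey = try P256.Signing.PublicKey(x963Representation: x963)
    let signature = try P256.Signing.ECDSASignature(rawRepresentation: raw)
    // isValidSignature(_:for:) with Data hashes the message with SHA-256, matching the signer
    return publicKey.isValidSignature(signature, for: message)
}
```

If the remote verifier is instead handed a SHA-256 digest it computed itself, sign with .ecdsaSignatureDigestX962SHA256 over that digest and verify with isValidSignature(_:for:) on a SHA256Digest; mixing the two modes is the usual reason a structurally valid signature fails to verify.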
So I have an app in production. For the past 3 weeks I have been facing an issue. To add any item to the keychain I use the following query:
[kSecClass: kSecClassGenericPassword,
kSecAttrService: type.rawValue,
kSecAttrAccount: identifier,
kSecValueData: dataFromString]
To retrieve data this is the query:
[kSecClass: kSecClassGenericPassword,
kSecAttrService: type.rawValue,
kSecReturnData: true]
A bit more context: whether a user can log in or not using Face ID depends on 3 conditions:
App should have biometrics access
App should be able to fetch clientID from keychain
App should be able to fetch refreshToken from keychain
The app works fine for most users. But since the latest update we did for the app, the retrieve method has been failing, more so for users with iOS 17. I am not able to replicate this locally, and it seems to be a recurring issue for certain users. What could be the source of the issue? And how do I diagnose it in production, given it is not at all reproducible in our test environments?
Hi!
I am trying to make a UI Testing target in Xcode for my Application (Client). It works with Keychain items that are created during installation, so in order to mock this installation behavior I am creating the items like this:
security add-generic-password -U -D "[item_kind]" -a "[account]" -l "[label]" -s [service] -w "[value]" -T path/to/UITest-runner.app -T path/to/Client-app.app
However, during UI Testing, the application is still prompted to access or modify the Keychain Items as seen in the bottom half of this screenshot:
These application paths have been obtained by the find terminal command inside DerivedData/.../Build/Products/... so they are the correct paths (which is also proven I guess by the fact that the apps are correctly listed in the ACL window of Keychain Access as seen on the top half of the screenshot).
I also tried using the -A option instead of -T but the result is exactly the same.
Why doesn't this approach work during UI Testing? I am using the same approach in my installation script for the real application installation process with the -T parameters and there is no issue in that case. This issue kills my UI Tests because I am constantly prompted when I want to read or modify the contents of these Keychain Items.
I recently inherited a project to port an app bundle to arm64, and some of the design decisions in the app bundle are undocumented. I'd like to structure the bundle as canonically as possible, to minimize future problems as much as possible.
In particular, there are two areas where I would like some clarification. I have read all of eskimo's guides (what a godsend!), but have not been able to find an explanation for these yet.
We have some helper executables that allow us to run jobs in the background, etc... Historically, these have always been in Contents/Resources, for some reason; that seems to be a bad idea. I have seen conflicting advice suggesting to use Helpers or just MacOS. What are the advantages or disadvantages of using each folder? Would dumping all the executables in MacOS be an adequate solution and, if not, why should I use Helpers?
Our app contains "compiled extensions" in Contents/SharedSupport, which consist of small intel-based apps (with their own app bundle) that our app can interact with. They are supposed to be a demo of extensions that the users could code and compile themselves, thus justifying their location. Should these be signed in any special way? Our app used to employ the --deep flag for code signing, but following eskimo's guidelines I have removed that, and it is not clear to me how these should be signed.
Thank you.
Hi there,
I have a macOS app, sandboxed, compatible from 10.13 up to Sonoma, Objective-C.
I have a dropzone (or alternatively selection with NSOpenPanel) where users can drop files, which results in an array of NSURLs. I create bookmarks to securely access them. This worked for years.
Now I want to add iCloud support. Everything works well so far. I have methods to check the file status and download the file from iCloud if NSURLUbiquitousItemDownloadingStatusKey == NSURLUbiquitousItemDownloadingStatusNotDownloaded.
Then I listen for the file; once the status key changes to NSURLUbiquitousItemDownloadingStatusCurrent I continue with processing the NSURL and I want to create bookmarkData:
NSError *error = nil;
NSData *bookmark = [filePathUrl bookmarkDataWithOptions:NSURLBookmarkCreationWithSecurityScope
                         includingResourceValuesForKeys:nil
                                          relativeToURL:nil
                                                  error:&error];
But this returns the error "Could not open() the item: [1: Operation not permitted]".
So I was wondering if downloading the file from iCloud has now changed the NSURL itself, so the permissions given by dropping do not match the downloaded file?
Adding [filePathUrl startAccessingSecurityScopedResource]; didn't change anything.
Any help appreciated
I have multiple ML models along with a collection of supporting code designed to enhance their effectiveness. I want to encapsulate these assets within a package so I can add it to a few of my projects. Is it possible to encrypt the ML models when including them as resources within the package?
When performing biometric authentication, sometimes we are getting these kinds of errors when I try to sign the data with the private key that we get from the keychain. I was searching for documentation related to this but could not find any. Can someone help me with this?
Error message and error code:
Remote alert invalidated: -4
UI canceled by system: -4
unable to sign digest: -3
Canceled by another authentication: -4
Caller is not running foreground: -1004
Caller moved to background: -4
No identities are enrolled: -7
User has denied the use of biometry for this app: -1018
Application retry limit exceeded: -1
Face ID interlocked: -8
Biometry lost: -4
match failed: -1
// To get signed data using private key
SecKeyRef privateKeyReferences = [self getPrivateKey:keyNames];
if (!privateKeyReferences) {
    NSLog(@"Error retrieving private key");
    return nil;
}
// SecKeyCreateSignature takes a CFErrorRef *, not an NSError ** cast to void *
CFErrorRef cfError = NULL;
// ECDSA over SHA-256 of `data`; a biometric prompt appears if the key's access control requires it
NSData *signature = CFBridgingRelease(SecKeyCreateSignature(privateKeyReferences,
                                                            kSecKeyAlgorithmECDSASignatureMessageX962SHA256,
                                                            (__bridge CFDataRef)data,
                                                            &cfError));
if (!signature) {
    NSError *error = CFBridgingRelease(cfError);   // take ownership so the CFError is released
    NSString *errorMessage = [NSString stringWithFormat:@"Error signing data %@.", error];
    NSLog(@"%@", errorMessage);
    return nil;
}
return signature;
Vision Pro is getting MDM support, which is good for companies that want to bring them into the enterprise, but security needs to be addressed. Does anyone know what cryptographic module VisionOS uses? I didn't see any info here: https://support.apple.com/en-us/103688 or https://support.apple.com/guide/certifications/welcome/web
Dear Team,
I'm encountering challenges in securely storing key-value pairs in the system-level keychain on macOS, with the requirement that those values be universally accessible across all users on the Mac. Is it feasible to fulfill this requirement using Keychain?
Are there any alternative secure methods for achieving this? Your assistance in finding a solution would be greatly appreciated.
Thank you in advance!
Hi everyone,
We are building an application on macOS (and iOS) that can install client certificates for mTLS handshake. This part is working great and the certificates are imported into login keychain. The problem comes when a user tries to use those certificates from the browser. Then he is presented with the Keychain access dialog to be able to use the private key from the installed certificate. We would like to hide this dialog so that the user flow is as streamlined as possible.
We succeeded in hiding the Keychain dialog in Safari by importing the private key with a flag that allows all applications access to it. This is enough for Safari since Apple applications are part of the key's partition list by default. This, however, doesn't work for, e.g., Chrome. We've experimented with calling the security set-key-partition-list command, but that still requires the Keychain password (shows the dialog) and it seems impossible to select just our private key with it.
So my question is, how can we hide the Keychain dialog when using our certificate from Chrome? Would maybe working with the Objective-C methods SecKeychainItemSetAccess or the newer SecItemUpdate allow us to set the partition-list without a Keychain dialog window? Is there another option that doesn't set the key partition list?
Best regards,
Marek Vinkler
I am encountering an issue with accessing the system keychain on macOS [macOS 13.6.3]. When running our product, the following error message is logged:
[com.apple.securityd:secitemratelimit] Not internal release, disabling SIRL
[com.apple.securityd:keychain] System Keychain Always Supported set via feature flag to disabled
As a result, our product is unable to access the system keychain, which is impacting functionality.
Note: In many other devices this issue is not seen.
Steps to Reproduce:
The moment the pkg is installed it creates a key in the keychain.
For an affected device SecItemCopyMatching is returning errSecInteractionNotAllowed
Question:
Is there a way to enable the system keychain access or address the issue with the feature flag being disabled?
Are there any suggestions or recommendations for handling this case?
Any assistance or guidance on resolving this issue would be greatly appreciated. Thank you in advance for your help.
Hello, I am creating this post to ask if there is any plan for bringing Attestation Service support to macOS.
We implemented it in iOS and it increased the security for our users and partners, but we are evaluating deprecating macOS and keeping only Windows and Linux because of this restriction on the Attestation Service...
If you recommend any other provider to attest the device, please bring me some recommendations.
Hi Team,
I am developing a sample authPlugin which should connect to a mobile app via a Bluetooth connection.
So here is the scenario:
The authPlugin with Bluetooth connection should work on lock screen + login.
I have created the mechanisms prepared:privileged, main, clean:privileged.
I am calling CoreBluetooth manager initialization at the time of the prepared:privileged mechanism.
I have to add my auth plugin's mechanism before the loginwindow:success mechanism.
But I always get unauthorized = 3 from the power state of Bluetooth.
Note: With the app, the Bluetooth connection is working fine; it's giving the error with the authPlugin.
How to achieve my ultimate goal, is this the right way?