Security

Secure the data your app manages and control access to your app using the Security framework.

Posts under Security tag

200 Posts

File (NSURL) programmatically downloaded from iCloud -> Could not open() the item: [1: Operation not permitted]
Hi there, I have a macOS app, sandboxed, compatible with 10.13 up to Sonoma, Objective-C. I have a dropzone (or alternatively selection with NSOpenPanel) where users can drop files, which results in an array of NSURLs. I create bookmarks to securely access them. This worked for years. Now I want to add iCloud support. Everything works well so far. I have methods to check the file status and download the file from iCloud if NSURLUbiquitousItemDownloadingStatusKey == NSURLUbiquitousItemDownloadingStatusNotDownloaded. Then I listen for the file; once the status key changes to NSURLUbiquitousItemDownloadingStatusCurrent I continue with processing the NSURL and I want to create bookmarkData:

```objc
[filePathUrl bookmarkDataWithOptions:NSURLBookmarkCreationWithSecurityScope
      includingResourceValuesForKeys:nil
                       relativeToURL:nil
                               error:&error];
```

But this returns the error "Could not open() the item: [1: Operation not permitted]". So I was wondering if downloading the file from iCloud has now changed the NSURL itself, so that the permissions granted by dropping do not match the downloaded file? Adding [filePathUrl startAccessingSecurityScopedResource]; didn't change anything. Any help appreciated.
0 replies · 0 boosts · 365 views · Feb ’24
Keychain private key signing error
When performing biometric authentication, we sometimes get these kinds of errors when I try to sign data with the private key that we get from the keychain. I was searching for documentation related to this but could not find any. Can someone help me with this?

Error message and error code:

Remote alert invalidated: -4
UI canceled by system: -4
unable to sign digest: -3
Canceled by another authentication: -4
Caller is not running foreground: -1004
Caller moved to background: -4
No identities are enrolled: -7
User has denied the use of biometry for this app: -1018
Application retry limit exceeded: -1
Face ID interlocked: -8
Biometry lost: -4
match failed: -1

```objc
// To get signed data using the private key
SecKeyRef privateKeyReferences = [self getPrivateKey:keyNames];
if (!privateKeyReferences) {
    NSLog(@"Error retrieving private key");
    return nil;
}
NSError *error;
// CFErrorRef is toll-free bridged to NSError, so the out-parameter can be cast directly.
NSData *signature = CFBridgingRelease(SecKeyCreateSignature(privateKeyReferences,
                                                             kSecKeyAlgorithmECDSASignatureMessageX962SHA256,
                                                             (CFDataRef)data,
                                                             (CFErrorRef *)&error));
if (!signature) {
    NSString *errorMessage = [NSString stringWithFormat:@"Error signing data %@.", error];
    NSLog(@"%@", errorMessage);
    return nil;
}
return signature;
```
2 replies · 0 boosts · 403 views · Feb ’24
How to store a key-value pair in the system-level keychain on macOS, ensuring it is accessible to all users of the Mac
Dear Team, I'm encountering challenges in securely storing key-value pairs in the system-level keychain on macOS, with the requirement that those values be universally accessible across all users of the Mac. Is it feasible to fulfill this requirement using Keychain? Are there any alternative secure methods for achieving this? Your assistance in finding a solution would be greatly appreciated. Thank you in advance!
1 reply · 0 boosts · 347 views · Feb ’24
Browser Access to Keychain Private Key
Hi everyone,

We are building an application on macOS (and iOS) that can install client certificates for the mTLS handshake. This part is working great and the certificates are imported into the login keychain. The problem comes when a user tries to use those certificates from the browser. He is then presented with the Keychain access dialog to be able to use the private key from the installed certificate. We would like to hide this dialog so that the user flow is as streamlined as possible.

We succeeded in hiding the Keychain dialog in Safari by importing the private key with a flag that allows all applications access to it. This is enough for Safari, since Apple applications are part of the key's partition list by default. This, however, doesn't work for, e.g., Chrome. We've experimented with calling the security set-key-partition-list command, but that still requires the Keychain password (shows the dialog) and it seems impossible to select just our private key with it.

So my question is: how can we hide the Keychain dialog when using our certificate from Chrome? Would working with the Objective-C methods SecKeychainItemSetAccess or the newer SecItemUpdate allow us to set the partition list without a Keychain dialog window? Is there another option that doesn't set the key partition list?

Best regards, Marek Vinkler
2 replies · 0 boosts · 427 views · Feb ’24
Issue with System Keychain Access in macOS
I am encountering an issue with accessing the system keychain on macOS 13.6.3. When running our product, the following error messages are logged:

[com.apple.securityd:secitemratelimit] Not internal release, disabling SIRL
[com.apple.securityd:keychain] System Keychain Always Supported set via feature flag to disabled

As a result, our product is unable to access the system keychain, which is impacting functionality. Note: on many other devices this issue is not seen.

Steps to reproduce: the moment the pkg is installed it creates a key in the keychain. On an affected device SecItemCopyMatching returns errSecInteractionNotAllowed.

Questions: Is there a way to enable system keychain access or address the issue with the feature flag being disabled? Are there any suggestions or recommendations for handling this case? Any assistance or guidance on resolving this issue would be greatly appreciated. Thank you in advance for your help.
4 replies · 0 boosts · 652 views · Mar ’24
Attestation Service Support on macOS Devices
Hello, I am creating this post to ask if there is any plan to bring Attestation Service support to macOS. We implemented it on iOS and it increased the security for our users and partners, but we are evaluating deprecating macOS and keeping only Windows and Linux because of this restriction on the Attestation Service. If you can recommend any other provider to attest the device, please bring me some recommendations.
1 reply · 0 boosts · 531 views · Feb ’24
Bluetooth connection via authPlugin
Hi Team,

I am developing a sample authPlugin which should connect to a mobile app via a Bluetooth connection. Here is the scenario:

The authPlugin with Bluetooth connection should work on the lock screen and at login.

I have created the mechanisms prepared:privileged, main and clean:privileged, calling the CoreBluetooth manager initialisation at the time of the prepared:privileged mechanism. I have to add my auth plugin's mechanism before the loginwindow:success mechanism.

But I always get unauthorized = 3 from the power state of Bluetooth.

Note: with an app, the Bluetooth connection is working fine; it gives the error with the authPlugin. How do I achieve my ultimate goal? Is this the right way?
2 replies · 0 boosts · 483 views · Feb ’24
Security and Permissions in Mac Application Development: Root Privilege Access and Entitlements
I am developing a Mac application. Within this application, I need to execute certain commands and expressions with root privilege access. I am working to perform this action, and once authenticated, it should persist throughout the entire app lifecycle, similar to allowing keychain access for Xcode applications by selecting the 'Always allow' permission. Please let me know:

1. Is it possible for a third-party application to exhibit such behavior?
2. If it is possible, what type of permissions do I need to set?
3. Do I need any specific entitlements for this?

Thank you for your insights and assistance. Your responses are highly valued, and any guidance you can provide will be greatly appreciated.
2 replies · 0 boosts · 506 views · Feb ’24
Detect and thwart file copy operation using securityExtension.
For a security product, I wonder if a security extension has the capability to catch a file during a copy operation (I guess it's composed of multiple basic ops like file read and file write). I'd like to store the file in some quarantine temporary location (let's say when someone copies a file from an external file system like a USB/network location) and copy it back once the file has been properly scanned. So far, I've used the authorization capabilities of the security extension. I wonder if there's also an option to change the target location of a file being copied? Thanks.
3 replies · 0 boosts · 614 views · Feb ’24
SecCodeCopyPath and /System/Volumes/Preboot/Cryptexes/App/System
Looking at the path name for reasons, and ran into a thing: one of my coworkers was not getting /Applications/Safari.app as expected, but instead got /System/Volumes/Preboot/Cryptexes/App/System/Applications/Safari.app. Which is annoying because I'm actually using Spotlight to find the paths for applications, and that one doesn't show up. Has anyone run into this? And know why? (I figure I'll simply remove the prefix if it's there, and that should be fine, but I'm curious why it only seems to happen sometimes.)
4 replies · 0 boosts · 1.5k views · Feb ’24
Key Storage Provider (KSP) macOS equivalent
Hi, I successfully developed a key storage provider (KSP) under Windows that allows me to digitally sign from 3rd-party applications (typically Acrobat Reader, but not only). Now I'm trying to port the key storage provider to macOS, but I cannot find an equivalent technology under this OS. I've tried different solutions:

API hooking/method swizzling/dll interposing: it doesn't look officially supported, plus it is easily blockable (with the hardened runtime).
Endpoint Security framework: it looks basically for watch-only purposes, plus minimal blocking capabilities.

Is there any supported way to implement a KSP macOS equivalent? Any suggestion? Something else to explore? Thanks a lot, max
1 reply · 0 boosts · 457 views · Feb ’24
Utilizing Keychain Services with Swift 5.9
Hello, I'm near-brand new to writing in Swift and am attempting to write a simple VPN configuration to start an existing VPN in-app for a mobile app I'm developing for the company I work for. We're writing this in Swift in hopes of converting it to C# eventually for the mobile app's end product. So I'm attempting to set VPN configurations using a NEVPNProtocolIKEv2() type, and when it comes to setting the server address, remote identifier, and username, it seems pretty straightforward. However, when I try to set a password reference, I'm failing to figure out how to do so in a straightforward way. I've tried several methods from the docs and continuously yield no results, so I wanted to ask if I was doing something wrong in the following code (most of which is commented out, but indicated by single-line comments where the attempts were).

```swift
import Foundation
import NetworkExtension
import Security

/** @class VPN contains all of the configuration and handling for enacting a VPN connection */
class VPN {
    // Initialize `manager` variable with `NEVPNManager` object using @method `shared()`
    let manager = NEVPNManager.shared()

    /** @variable vpnLoadHandler handles loading the VPN and error catching? */
    private var vpnLoadHandler: (Error?) -> Void {
        return { (error: Error?) in
            if ((error) != nil) {
                print("Load VPN Configurations failed...")
                return;
            }
            // Initialize and assign `p` as `NEVPNProtocolIKEv2()` interface
            let p = NEVPNProtocolIKEv2()
            // Assign property values for the IKEv2 VPN
            p.serverAddress = "0.0.0.0"
            p.remoteIdentifier = "abc"
            p.username = "iosUser"
            // Assign string `pass` with string value of intended password
            let pass = "password"
            // Assign string `key` with string value of intended key
            let key = "pwd"
            // Create an add query to encode password as `Data` instance
            var query: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                                        kSecAttrGeneric as String: key,
                                        kSecValueData as String: pass]
            // Add the item to `passKeyValue` using `SecAddItem`
            let passKeyValue = SecItemAdd(query as CFDictionary, nil)
            // ALTERNATIVE VALUE ASSIGNMENT
            // let passKeyValue = SecItemCopyMatching(query as CFDictionary, nil)

            // Initiate search to access password from query
            // ATTEMPT 1
            /*
            var item: CFTypeRef?
            guard let existingItem = item as? [String: Any],
                  let passwordData = existingItem[kSecValueData as String] as? Data,
                  let password = passwordData else {
                print("Keychain failed...")
            }
            */
            // ATTEMPT 2
            /*
            var error: Unmanaged<CFError>?
            guard let data = SecKeyCopyExternalRepresentation(passKeyValue, &error) as Data else {
                throw error!.takeRetainedValue() as Error
            }
            */
            // ATTEMPT 3
            /*
            var error: Unmanaged<CFError>?
            guard let pkData = SecKeyCreateWithData(data as CFData, query as CFDictionary, &error) else {
                throw error!.takeRetainedValue() as Error
            }
            */
        }
    }
}
```

I'm just a little lost because as of a year ago, other similar code that I've referenced uses conventions of:

```swift
let kcs = KeychainService()
kcs.save(key: "SHARED", value: "MY_SHARED_KEY")
kcs.save(key: "VPN_PASSWORD", value: "MY_PASSWORD")
```

Why has it changed? How would I go about achieving the same thing?
1 reply · 0 boosts · 323 views · Jan ’24
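One way to supply the password to NEVPNProtocolIKEv2, as an added example that is not part of the post above and not Apple's own sample code: store the password as a generic-password keychain item and give the protocol configuration the item's persistent reference rather than the password bytes. The service and account names, the server/remote identifier placeholders, the "Example VPN" label and the use of username/password (EAP) authentication are assumptions made for the example.

```swift
import Foundation
import NetworkExtension
import Security

/// Stores `password` as a generic-password keychain item identified by service + account
/// (replacing any previous item) and returns the item's persistent reference, which is what
/// NEVPNProtocol.passwordReference expects. The service/account names are assumptions.
func storeVPNPassword(_ password: String,
                      service: String = "com.example.vpn",
                      account: String = "iosUser") throws -> Data {
    let identity: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]

    // Delete any stale item first so SecItemAdd cannot fail with errSecDuplicateItem.
    let deleteStatus = SecItemDelete(identity as CFDictionary)
    guard deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(deleteStatus))
    }

    var add = identity
    add[kSecValueData as String] = Data(password.utf8)          // must be Data, not String
    // The tunnel is started by a system process, possibly while the device is locked, so the
    // item must be readable after first unlock. This attribute belongs to the iOS
    // data-protection keychain; on macOS pair it with kSecUseDataProtectionKeychain or omit it.
    add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
    // Ask for the persistent reference instead of the secret itself.
    add[kSecReturnPersistentRef as String] = true

    var result: CFTypeRef?
    let status = SecItemAdd(add as CFDictionary, &result)
    guard status == errSecSuccess, let ref = result as? Data else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
    return ref
}

/// Builds the IKEv2 configuration. The password never touches the configuration object;
/// only its keychain reference does. Username/password (EAP) authentication is assumed.
func makeIKEv2Protocol(server: String, remoteID: String,
                       username: String, passwordRef: Data) -> NEVPNProtocolIKEv2 {
    let p = NEVPNProtocolIKEv2()
    p.serverAddress = server
    p.remoteIdentifier = remoteID
    p.username = username
    p.passwordReference = passwordRef
    p.authenticationMethod = .none       // no certificate or shared secret for IKE auth ...
    p.useExtendedAuthentication = true   // ... the user credentials go over EAP instead
    return p
}

/// Loads the current configuration, installs the new protocol and saves it back.
/// `completion` receives nil on success.
func installVPN(_ proto: NEVPNProtocolIKEv2, completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError { return completion(loadError) }
        manager.protocolConfiguration = proto
        manager.localizedDescription = "Example VPN"   // label shown in Settings (assumed)
        manager.isEnabled = true
        manager.saveToPreferences(completionHandler: completion)
    }
}

// Usage (constructed values; "0.0.0.0" and "abc" mirror the placeholders in the post).
do {
    let ref = try storeVPNPassword("password")
    let proto = makeIKEv2Protocol(server: "0.0.0.0", remoteID: "abc",
                                  username: "iosUser", passwordRef: ref)
    installVPN(proto) { error in
        print(error.map { "save failed: \($0)" } ?? "VPN configuration saved")
    }
} catch {
    print("keychain error: \(error)")
}
```

Two details matter here. kSecValueData has to be Data; the String in the post's query is not accepted by SecItemAdd. And the configuration wants the persistent reference returned by kSecReturnPersistentRef, which stays valid across launches and lets the system tunnel process look the secret up itself, so neither SecKeyCopyExternalRepresentation nor SecKeyCreateWithData (both are for asymmetric keys, not passwords) is involved.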
SmartCard logon
Hello, I am developing a smartcard CTK extension for macOS. I have trouble with smartcard logon the first time after a reboot or a logout (e.g. when there is the text "Your password is required to enable Touch ID"). The trouble is that I'm not asked for the PIN. But from time to time after a logout (from whatever account), I can log in with the smartcard. After a lock screen I can always log in with the smartcard. Is there an easy way to debug the logon process? Regards, ++dom
6 replies · 0 boosts · 807 views · Jun ’24
Is the code in 'Building a custom peer-to-peer protocol' insecure?
I'm new to networking, so forgive me if this is a silly question. In the sample code, Building a custom peer-to-peer protocol, TLS is configured as follows:

```swift
// Create TLS options using a passcode to derive a pre-shared key.
private static func tlsOptions(passcode: String) -> NWProtocolTLS.Options {
    let tlsOptions = NWProtocolTLS.Options()

    let authenticationKey = SymmetricKey(data: passcode.data(using: .utf8)!)
    var authenticationCode = HMAC<SHA256>.authenticationCode(for: "TicTacToe".data(using: .utf8)!,
                                                             using: authenticationKey)

    let authenticationDispatchData = withUnsafeBytes(of: &authenticationCode) { (ptr: UnsafeRawBufferPointer) in
        DispatchData(bytes: ptr)
    }

    sec_protocol_options_add_pre_shared_key(tlsOptions.securityProtocolOptions,
                                            authenticationDispatchData as __DispatchData,
                                            stringToDispatchData("TicTacToe")! as __DispatchData)
    sec_protocol_options_append_tls_ciphersuite(tlsOptions.securityProtocolOptions,
                                                tls_ciphersuite_t(rawValue: TLS_PSK_WITH_AES_128_GCM_SHA256)!)
    return tlsOptions
}
```

The sample code touts the connection as secure ("...uses Bonjour and TLS to establish secure connections between nearby devices"), but to my untrained eye it doesn't seem so. My reasoning is as follows: if I adapt this code as-is, so connections between two instances of my app use SymmetricKeys derived from the four-digit passcode, then wouldn't my encryption be easy to break by an adversary who sends 0000...9999 and records corresponding changes in the encryption, exposing my app to all sorts of attacks? The sample uses the passcode to validate the connection (the host user shows the client user the passcode, which is manually entered), which is a feature I would like to keep in some form or another, which is why this is causing so many headaches.

Generally speaking, is there a way to secure a local peer-to-peer connection over Network.framework that doesn't involve certificates? If certificates are the only way, are there good resources you can recommend?
6 replies · 0 boosts · 822 views · May ’24
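To make the concern above concrete, here is an added example (not part of the sample project or of the post) that reproduces the sample's PSK derivation, models the passive attacker, and shows the alternative of a high-entropy passcode. In a pure-PSK TLS 1.2 suite such as TLS_PSK_WITH_AES_128_GCM_SHA256 there is no (EC)DHE exchange: session keys and the Finished messages are computed from the PSK plus values sent in the clear, so anyone who records one handshake can test every candidate PSK offline against it, without ever contacting the host. The `keyConfirmation` function is a simplified stand-in for that Finished check (an HMAC over the two public randoms, keyed with the candidate PSK), not the TLS PRF; the randoms and the passcode 4821 are constructed test values.

```swift
import CryptoKit
import Foundation
import Security

/// The sample's derivation, reproduced for analysis: HMAC-SHA256 over the fixed label
/// "TicTacToe", keyed with the raw passcode bytes. Same passcode, same PSK, every time.
func samplePSK(passcode: String) -> Data {
    let key = SymmetricKey(data: Data(passcode.utf8))
    return Data(HMAC<SHA256>.authenticationCode(for: Data("TicTacToe".utf8), using: key))
}

/// Simplified stand-in for a pure-PSK TLS 1.2 key confirmation (the Finished message):
/// the only secret input is the PSK; the two hello randoms crossed the wire in the clear.
/// Not the TLS PRF, but it has the property that matters: an observer can recompute it
/// for any candidate PSK and compare with what was recorded.
func keyConfirmation(psk: Data, clientRandom: Data, serverRandom: Data) -> Data {
    let transcript = clientRandom + serverRandom
    return Data(HMAC<SHA256>.authenticationCode(for: transcript, using: SymmetricKey(data: psk)))
}

/// Passive attacker: given one recorded handshake, try every `digits`-digit passcode
/// offline. Nothing is sent, so rate limiting or lockout on the host never triggers.
func recoverPasscode(digits: Int, clientRandom: Data, serverRandom: Data,
                     observedTag: Data) -> (passcode: String, attempts: Int)? {
    let space = Int(pow(10.0, Double(digits)))        // 10_000 for four digits, about 13.3 bits
    for candidate in 0..<space {
        let passcode = String(format: "%0\(digits)ld", candidate)
        let tag = keyConfirmation(psk: samplePSK(passcode: passcode),
                                  clientRandom: clientRandom, serverRandom: serverRandom)
        if tag == observedTag { return (passcode, candidate + 1) }
    }
    return nil
}

/// Keeps the "host shows a code, client types it" flow but makes the search space 2^128:
/// 16 bytes from the system CSPRNG, shown as eight groups of four hex digits.
func highEntropyPasscode() -> String {
    var bytes = [UInt8](repeating: 0, count: 16)
    let rc = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
    precondition(rc == errSecSuccess, "system RNG unavailable")
    let hex = bytes.map { String(format: "%02x", $0) }.joined()
    return stride(from: 0, to: hex.count, by: 4).map { offset -> String in
        let start = hex.index(hex.startIndex, offsetBy: offset)
        return String(hex[start..<hex.index(start, offsetBy: 4)])
    }.joined(separator: "-")
}

// Demonstration with constructed values standing in for ClientHello.random and ServerHello.random.
let clientRandom = Data((0..<32).map { UInt8($0) })
let serverRandom = Data((0..<32).map { UInt8(255 - $0) })
let hostPasscode = "4821"                             // what the host displayed (constructed)
let recordedTag = keyConfirmation(psk: samplePSK(passcode: hostPasscode),
                                  clientRandom: clientRandom, serverRandom: serverRandom)
if let hit = recoverPasscode(digits: 4, clientRandom: clientRandom,
                             serverRandom: serverRandom, observedTag: recordedTag) {
    print("recovered \(hit.passcode) after \(hit.attempts) offline guesses")   // 4821 after 4822 guesses
}
print("use instead:", highEntropyPasscode())
```

Switching cipher suites does not change the picture: any TLS PSK mode, including TLS 1.3's PSK binders, lets an eavesdropper check candidate PSKs offline, so the PSK itself has to be unguessable. What would let a short human-typed code stay safe is a PAKE (a password-authenticated key exchange), and neither Network.framework nor CryptoKit provides one, which leaves the two options above: a passcode long enough that offline search is hopeless, or certificates.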
Type mismatch in SessionGetInfo() swift
The Apple documentation for SessionGetInfo for Swift mentions that this API takes a third argument of type UnsafeMutablePointer<SessionAttributeBits>?, but I'm getting the below error when I pass an argument of this type:

Cannot convert value of type 'UnsafeMutablePointer<SessionAttributeBits>' to expected argument type 'UnsafeMutablePointer<UInt32>'

Why is it expecting a different type? The documentation states otherwise. How do I resolve this? Is this a bug?

```swift
public static func GetSessionInfo() -> Void {
    var sessionID = SecuritySessionId()
    var sessionAttrs = SessionAttributeBits()
    let status = SessionGetInfo(callerSecuritySession, &sessionID, &sessionAttrs)
    // error: Cannot convert value of type 'UnsafeMutablePointer<SessionAttributeBits>'
    //        to expected argument type 'UnsafeMutablePointer<UInt32>'
    if status != errSessionSuccess {
        print("Could not get session info. Error \(status)")
    }
}
```
6 replies · 0 boosts · 650 views · Feb ’24
Secure enclave protected private key in CryptoKit vs Security framework
My goal is:

1. Generate a public and private key pair
2. Add the private key to the keychain and protect it with the Secure Enclave
3. Create a self-signed certificate with the public key and send it to a server
4. Add the certificate to the keychain

When I communicate with the server I want to create a SecIdentity during the client challenge, which is basically a SecCertificate + SecKey combo. For the certificate generation I would like to use the swift-certificates library so as not to have to compose the certificate fields and signature manually.

My problem is that swift-certificates, during the Certificate initialisation, needs a SecureEnclave.P256.Signing.PrivateKey private key, and to add a key to the keychain we need a SecKey object. And unfortunately there is no clean way to create one of them from the other. I read several threads here about this, but I haven't found a clean solution for it. I tried to approach the problem from two directions.

First: Create the key with SecKeyCreateRandomKey, mark in the attributes that I want to protect the key with the Secure Enclave and also mark that I want the private key to be kSecAttrIsPermanent so it is automatically saved in the keychain. SecKeyCreateRandomKey returns a SecKey which is a reference to the private key from the keychain (!). Unfortunately I haven't found a clean way to convert a SecKey to a SecureEnclave.P256.Signing.PrivateKey. There is a workaround to SecKeyCopyAttributes of the private key and to extract the bytes from attributes["toid"], but I guess it's not safe to use an undocumented key ("toid") if there is no constant defined for it (the name could be changed in future releases).

Second approach: Create a SecureEnclave.P256.Signing.PrivateKey. Create the Certificate using swift-certificates. The created private key is protected by the Secure Enclave but it's not added automatically to the keychain, so we should add it so that we can query the SecIdentity after that (!). Unfortunately I haven't found a way to convert the SecureEnclave.P256.Signing.PrivateKey to a SecKey. There are threads which say that SecKeyCreateWithData(...) helps us, but unfortunately if we set kSecAttrTokenIDSecureEnclave in the attribute dictionary, the method creates a brand new key for us, regardless of the passed data. So the initial key will never be the same as the newly created SecKey. This we can see in the method's implementation.

So I got stuck with both approaches because seemingly there is no clean way to switch between SecureEnclave.P256.Signing.PrivateKey and SecKey. One solution would be to compose the certificate manually, without swift-certificates, because like that we would not need a SecureEnclave.P256.Signing.PrivateKey object. But I would like to avoid the manual composition and signature calculation... Anybody has any idea?
2 replies · 1 boost · 1.1k views · Jan ’24
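An added example that serves both the "Keychain private key signing error" post earlier on this page and the post above; it is not code from either poster, and it does not bridge SecureEnclave.P256.Signing.PrivateKey to SecKey (no public API does that). It stays entirely on the Security-framework side: the key is generated in the Secure Enclave with SecKeyCreateRandomKey, stored permanently under an application tag, protected by an access control that requires the currently enrolled biometrics, exported as X9.63 public-key bytes for a certificate builder, and used for signing with an LAContext attached so that biometric-prompt interruptions can be told apart from real signing failures. The tag, the reason string and the retry policy are assumptions; Secure Enclave keys need a physical device, not the simulator.

```swift
import Foundation
import LocalAuthentication
import Security

enum SEKeyError: Error {
    case status(OSStatus)
    case cf(CFError)
}

/// Generates a P-256 private key inside the Secure Enclave, stored permanently in the keychain
/// under `tag` (an assumed value). Every private-key operation requires the biometric set that
/// is enrolled right now; re-enrolling a finger or face invalidates the key.
func makeSecureEnclaveKey(tag: String) throws -> SecKey {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &cfError
    ) else { throw SEKeyError.cf(cfError!.takeRetainedValue()) }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,                 // the only size the enclave supports
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,              // SecKeyCreateRandomKey stores it for us
            kSecAttrApplicationTag as String: Data(tag.utf8),
            kSecAttrAccessControl as String: access,
        ] as [String: Any],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
        throw SEKeyError.cf(cfError!.takeRetainedValue())
    }
    return key
}

/// Finds the key again on a later launch. The LAContext rides along with the query, so the
/// biometric prompt shows our reason string and its outcome is reported as an LAError.
func loadSecureEnclaveKey(tag: String, context: LAContext) throws -> SecKey {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrApplicationTag as String: Data(tag.utf8),
        kSecUseAuthenticationContext as String: context,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else { throw SEKeyError.status(status) }
    return found as! SecKey
}

/// Public key as uncompressed X9.63 bytes (0x04 || X || Y): the form a certificate builder such as
/// swift-certificates' P256.Signing.PublicKey(x963Representation:) accepts, so a certificate can
/// carry the enclave key's public half without the private half ever leaving the enclave.
func publicKeyX963(of privateKey: SecKey) throws -> Data {
    guard let publicKey = SecKeyCopyPublicKey(privateKey) else { throw SEKeyError.status(errSecParam) }
    var cfError: Unmanaged<CFError>?
    guard let bytes = SecKeyCopyExternalRepresentation(publicKey, &cfError) as Data? else {
        throw SEKeyError.cf(cfError!.takeRetainedValue())
    }
    return bytes
}

/// Outcome of one signing attempt behind a biometric prompt.
enum SignOutcome {
    case signature(Data)
    case retryLater(LAError.Code)   // prompt cancelled, app backgrounded, not interactive ...
    case locked                     // too many failed matches; needs LAContext.evaluatePolicy with passcode
    case failed(Error)
}

/// ECDSA over SHA-256 of `message`; both the hash and the signature happen inside the enclave.
/// LAError codes are split into "ask again later" and "stop"; anything else is a hard failure.
func sign(_ message: Data, with key: SecKey) -> SignOutcome {
    var cfError: Unmanaged<CFError>?
    if let sig = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256,
                                       message as CFData, &cfError) as Data? {
        return .signature(sig)
    }
    let error = cfError!.takeRetainedValue() as Error
    guard let la = error as? LAError else { return .failed(error) }
    switch la.code {
    case .userCancel, .systemCancel, .appCancel, .notInteractive, .userFallback:
        return .retryLater(la.code)
    case .biometryLockout:
        return .locked
    default:
        return .failed(error)
    }
}

// Usage on a real device (tag and reason string are assumed values).
let tag = "com.example.client-identity"
let context = LAContext()
context.localizedReason = "Sign in to the server"
do {
    let key: SecKey
    if let existing = try? loadSecureEnclaveKey(tag: tag, context: context) {
        key = existing
    } else {
        key = try makeSecureEnclaveKey(tag: tag)
    }
    print("public key bytes:", try publicKeyX963(of: key).count)   // 65 for P-256
    switch sign(Data("challenge-from-server".utf8), with: key) {
    case .signature(let der): print("DER signature bytes:", der.count)
    case .retryLater(let code): print("prompt interrupted (\(code.rawValue)); retry when foregrounded")
    case .locked: print("biometry locked out; fall back to the device passcode")
    case .failed(let e): print("signing failed:", e)
    }
} catch {
    print("key setup failed:", error)
}
```

The numeric codes listed in the earlier signing-error post are LAError.Code raw values: -4 is systemCancel, -7 is biometryNotEnrolled, -8 is biometryLockout and -1004 is notInteractive (the app was not in the foreground when the prompt was needed). None of them means the key or the signature is bad; they mean the biometric prompt never completed, which is why the example separates them from cryptographic failures. The SecKey returned here is what SecIdentity needs once the certificate is back in the keychain, but the certificate itself still has to be signed by this key through SecKeyCreateSignature, since swift-certificates cannot be handed a SecKey.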