Any way to avoid 2 keychain prompts when retrieving 1 password?

When I retrieve a password from a keychain using SecKeychainFindGenericPassword, I get two requests for the keychain password, worded slightly differently:

<app> wants to use your confidential information stored in <item name> in your keychain.

<app> wants to access key <item name> in your keychain.

Why do I get these two prompts, and is there any way to get just one?

Answered by DTS Engineer in 612333022
You typically only see these prompts if you’re accessing keychain items that you didn’t create. Is that the case here?

The other possibility is that your code isn’t signed with a stable code signing identity. And if that’s the case then there’s an easy fix (-:

Share and Enjoy

Quinn “The Eskimo!” @ DTS @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 22 Jun through to Fri, 26 Jun. During that time all of DTS will be busy with conference duties.
They are keychain items that I created, but I suppose that they might predate a revision to my developer ID certificate that happened some time in 2017. That's probably it.

Keychain items aren't keyed to the name of the app, are they? I ask because if I get info on a keychain item in Keychain Access, under Access Control I see one or more application names. A debug build of my app has a different name from a release build, so I was wondering whether that might confuse things.

Keychain items aren't keyed to the name of the app, are they?

No. Unless you go out of the way to change this, a keychain item’s ACL is set to the designated requirement (DR) of the app that created it. To view your app’s DR, run this command:

% codesign -d -r - "/Applications/Searchiverse 3.app"
Executable=/Applications/Searchiverse 3.app/Contents/MacOS/Searchiverse 3
designated => anchor apple generic and identifier "com.example.apple-samplecode.Searchiverse" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = SKMME9E2Y8)


This breaks down as follows:
  • Most of the goo indicates that it’s a Developer ID signed app.

  • certificate leaf[subject.OU] = SKMME9E2Y8 tells you the Team ID.

  • identifier "com.example.apple-samplecode.Searchiverse" is the code signing identifier, which uniquely identifies the code within that team (for bundled code, this defaults to the bundle ID).

A debug build of my app has a different name from a release build, so I was wondering whether that might confuse things.

Right. Debug and release builds will typically have different DRs.
One way to avoid this whole problem is to switch to the iOS-style keychain. This means:
  • Using the SecItem API

  • Passing in kSecUseDataProtectionKeychain

  • Making sure your app has a provisioning profile

The iOS-style keychain has a much simpler access control model and that makes it easier to avoid problems like this. It also supports a bunch of nice features, like biometrics.

Share and Enjoy

Quinn “The Eskimo!” @ DTS @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 22 Jun through to Fri, 26 Jun. During that time all of DTS will be busy with conference duties.
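The iOS-style keychain described above, as an added example that is not part of the original thread. It assumes the app is signed with a provisioning profile (as the answer requires) and uses constructed service and account names; the key point is that kSecUseDataProtectionKeychain is present in every SecItem call, since a query that omits it is routed to the file-based keychain and its ACL prompts.

```swift
import Foundation
import Security

// Constructed sample identifiers for the item (assumptions, not from the thread).
let service = "com.example.Searchiverse"
let account = "user@example.com"

/// Base query shared by every call. kSecUseDataProtectionKeychain must appear in
/// each SecItem query; otherwise macOS uses the file-based keychain, whose
/// ACL is tied to the creating app's designated requirement.
func baseQuery() -> [CFString: Any] {
    return [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecUseDataProtectionKeychain: true,
    ]
}

/// Stores or replaces the password; returns the OSStatus for the caller to inspect.
func savePassword(_ password: String) -> OSStatus {
    var query = baseQuery()
    query[kSecValueData] = Data(password.utf8)
    // Remove any stale copy first so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete(baseQuery() as CFDictionary)
    return SecItemAdd(query as CFDictionary, nil)
}

/// Reads the password back; returns nil when the item does not exist or the read fails.
func readPassword() -> String? {
    var query = baseQuery()
    query[kSecReturnData] = true
    query[kSecMatchLimit] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        if status != errSecItemNotFound {
            let msg = SecCopyErrorMessageString(status, nil).map { $0 as String } ?? "unknown"
            print("SecItemCopyMatching failed: \(status) (\(msg))")
        }
        return nil
    }
    return String(decoding: data, as: UTF8.self)
}

let saveStatus = savePassword("correct horse battery staple")
print("save status:", saveStatus)
print("read back:", readPassword() ?? "<none>")
```

Because the data protection keychain scopes items by the app's keychain access group rather than by a per-item ACL, a debug and a release build with the same Team ID and keychain access group see the same item without a prompt.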
@eskimo, regarding your comment "Making sure you app has a provisioning profile", how do I do that? Under my developer account, I can see a list of profiles, but nothing about how to create one. And in Xcode's account preferences, there is a button "Download Manual Profiles", but it's not clear that anything happens when I click it.

Under my developer account, I can see a list of profiles, but nothing about how to create one.

If you’re using automatic code signing, Xcode only creates a profile for you if it thinks you need it. Alas, when working with the keychain Xcode can’t infer that you want to use the iOS-style keychain. The best way to force its hand is to enable the Keychain Sharing capability. You don’t have to list any keychain access groups, just the presence of that capability is sufficient.

Share and Enjoy

Quinn “The Eskimo!” @ DTS @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 22 Jun through to Fri, 26 Jun. During that time all of DTS will be busy with conference duties.
And if I use manual code signing, is there any way to make a profile?

If you manually code sign then you are responsible for creating profiles on the developer web site. Log in to your account and then go to the Certificates, Identifiers and Profiles section.

Share and Enjoy

Quinn “The Eskimo!” @ DTS @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

WWDC runs Mon, 22 Jun through to Fri, 26 Jun. During that time all of DTS will be busy with conference duties.
I've been to the "Certificates, Identifiers and Profiles" section of my account, but when I go to the Profiles subsection, there is no button or plus sign to create one. (Whereas, in the Certificates subsection, I do see a plus button.)

Is this an Organization team? Or an Individual team?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
FWIW, I often/always get this even in KeychainAccess.app, when copying a password or checking the "show password" checkbox. Two prompts before the password shows/is copied.

Never seen it from my own apps/code.