Keychain item ACL issue for authorizationhost

Question

Created Jul ’20

Replies 1

Boosts 0

Participants 2

Hi

We are working on an authorization plugin.
Privileged mechanisms in our setup store/retrieve items to/from system keychain. We add trusted applications for these keychains items via

Code Block SecTrustedApplicationCreateFromPath

, though it's now marked as deprecated. The problem via facing atm is that if the user installs our plugin on macOS 10.14 and then makes an upgrade to 10.15, our plugin loses access to these keychain items. As far as we understood, it happens because starting from 10.15

Code Block authorizationhost

uses xpc helper to access system keychain items. We tried to add explicitly

Code Block SecTrustedApplicationRef

with

Code Block /System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle

because, according to SecTrustedApplicationCreateFromPath doc:

For application bundles, use the
path to the bundle directory. Pass NULL to refer to yourself, i.e. the application or tool
making this call

but it didn't help.
Is there is a way for us to achieve what we want without lifting ACL restrictions?

Boost

Answer 1

DTS Engineer OP

Apple

Jul ’20

As far as we understood, it happens because starting from 10.15 authorizationhost uses xpc helper to access system keychain items.

Right. Well, it’s not just about accessing the keychain, this XPC helper is responsible for running all third-party authorisation plug-in code.

I don’t see a good way around this. Even if you ignore the upgrade scenario, sharing a keychain item between third-party code and system code (and that’s what the keychain thinks your authorisation plug-in is when it’s loaded by the authorisation host process) is very tricky.

Given the above, I’m going to recommend that you open a DTS tech support incident so that I can research this in more detail.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

0