Keychain item ACL issue for authorizationhost

Hi

We are working on an authorization plugin.
Privileged mechanisms in our setup store/retrieve items to/from the system keychain. We add trusted applications for these keychain items via SecTrustedApplicationCreateFromPath, though it's now marked as deprecated. The problem we're facing atm is that if the user installs our plugin on macOS 10.14 and then makes an upgrade to 10.15, our plugin loses access to these keychain items. As far as we understood, it happens because starting from 10.15 authorizationhost uses an XPC helper to access system keychain items. We tried to explicitly add a SecTrustedApplicationRef with /System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle because, according to the SecTrustedApplicationCreateFromPath doc:

For application bundles, use the path to the bundle directory. Pass NULL to refer to yourself, i.e. the application or tool making this call

but it didn't help.
Is there a way for us to achieve what we want without lifting ACL restrictions?
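For reference, the ACL construction the post describes, written out as an added Swift example (not code from the post or from Apple): it creates a generic-password item in the System keychain whose access object trusts the calling process plus the authorizationhost bundle path quoted above. The addSharedSecret function, the service/account names and the item value are assumptions made for the illustration.

```swift
import Foundation
import Security

/// Adds a generic-password item to the System keychain with an ACL that
/// trusts the calling process plus every path in `trustedPaths`.
/// Uses the deprecated SecTrustedApplication / SecAccess API the post refers to.
/// Returns the OSStatus from the Security framework (errSecSuccess on success).
func addSharedSecret(service: String, account: String, secret: Data,
                     trustedPaths: [String]) -> OSStatus {
    var trusted: [SecTrustedApplication] = []

    // One SecTrustedApplicationRef per explicit bundle/executable path.
    for path in trustedPaths {
        var app: SecTrustedApplication?
        let status = SecTrustedApplicationCreateFromPath(path, &app)
        guard status == errSecSuccess, let app = app else { return status }
        trusted.append(app)
    }

    // nil path means "the application or tool making this call" (see the doc quote).
    var selfApp: SecTrustedApplication?
    var status = SecTrustedApplicationCreateFromPath(nil, &selfApp)
    guard status == errSecSuccess, let selfApp = selfApp else { return status }
    trusted.append(selfApp)

    // The SecAccess object becomes the item's ACL when the item is added.
    var access: SecAccess?
    status = SecAccessCreate(service as CFString, trusted as CFArray, &access)
    guard status == errSecSuccess, let access = access else { return status }

    // Target the System keychain explicitly (requires root / a privileged mechanism).
    var systemKeychain: SecKeychain?
    status = SecKeychainOpen("/Library/Keychains/System.keychain", &systemKeychain)
    guard status == errSecSuccess, let keychain = systemKeychain else { return status }

    let attributes: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        kSecAttrAccess as String: access,      // attach the ACL built above
        kSecUseKeychain as String: keychain,   // store in the System keychain
    ]
    return SecItemAdd(attributes as CFDictionary, nil)
}

// Constructed sample call: trust the authorizationhost bundle path from the post.
let authHostBundle =
    "/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle"
let result = addSharedSecret(service: "com.example.authplugin",   // assumed name
                             account: "shared-token",              // assumed name
                             secret: Data("constructed-sample".utf8),
                             trustedPaths: [authHostBundle])
print("SecItemAdd status: \(result)")
```

The trusted-application ACL model is deprecated, and the reply below explains why a list like this does not extend to the XPC helper that loads plug-in code on 10.15.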

Replies

As far as we understood, it happens because starting from 10.15 authorizationhost uses xpc helper to access system keychain items.

Right. Well, it’s not just about accessing the keychain, this XPC helper is responsible for running all third-party authorisation plug-in code.

I don’t see a good way around this. Even if you ignore the upgrade scenario, sharing a keychain item between third-party code and system code (and that’s what the keychain thinks your authorisation plug-in is when it’s loaded by the authorisation host process) is very tricky.

Given the above, I’m going to recommend that you open a DTS tech support incident so that I can research this in more detail.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"