Big Sur and later: when is user interaction required to modify trust settings of certificates as root?

On Big Sur, user interaction is sometimes necessary to modify the trust settings of a certificate (see https://developer.apple.com/documentation/macos-release-notes/macos-big-sur-11_0_1-release-notes#Security). This means that sometimes an app calling SecTrustSettingsSetTrustSettings blocks until the user enters a password, even if it is running as root (or fails with "The authorization was denied since no user interaction was possible" if it is run from a context where a user session is not available).

But it seems that for the vast majority of machines, entering the password is not necessary (for another voice confirming this, please see https://developer.apple.com/forums/thread/671582).

Please, is there any way to check whether user interaction will be required for this operation on the machine in advance? Be it via an API or some characteristics of the system? This would lead to a better user experience for our app...

> Please, is there any way to check whether user interaction will be required for this operation on the machine in advance?

Not that I am aware of. I think it would be wise to always take into account that when you are altering the trust settings on a certificate, you should always make sure that an actual user is there to enter credentials. That way a user knows that a certificate is being deemed trusted and that this is not happening in the background on their behalf.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com