Hi, I have just found this thread, and I am an XPC/daemon developer (for an authorization plugin, which is also important here), so I cannot move to data protection keychain.
Our flow has been the following:
- Create a keychain item in System keychain in the daemon:
SecTrustedApplicationCreateFromPath to create trusted app references for all variations of authorizationhost and SecurityAgentHelper.SecAccessCreate to create a SecAccess item that includes all SecTrustedApplications from above.SecItemAdd / SecItemUpdate to save the item with this SecAccess instance added to the attributes dictionary: [kSecAttrAccess as String: access]
This is all working fine. But then, if I were to
- Delete this keychain item in the daemon:
SecTrustedApplicationCreateFromPath to create trusted app references for all variations of authorizationhost and SecurityAgentHelper.SecAccessCreate to create a SecAccess item that includes all SecTrustedApplications from above.SecItemDelete to delete the item with this SecAccess instance added to the attributes dictionary: [kSecAttrAccess as String: access]
I get the above mentioned errSecInvalidOwnerEdit error.
What I noticed is that if I add the daemon itself as another SecTrustedApplication to the SecAccess that is created, then the issue is solved. Why can I create and update an item from the daemon, but not delete, if it was the daemon that created the keychain item previously, in another invocation? Is this an expected behavior?
