Hi, I have just found this thread, and I am an XPC/daemon developer (for an authorization plugin, which is also important here), so I cannot move to data protection keychain.
Our flow has been the following:
- Create a keychain item in the System keychain in the daemon:
  - `SecTrustedApplicationCreateFromPath` to create trusted app references for all variations of `authorizationhost` and `SecurityAgentHelper`.
  - `SecAccessCreate` to create a `SecAccess` item that includes all `SecTrustedApplication`s from above.
  - `SecItemAdd` / `SecItemUpdate` to save the item with this `SecAccess` instance added to the attributes dictionary: `[kSecAttrAccess as String: access]`
This is all working fine. But then, if I were to
- Delete this keychain item in the daemon:
  - `SecTrustedApplicationCreateFromPath` to create trusted app references for all variations of `authorizationhost` and `SecurityAgentHelper`.
  - `SecAccessCreate` to create a `SecAccess` item that includes all `SecTrustedApplication`s from above.
  - `SecItemDelete` to delete the item with this `SecAccess` instance added to the attributes dictionary: `[kSecAttrAccess as String: access]`

I get the above-mentioned `errSecInvalidOwnerEdit` error.
What I noticed is that if I add the daemon itself as another `SecTrustedApplication` to the `SecAccess` that is created, then the issue is solved. Why can I create and update an item from the daemon, but not delete it, if it was the daemon that created the keychain item previously, in another invocation? Is this expected behavior?