SecItemAdd creates keychain item with label "octagon-com.apple.security.keychain" instead of provided kSecAttrLabel

I use the following code to save a private key with a custom label, but the Keychain app shows an entry with name and account octagon-com.apple.security.keychain and type Octagon Account State (com.apple.security.keychain,defaultContext). (This entry, by the way, stays in the Keychain app even after trying to remove it from the Keychain app itself.) Can these values be customized, and what is kSecAttrLabel if it's not displayed in the Keychain app? The documentation only reads: "The corresponding value is of type CFString and contains the user-visible label for this item."

import Cocoa
import Security

class AppDelegate: NSObject, NSApplicationDelegate {

    func applicationDidFinishLaunching(_ aNotification: Notification) {
        do {
            try storeKey("asdf")
        } catch {
            print(error)
        }
    }

    private func storeKey(_ key: String) throws {
        // The key material arrives base64-encoded; "asdf" decodes to three bytes.
        guard let data = Data(base64Encoded: key) else {
            fatalError()
        }
        let attributes: [String: Any] = [
            kSecClass as String: kSecClassKey,
            kSecAttrLabel as String: "Asdf",                        // the user-visible label
            kSecAttrApplicationTag as String: "com.example.app2".data(using: .utf8)!,
            kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
            kSecValueData as String: data,
            kSecAttrSynchronizable as String: true,                 // sync the item via iCloud Keychain
        ]
        let status = SecItemAdd(attributes as CFDictionary, nil)
        if status != errSecSuccess {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }
    }

}
Answered by DTS Engineer in 751829022

Octagon is effectively a code name for iCloud Keychain [1].

I use the following code to save a private key with a custom label, but the Keychain app shows an entry with name and account octagon-com.apple.security.keychain and type Octagon Account State (com.apple.security.keychain,defaultContext).

This is not your key. Rather, it’s an internal item managed by iCloud Keychain.

Keychain Access does not show key items in the data protection keychain. To quote TN3137:

Keychain Access displays all keychain items in file-based keychains but only password items in the data protection keychain.

what is kSecAttrLabel if it's not displayed in the Keychain app?

That is, indeed, its intended purpose. For a summary of the various attributes associated with key items, see SecItem attributes for keys. However, the value you use is irrelevant for keys in the data protection keychain because they don’t show up in Keychain Access at all.

ps The Less Painful Dictionaries section of SecItem: Pitfalls and Best Practices will help you reduce the amount of boilerplate in your keychain code.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] I’m not sure if it’s a code name for iCloud Keychain per se, or some subsystem within that, but if you look in the Darwin source for the Security framework you’ll see the keychain item syncing code is littered with that code name.
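Since Keychain Access will not show a key item in the data protection keychain, the only way to confirm that kSecAttrLabel was stored is to read the item's attributes back with SecItemCopyMatching. The following is an added example, not code from the original post or from Apple: it generates a real P-256 private key (rather than storing raw bytes as kSecValueData), adds it with a label, queries the attributes back, and deletes the key again. The application tag is a constructed value, and the code assumes it runs in a signed app so that the data protection keychain is available on macOS.

```swift
import Foundation
import Security

// Constructed tag for this example; not the original post's value.
let exampleTag = "com.example.app2.label-check".data(using: .utf8)!

// Attributes that uniquely identify the example key in the data protection keychain.
func keyQuery() -> [String: Any] {
    return [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyClass as String: kSecAttrKeyClassPrivate,
        kSecAttrApplicationTag as String: exampleTag,
        kSecUseDataProtectionKeychain as String: true,  // on macOS, target the data protection keychain, not a file-based one
    ]
}

func check(_ status: OSStatus) throws {
    guard status == errSecSuccess else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
}

// Stores a fresh P-256 private key under `label`, then reads the stored attributes back
// and returns the label the keychain actually recorded (nil if none was stored).
func storedLabel(for label: String) throws -> String? {
    var cfError: Unmanaged<CFError>?
    let keyAttrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
    ]
    guard let key = SecKeyCreateRandomKey(keyAttrs as CFDictionary, &cfError) else {
        throw cfError!.takeRetainedValue()
    }
    var add = keyQuery()
    add[kSecValueRef as String] = key       // the key object itself, not raw bytes
    add[kSecAttrLabel as String] = label
    try check(SecItemAdd(add as CFDictionary, nil))
    defer { SecItemDelete(keyQuery() as CFDictionary) }  // clean up the example key

    var query = keyQuery()
    query[kSecReturnAttributes as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    try check(SecItemCopyMatching(query as CFDictionary, &result))
    let attrs = result as? [String: Any]
    return attrs?[kSecAttrLabel as String] as? String
}

// Keychain Access will never list this key, but the label is recorded on the item.
print(try storedLabel(for: "Asdf") ?? "<no label stored>")
```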
