First up, I’m going to use the terms from TN3137 On Mac keychain APIs and implementations. Read it before continuing here.
On my macOS 13.4.1, if we use kSecUseDataProtectionKeychain to save passwords into the keychain, then the keys are sometimes created in the login keychain, but sometimes [in the data protection keychain].
When you add an item using SecItemAdd, specifying kSecUseDataProtectionKeychain will always result in the item going into the data protection keychain. It’ll never go into the file-based keychain. If you see that happening, that’s very likely a bug in your code or an issue with how you’re interpreting the results.
Keep in mind that, once you create an item, it’ll stay in the keychain that you created it in. So a common source of confusion is to create an item in the file-based keychain, then update your code to use kSecUseDataProtectionKeychain, and then wonder why it’s still in the file-based keychain.
If you rule out the above possibility and are still seeing problems, please post a snippet showing how you reproduce the issue.
And does it mean that if the key is in the [data protection] keychain it will be synced to other devices, even if it doesn’t have kSecAttrSynchronizable?
No. Items in the data protection keychain are only synced if:
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
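As an added illustration of the point made above (this is not code from the original post or from Apple), the Swift snippet below adds a generic password with kSecUseDataProtectionKeychain set and then checks each keychain separately, so you can tell which one an existing item actually lives in. It assumes macOS 10.15 or later; the service and account names are constructed sample values.

```swift
import Foundation
import Security

// Added example, not from the original post. Assumes macOS 10.15 or later,
// where kSecUseDataProtectionKeychain is available. Service and account
// names are constructed sample values.
let service = "com.example.demo"   // constructed sample value
let account = "alice"              // constructed sample value

/// Adds a generic password, explicitly targeting the data protection keychain.
/// Returns the OSStatus so callers can distinguish errSecDuplicateItem
/// (an item with this service/account already exists there) from success.
func addToDataProtectionKeychain(password: String) -> OSStatus {
    let attrs: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: Data(password.utf8),
        kSecUseDataProtectionKeychain as String: true,
    ]
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// Looks for the item in one keychain or the other, so you can see where it
/// actually lives. With the flag set, only the data protection keychain is
/// searched; without it, macOS targets the file-based keychain by default
/// (as described in TN3137).
func itemExists(inDataProtectionKeychain useDP: Bool) -> Bool {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnAttributes as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    if useDP {
        query[kSecUseDataProtectionKeychain as String] = true
    }
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return status == errSecSuccess
}

let status = addToDataProtectionKeychain(password: "s3cret")
print("SecItemAdd status:", status)   // errSecDuplicateItem if already present
print("in data protection keychain:", itemExists(inDataProtectionKeychain: true))
print("in file-based keychain:", itemExists(inDataProtectionKeychain: false))
```

If the second check reports true for the file-based keychain, the item was created there earlier and, as the answer notes, adding the flag afterwards will not move it.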