Keychain change notifications?

Is there a way to find out when the set of keychains changes? ie, when a keychain is added or removed? I searched here and grepped through the headers in Security.framework but nothing leaped out at me -- which could just mean I missed something, as happens frequently. (This is on macOS.)

Replies

Check out the SecKeychainAddCallback routine.

IMPORTANT This notification mechanism only applies to the file-based keychain [1]. There is no notification mechanism for the data protection keychain (r. 17000765). That doesn’t matter here — the data protection keychain doesn’t have the concept of a keychain search list — but this API can also tell you about items coming and going.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Per the terms defined in TN3137 On Mac keychain APIs and implementations.
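Added example (not code from the thread or from Apple): a small Swift command-line tool that registers a SecKeychainAddCallback for keychain-list, add, delete and trust-settings events on the file-based keychain and prints which keychain each event came from. It assumes the Security.framework constants and signatures named in the comments, that SecKeychainCallbackInfo's keychain field is imported into Swift as Unmanaged, and that a run loop is available, since the notifications are delivered through the main run loop.

```swift
import Foundation
import Security

// Map a SecKeychainEvent to a readable name. Assumption: these constants are
// imported from <Security/SecKeychain.h> as Int globals.
func keychainEventName(_ event: SecKeychainEvent) -> String {
    switch Int(event) {
    case kSecKeychainListChangedEvent: return "keychain-list-changed"
    case kSecAddEvent:                 return "item-added"
    case kSecDeleteEvent:              return "item-deleted"
    case kSecUpdateEvent:              return "item-updated"
    case kSecDefaultChangedEvent:      return "default-keychain-changed"
    case kSecTrustSettingsChangedEvent: return "trust-settings-changed"
    default:                           return "event-\(event)"
    }
}

// Resolve a SecKeychain to its on-disk path so a watcher can tell a change in
// the user's login keychain from one in the system keychain.
func keychainPath(_ keychain: SecKeychain) -> String {
    var length = UInt32(PATH_MAX)
    var buffer = [CChar](repeating: 0, count: Int(PATH_MAX))
    let status = SecKeychainGetPath(keychain, &length, &buffer)
    return status == errSecSuccess ? String(cString: buffer) : "<unknown path>"
}

// The callback is passed to C as a function pointer, so it must be a
// capture-free closure (only global functions are referenced).
let keychainCallback: SecKeychainCallback = { event, infoPtr, _ in
    var detail = ""
    if let info = infoPtr?.pointee {
        // Assumption: `keychain` is imported as Unmanaged<SecKeychain>!; it is
        // nil for list-level events, so take it unretained only when present.
        if let keychain = info.keychain?.takeUnretainedValue() {
            detail += " in \(keychainPath(keychain))"
        }
        detail += " (originating pid \(info.pid))"
    }
    print("keychain event: \(keychainEventName(event))\(detail)")
    return errSecSuccess
}

// Only subscribe to the events a certificate/keychain-list watcher cares about.
let mask: SecKeychainEventMask = [
    .keychainListChangedMask,
    .addEventMask,
    .deleteEventMask,
    .trustSettingsChangedEventMask,
]

let status = SecKeychainAddCallback(keychainCallback, mask, nil)
guard status == errSecSuccess else {
    let message = SecCopyErrorMessageString(status, nil) as String? ?? "unknown error"
    fputs("SecKeychainAddCallback failed: \(status) (\(message))\n", stderr)
    exit(1)
}

print("Watching file-based keychain events; press Ctrl-C to stop.")
// Notifications arrive on the main run loop, so a tool must keep one running.
RunLoop.main.run()
```

Compiling this produces deprecation warnings, which is exactly the situation the thread describes: the API is tied to the file-based keychain and deprecated with it, but it still works. Pair it with SecKeychainRemoveCallback(keychainCallback) on shutdown if the watcher lives inside a longer-running process.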

That is deprecated. (Sooooooo many of the keychain APIs are deprecated.)

Yes, and?

TN3137 discusses this overall situation. It’s not that the APIs are deprecated, it’s that the whole concept of file-based keychains is deprecated. As part of that we deprecated any API that’s exclusively tied to the file-based keychain, including this one.

On the plus side, if you use the data protection keychain you don’t have to worry about the keychain search list changing because there is no keychain search list there.

On the negative side, it’s likely that your product is running outside of a GUI login context and thus can’t use the data protection keychain )-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

OK, that's how I was trying to explain the situation here, so I'm glad I got it almost exactly right. (Your explanation is less rambly than mine. Also, that file-based keychains are probably not going away for quite a while.)

Merci!

(And for the keychains: we only care about the root certificates, as part of network analyses, so that's why I'm not too worried about it. We may have to worry about a root cert being added to a user's keychain, as opposed to the system one, but I believe we can worry about that later, and that later will mean we'll have code in the user agent to deal with it, so present-me is letting future-me deal with it.)