How to modify access control for private key in keychain

I have a cert in a keychain that contains a private key. I'd like to add an application to the access control "white list" for that key. I know how to do this using the graphical keychain tool, but I'd like to do it via the command line (inside a post-install script) or programmatically. Is it possible to do so?

Replies

Can you explain more about your overall goal here? Specifically, how did this private key get into this keychain? And do you control the app that’s going to read this private key?

This matters because changing a private key’s ACL after the fact generally requires user approval, which I presume you’re trying to avoid. You can also run into keychain partitioning problems.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the response @eskimo.

Can you explain more about your overall goal here?

We have two apps which follow different release cycles. The 1st app has created a keypair entry in the keychain and is already present in the field on deployment setups. Now we want to release our 2nd app, which wants to access the keychain entry. Since the 2nd app is not whitelisted in the ACL, I want the 2nd app installer to make that entry in the ACL.

Can it be done somehow programmatically without deleting the existing entry?

We have two apps which follow different release cycle.

These are both signed by the same team?

Also, are you using apps to mean GUI programs that users launch from the Finder? Or in a more generic sense?

By far the best way to achieve this goal is to switch to the data protection keychain and put the item into a keychain access group. The data protection keychain has a completely different access control model, so you’ll never see these alerts again.

Note If you’re not familiar with the term data protection keychain, see TN3137 On Mac keychain APIs and implementations.

This approach works if:

  • Both programs are from the same team.

  • Both programs are bundled, so that they can carry a provisioning profile to authorise the use of the entitlements needed to access the data protection keychain. This includes apps and app extensions, but can include other stuff like a launchd agent.

  • Both programs are running in the same GUI user context. A third-party launchd daemon can’t use the data protection keychain.

If you continue with the file-based keychain then, yeah, it’s nothing but pain. To avoid alerts:

  • Both programs must be from the same team.

  • The program that initially sets up the keychain items must include the other program in its ACL (using the deprecated, but still required in this case, SecTrustedApplication).

If you have a keychain item where the ACL isn’t set up correctly, there is no way to change the ACL without user approval.

One option for a password item is to have the first program migrate the password to the data protection keychain. However, that won’t work for a private key (unless you initially set it up to be extractable, which isn’t the default).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
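The two approaches in the reply above, as an added example that is not part of the original thread or Apple's own sample code. It assumes a hypothetical team ID `ABCDE12345`, a hypothetical keychain access group `ABCDE12345.com.example.sharedkeys` that both programs list in their `keychain-access-groups` entitlement, a hypothetical application tag, and hypothetical paths for the second program's bundle. The first program calls one of the two `create…` functions once; the second program calls `lookupSharedKey`. Note that in the file-based case the other program has to be named at creation time, because, as the reply says, the ACL cannot be widened afterwards without a user prompt.

```swift
import Foundation
import Security

// Assumptions (hypothetical values, not from the thread):
let accessGroup = "ABCDE12345.com.example.sharedkeys"   // entitlement: keychain-access-groups
let keyTag = "com.example.sharedkeys.signing".data(using: .utf8)!
let keyLabel = "Shared signing key"

enum KeychainError: Error {
    case status(OSStatus)
    case cf(CFError)
}

/// Generate a P-256 private key that is NOT yet stored anywhere
/// (no kSecAttrIsPermanent); the SecItemAdd calls below choose where it lands.
func makeEphemeralPrivateKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    let params: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256
    ]
    guard let key = SecKeyCreateRandomKey(params as CFDictionary, &error) else {
        throw KeychainError.cf(error!.takeRetainedValue())
    }
    return key
}

/// Approach 1 (the recommended one): store the key in the data protection
/// keychain inside a keychain access group. Any program from the same team whose
/// entitlements name that group can use it; there is no per-app ACL and no alert.
func createSharedKeyInDataProtectionKeychain() throws -> SecKey {
    let key = try makeEphemeralPrivateKey()
    let add: [CFString: Any] = [
        kSecClass: kSecClassKey,
        kSecValueRef: key,
        kSecAttrApplicationTag: keyTag,
        kSecAttrLabel: keyLabel,
        kSecUseDataProtectionKeychain: true,        // macOS 10.15+; selects the iOS-style keychain
        kSecAttrAccessGroup: accessGroup,
        kSecAttrAccessible: kSecAttrAccessibleAfterFirstUnlock
    ]
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    return key
}

/// Approach 2 (file-based keychain): the ACL is fixed when the item is added, so
/// the first program must list the second program's code here. SecTrustedApplication
/// is deprecated, but it is still what the file-based keychain ACL consumes.
/// `otherProgramPaths` are bundle paths, e.g. ["/Applications/SecondApp.app"] (hypothetical).
func createSharedKeyInFileBasedKeychain(otherProgramPaths: [String]) throws -> SecKey {
    let key = try makeEphemeralPrivateKey()

    var trusted: [SecTrustedApplication] = []
    // nil path means "the program making this call", i.e. the first app itself.
    var selfApp: SecTrustedApplication?
    var status = SecTrustedApplicationCreateFromPath(nil, &selfApp)
    guard status == errSecSuccess, let selfApp = selfApp else { throw KeychainError.status(status) }
    trusted.append(selfApp)
    for path in otherProgramPaths {
        var app: SecTrustedApplication?
        status = SecTrustedApplicationCreateFromPath(path, &app)
        guard status == errSecSuccess, let app = app else { throw KeychainError.status(status) }
        trusted.append(app)
    }

    // An explicit array is passed so that both programs are trusted; passing nil
    // would trust only the caller.
    var access: SecAccess?
    status = SecAccessCreate(keyLabel as CFString, trusted as CFArray, &access)
    guard status == errSecSuccess, let access = access else { throw KeychainError.status(status) }

    let add: [CFString: Any] = [
        kSecClass: kSecClassKey,
        kSecValueRef: key,
        kSecAttrApplicationTag: keyTag,
        kSecAttrLabel: keyLabel,
        kSecAttrAccess: access          // macOS-only attribute carrying the ACL
    ]
    status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    return key
}

/// What the second program does. The query is the same in both worlds, except that
/// the data protection keychain must be selected explicitly and the group named.
func lookupSharedKey(dataProtection: Bool) throws -> SecKey {
    var query: [CFString: Any] = [
        kSecClass: kSecClassKey,
        kSecAttrApplicationTag: keyTag,
        kSecAttrKeyClass: kSecAttrKeyClassPrivate,
        kSecReturnRef: true
    ]
    if dataProtection {
        query[kSecUseDataProtectionKeychain] = true
        query[kSecAttrAccessGroup] = accessGroup
    }
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let item = item else { throw KeychainError.status(status) }
    return item as! SecKey
}
```

Both programs must be signed by the same team for either path to work, and for the data protection keychain both must be bundled so that a provisioning profile can authorise the `keychain-access-groups` entitlement. In the file-based case, a key that was already created without the second program in its ACL cannot be fixed up by this code; the first program has to recreate the item with the wider ACL, which is what the reply above means by "no way to change the ACL without user approval".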