Keychain item access for self signed apps in Sierra

In El Capitan and earlier it's possible to code sign an application using a self-signed identity created with the Certificate Assistant in Keychain Access and the app would reap many benefits of being signed, for example access to keychain items without being prompted. In Sierra this appears to have changed so if a self-signed application creates a new keychain item, then later a modified version of the same application signed with the same identity using the same app identifier is not allowed to read the previously created keychain item without being prompted for access. If instead the same test is carried out using an app signed with an Apple Developer Program dev certificate/identity, no keychain access prompts are shown and the app is recognized and allowed access.


Have looked at TN2206, but haven't found any documentation around this new behavior and whether it's somehow possible to work around using self-signed identities, or if the only way forward in Sierra is to move to Apple dev certs for uninterrupted keychain access during development?

Replies

I’m not sure what’s going on here. If you really want to dig into it you should:

  1. Check that the designated requirement for your app is being preserved across builds

  2. Look at the access control list for the keychain item you created

However, IMO the way forward here is very clear: use an Apple-issued certificate for your development. That’s the well-trodden path. Self-signed code signing certificates were useful back when code signing was first introduced but nowadays they’re just a historical oddity.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
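The two checks in the reply above (is the designated requirement preserved across builds, and what does the keychain item's access control list actually contain) can be scripted. The script below is an added example, not code from the thread or from Apple: the parsing functions read `codesign -d -r -` and `security dump-keychain -a` output on stdin so they can be exercised against captured text, the `*_requirement`/`keychain_item_acl` wrappers call the real macOS tools, and the bundle paths, the service name and the exact layout of the `security` dump (attributes followed by an `access:` section listing `applications`) are assumptions.

```shell
#!/bin/sh
# Added example: the two diagnostic steps from the reply as shell functions.
# Pure functions take tool output on stdin; wrappers run codesign(1) and
# security(1) on macOS. Output formats are assumed from typical tool output.

# Step 1: designated requirement. `codesign -d -r - App.app` prints each
# requirement as "<type> => <expression>"; keep only the designated one.
dr_from_codesign_output() {
    sed -n 's/^designated => //p'
}

# Live wrapper (macOS only): designated requirement of a bundle.
# -d details go to stderr, -r - requirements go to stdout.
app_designated_requirement() {
    codesign -d -r - "$1" 2>/dev/null | dr_from_codesign_output
}

# Two builds signed the same way should yield identical requirement strings.
dr_matches() {
    [ "$1" = "$2" ]
}

# Step 2: keychain item ACL. From `security dump-keychain -a` output, print
# the item whose generic-password service attribute ("svce") equals $1,
# from that attribute through its access entries (assumed: with -a, the
# ACL follows the item's attributes and each item starts with "keychain:").
acl_block_for_service() {
    awk -v svc="$1" '
        /^keychain: /                            { show = 0 }   # new item
        index($0, "\"svce\"<blob>=\"" svc "\"")  { show = 1 }   # our item
        show                                     { print }
    '
}

# Only the application bundle paths the item's ACL trusts
# (lines like "    0: /Applications/MyApp.app (OK)"; .app bundles only).
trusted_apps_for_service() {
    acl_block_for_service "$1" | sed -n 's/^ *[0-9][0-9]*: \(.*\.app\).*/\1/p'
}

# Live wrapper (macOS only): ACL block for a service in the default keychain.
keychain_item_acl() {
    security dump-keychain -a | acl_block_for_service "$1"
}

# Usage: sh check.sh /path/to/OldBuild.app /path/to/NewBuild.app ServiceName
if [ "$#" -eq 3 ]; then
    old=$(app_designated_requirement "$1")
    new=$(app_designated_requirement "$2")
    if dr_matches "$old" "$new"; then
        echo "designated requirement preserved: $old"
    else
        echo "designated requirement changed:"
        echo "  old: $old"
        echo "  new: $new"
    fi
    echo "ACL for keychain item with service '$3':"
    keychain_item_acl "$3"
fi
```

If the two designated requirements differ, the second build is, from the keychain's point of view, a different program, which is consistent with the prompt described in the question; if they match, the ACL block is where to look next, since it records which applications may use the item without a prompt.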