SecTrustedApplicationCreateFromPath removed

Trying to compile my app using Xcode 11.0 Beta 2 and I see that SecTrustedApplicationCreateFromPath() has been removed.


A little surprising, usually things are deprecated for a year or so before being removed. I don't see any alternate API being recommended, and I have no idea how to proceed.


I just need to share a keypair between a daemon and an application. Can anyone point me in the right direction?

Replies

Hmmm, that’s unexpected. Please file a bug about this, then post your bug number here, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I entered FB6193133. Thanks!

My feedback number for this is FB6204258.


My understanding is that this could be intentional from Apple; they have added the kSecUseDataProtectionKeychain attribute in 10.15 that allows kSecAttrAccessGroup to be used on macOS for non-synced keychain items. I have not tested it though, but that is my best guess.


If that is correct, then there is a problem of supporting older macOS versions. How can I release an update for 10.15 while supporting 10.14 and 10.13 if SecTrustedApplicationCreateFromPath is no longer allowed by the compiler?

This surprised me too. I filed FB6481613.

Hi Quinn,


We were surprised by this as well and filed FB6161750. We got a reply that it was intentional, but the recommendations didn't make any sense. There have been no responses to our request for clarification.


Thanks,

Josh

I am having the same troubles. My bug report is FB6708835.

FB6115774 for me.


Was also told it was intentional and to use SecACLUpdateAuthorizations(), which, as far as I can tell, ultimately requires SecTrustedApplicationCreateFromPath(). Even if there is a newer way to accomplish this, the docs don't state what that is and since it was marked unavailable across even older versions of macOS, this will end up breaking things there.

I just sent FB6783909. My report:

I'm using SecTrustedApplicationCreateFromPath in my app Deliveries for the Mac App Store. Deliveries has a helper app, Deliveries Express, and two extensions (Share and Today) that all need access to the same keychain items. Whenever possible, I use a keychain access group to make keychain items available to all parts of the app, as this is a vastly preferable experience for everyone. However, as you know, this is only available to items that are marked as syncing on macOS.


Because of that limitation, I create a list of apps that should have access using SecTrustedApplicationCreateFromPath. I then pass my list of trusted application references to SecAccessCreate, and set the kSecAttrAccess key on the keychain item. In Xcode 11, SecTrustedApplicationCreateFromPath is marked unavailable, so I can no longer compile a working version of my app. I'm not aware of an adequate workaround other than continuing to build with Xcode 10.x.


There's some discussion on this here: [link to this thread] It seems other developers have been told this change is intentional, and at least one person was told to use SecACLUpdateAuthorizations instead. As far as I can tell this requires one to use SecACLCreateWithSimpleContents, which has an applicationList parameter, which one would create using SecTrustedApplicationCreateFromPath. I would greatly appreciate some clarification on the recommended approach.

Whenever possible, I use a keychain access group to make keychain items available to all parts of the app, as this is a vastly preferable experience for everyone. However, as you know, this is only available to items that are marked as syncing on macOS.

If you want iOS-style keychain access groups without the sync, there’s a good solution for you on 10.15, namely kSecUseDataProtectionKeychain.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Oh I missed that, thanks for the heads up! Unfortunately I still need support for 10.13+, but this sounds like a clear improvement for those on the latest OS.

Good news, starting from Xcode 12 beta 5 SecTrustedApplicationCreateFromPath is no longer marked as unavailable, just as deprecated.


It has a comment "no longer supported" in the header file. I guess that means that it won't work in 10.15 anymore and you now need to use kSecUseDataProtectionKeychain there instead.


However, you can now build with it and use it for 10.14 and earlier versions of macOS.
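To tie the two approaches in this thread together (the SecTrustedApplicationCreateFromPath / SecAccessCreate / kSecAttrAccess recipe from the FB6783909 report, and the kSecUseDataProtectionKeychain route Quinn recommends for 10.15), here is an added Swift example of an availability-gated store/load pair. It is not code from any poster or from Apple. It assumes Xcode 12 beta 5 or later headers (where the legacy call is merely deprecated), that the hypothetical access group "TEAMID.com.example.shared" is listed in the keychain-access-groups entitlement of every process that shares the item, and that the trusted application paths are placeholders you would replace with your own daemon and app locations.

```swift
import Foundation
import Security

/// Wraps a Security framework status code with its human-readable message.
struct KeychainError: Error {
    let status: OSStatus
    var message: String {
        (SecCopyErrorMessageString(status, nil) as String?) ?? "OSStatus \(status)"
    }
}

// Constructed sample identifiers; none of these come from the thread.
let sharedService = "com.example.shared-key"                   // hypothetical service name
let sharedAccount = "daemon-and-app"                           // hypothetical account name
let accessGroup   = "TEAMID.com.example.shared"                // placeholder: must appear in keychain-access-groups
let trustedPaths  = [                                          // hypothetical paths for the legacy ACL
    "/Library/PrivilegedHelperTools/com.example.daemon",
    "/Applications/Example.app",
]

/// macOS 10.15+: store the secret in the data protection keychain, where
/// kSecAttrAccessGroup works for non-synced items. Access is decided by the
/// entitlement of the calling process, not by a list of trusted binaries.
@available(macOS 10.15, *)
func storeSharedKeyModern(_ keyData: Data) throws {
    let attrs: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecUseDataProtectionKeychain as String: true,
        kSecAttrAccessGroup as String: accessGroup,
        kSecAttrService as String: sharedService,
        kSecAttrAccount as String: sharedAccount,
        kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlock,
        kSecValueData as String: keyData,
    ]
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError(status: status) }
}

/// macOS 10.14 and earlier: file-based keychain, ACL built from trusted
/// application references and attached through kSecAttrAccess.
@available(macOS, deprecated: 10.15)
func storeSharedKeyLegacy(_ keyData: Data) throws {
    var trusted: [SecTrustedApplication] = []
    for path in trustedPaths {
        var app: SecTrustedApplication?
        let status = SecTrustedApplicationCreateFromPath(path, &app)
        guard status == errSecSuccess, let app = app else { throw KeychainError(status: status) }
        trusted.append(app)
    }
    var access: SecAccess?
    let accessStatus = SecAccessCreate("Example shared key" as CFString, trusted as CFArray, &access)
    guard accessStatus == errSecSuccess, let access = access else {
        throw KeychainError(status: accessStatus)
    }
    let attrs: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: sharedService,
        kSecAttrAccount as String: sharedAccount,
        kSecAttrAccess as String: access,
        kSecValueData as String: keyData,
    ]
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError(status: status) }
}

/// Single entry point: pick the keychain that the running OS supports.
func storeSharedKey(_ keyData: Data) throws {
    if #available(macOS 10.15, *) {
        try storeSharedKeyModern(keyData)
    } else {
        try storeSharedKeyLegacy(keyData)
    }
}

/// Reader side. Both the daemon and the app must branch the same way, or
/// they will look in different keychains and never see each other's item.
func loadSharedKey() throws -> Data {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: sharedService,
        kSecAttrAccount as String: sharedAccount,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    if #available(macOS 10.15, *) {
        query[kSecUseDataProtectionKeychain as String] = true
        query[kSecAttrAccessGroup as String] = accessGroup
    }
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        throw KeychainError(status: status)
    }
    return data
}
```

The legacy branch still compiles with a deprecation warning, which is what makes a single binary that targets 10.13 through 10.15 possible. Keep the two code paths symmetric on the read side as well: an item written to the data protection keychain is not found by a query that omits kSecUseDataProtectionKeychain, and vice versa.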

Hi Quinn, can we use "kSecUseDataProtectionKeychain" with launch daemons as well, as there is no support for provisioning profiles for launch daemons? Thanks.

I believe it’s possible, but you have to package the daemon into a bundle so that there’s a place to store the provisioning profile. That, in turn, means you’ll need to install your daemon via an installer, because SMJobBless can only deal with a ‘flat’ executable.

I’m pretty sure that one of my colleagues has done exactly this in a completely different context. If you run into problems, open a DTS tech support incident and either he or I can respond officially [1].

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Technically kSecUseDataProtectionKeychain is a macOS 10.15 beta feature, and DTS isn’t yet supporting that. However, it’s easy enough to cast your question in terms of stuff that’s included in macOS 10.14.