How to revoke "always allow"/"allow" of keychain access?

This is a mac app.


When I first install this app, it shows a window to input the login password.

I allow it.

When I uninstall this app and then install it again, that window will not show.

I want to know how to revoke "always allow"/"allow" of keychain access with objc.

What should I do? Is there a place to store this permission operation?


And I have another question:

  1. I need to store some keys in the default keychain.
  2. I want to store these keys without inputting a password when installing the app.


What should I do?


I have used the following APIs:

SecItemAdd
SecItemCopyMatching
SecItemUpdate
SecItemDelete


Thanks.

Accepted Reply

And what do you mean "use the iOS style keychain"?

See this post.

But, one of my applications is a command line tool application

How is that tool invoked? By the user from Terminal? Or launched by a GUI app?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

If the setting allows all applications to access this keychain item.

And my question is how to allow all applications to access this item? (Access to this item is not restricted.)

What should I use to set the attributes?

kSecAttrAccess or kSecAttrAccessControl?

And what is the value of the key?

When I uninstall this app and then install it again, that window will not show.

Right, that’s expected. Removing an app from the system does not (currently) remove its keychain items. If you want to invalidate a keychain item when the app is uninstalled, you’ll need to write code to do that. Exactly how you do it depends on how your app is installed and uninstalled. On iOS this is always the same, but on macOS the user has a bunch of options.

So, let’s start with a simple question: Is this a Mac App Store app?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you very much.


And this is an Enterprise app.

Now, I also want to know how to allow all applications to access the default keychain item?

I know there are some attributes to control it.

kSecAttrAccess
kSecAttrAccessControl

And I tried to use them, but it doesn't work.

Now, I have no idea.

And I really want an example with attributes code.


Best Regards

Now, I also want to know how to allow all applications to access the default keychain item?

This is tricky. macOS has two keychain flavours:

  • The original file-based keychain

  • An iOS-style keychain database

Both of these make it hard to share items across teams. So, when you say “all applications”, what do you mean? All applications in your team? Or literally all applications?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks,

There are two or more applications here in one team.

One has a GUI, the others are services.

I have the following questions now:

  1. I have set "allows all applications to access this item" when one application saves a key, but other applications that want to get this key need the login password.
  2. I have set a "trust list" when one application saves a key, and other applications which are in the trust list need the login password too when getting this key.
  3. I've considered using keychain sharing, but service applications cannot be configured.

Is there some better way to share a keychain item without the login password?

The easiest way to share keychain items between apps from the same team is to use the iOS style keychain, which gives you access to shared keychain access groups. See Sharing Access to Keychain Items Among a Collection of Apps.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
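
The shared access group approach from the reply above, together with the delete-on-uninstall cleanup that the earlier reply says an app must code itself, as an added Objective-C example (not code from this thread or from Apple). The access group, service and account strings are hypothetical placeholders, and it assumes macOS 10.15 or later with every participating binary signed with a keychain-access-groups entitlement that lists the group.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical placeholders: substitute your own team prefix and names.
static NSString * const kExampleAccessGroup = @"TEAMID.com.example.shared";
static NSString * const kExampleService     = @"com.example.shared-secret";
static NSString * const kExampleAccount     = @"default";

// Attributes that identify the item. kSecUseDataProtectionKeychain selects the
// iOS-style keychain instead of the file-based one, so access is decided by
// access group membership rather than a per-app trust list and password prompt.
static NSMutableDictionary *ExampleBaseQuery(void) {
    return [@{
        (__bridge id)kSecClass:                     (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:               kExampleService,
        (__bridge id)kSecAttrAccount:               kExampleAccount,
        (__bridge id)kSecAttrAccessGroup:           kExampleAccessGroup,
        (__bridge id)kSecUseDataProtectionKeychain: @YES,
    } mutableCopy];
}

// Add the secret, or replace its value if the item already exists.
// A binary without the entitlement gets errSecMissingEntitlement (-34018).
OSStatus ExampleStoreSecret(NSData *secret) {
    NSMutableDictionary *add = ExampleBaseQuery();
    add[(__bridge id)kSecValueData] = secret;
    add[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleAfterFirstUnlock;
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    if (status == errSecDuplicateItem) {
        NSDictionary *update = @{ (__bridge id)kSecValueData: secret };
        status = SecItemUpdate((__bridge CFDictionaryRef)ExampleBaseQuery(),
                               (__bridge CFDictionaryRef)update);
    }
    return status;
}

// Any binary in the same access group can read the item with the same query.
NSData *ExampleLoadSecret(OSStatus *outStatus) {
    NSMutableDictionary *query = ExampleBaseQuery();
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) { *outStatus = status; }
    return status == errSecSuccess ? CFBridgingRelease(result) : nil;
}

// Call from your own uninstall path: removing the app does not remove the item.
OSStatus ExampleDeleteSecret(void) {
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)ExampleBaseQuery());
    return status == errSecItemNotFound ? errSecSuccess : status;
}
```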

Thank you very much.

But, one of my applications is a command line tool application and it does not have "Capabilities", or should I say it can't use Keychain Sharing.

And what do you mean "use the iOS style keychain"?

Does it have any keywords in attributes?
