12 Replies
      Latest reply on Sep 19, 2019 11:14 AM by sanaw
      jimbojj Level 1 (0 points)

        Trying to compile my app using Xcode 11.0 Beta 2 and I see that SecTrustedApplicationCreateFromPath() has been removed.

        A little surprising; usually things are deprecated for a year or so before being removed. I don't see any alternate API being recommended, and I have no idea how to proceed.

        I just need to share a keypair between a daemon and an application. Can anyone point me in the right direction?

        • Re: SecTrustedApplicationCreateFromPath removed
          eskimo Apple Staff (11,845 points)

          Hmmm, that’s unexpected. Please file a bug about this, then post your bug number here, just for the record.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: SecTrustedApplicationCreateFromPath removed
              jimbojj Level 1 (0 points)

              I entered FB6193133. Thanks!

              • Re: SecTrustedApplicationCreateFromPath removed
                Mr. Brightside Level 2 (55 points)

                My feedback number for this is FB6204258.

                My understanding is that this could be intentional from Apple; they have added the kSecUseDataProtectionKeychain attribute in 10.15, which allows kSecAttrAccessGroup to be used in macOS for non-synced keychain items. I have not tested it, though, but that is my best guess.

                If that is correct, then there is a problem of supporting older macOS versions. How can I release an update for 10.15 while supporting 10.14 and 10.13 if SecTrustedApplicationCreateFromPath is no longer allowed by the compiler?

                • Re: SecTrustedApplicationCreateFromPath removed
                  Ryder Level 1 (0 points)

                  This surprised me too. I filed FB6481613.

                  • Re: SecTrustedApplicationCreateFromPath removed
                    NoMAD-Dev Level 1 (20 points)

                    Hi Quinn,

                    We were surprised by this as well and filed FB6161750. We got a reply that it was intentional, but the recommendations didn't make any sense. There have been no responses to our request for clarification.

                    Thanks,

                    Josh

                    • Re: SecTrustedApplicationCreateFromPath removed
                      depth42 Level 1 (0 points)

                      I am having the same troubles. My bug report is FB6708835.

                      • Re: SecTrustedApplicationCreateFromPath removed
                        Mr_Noodle Level 1 (0 points)

                        FB6115774 for me.

                        Was also told it was intentional and to use SecACLUpdateAuthorizations(), which, as far as I can tell, ultimately requires SecTrustedApplicationCreateFromPath(). Even if there is a newer way to accomplish this, the docs don't state what that is and since it was marked unavailable across even older versions of macOS, this will end up breaking things there.

                        • Re: SecTrustedApplicationCreateFromPath removed
                          robotspacer Level 1 (10 points)

                          I just sent FB6783909. My report:

                          I'm using SecTrustedApplicationCreateFromPath in my app Deliveries for the Mac App Store. Deliveries has a helper app, Deliveries Express, and two extensions (Share and Today) that all need access to the same keychain items. Whenever possible, I use a keychain access group to make keychain items available to all parts of the app, as this is a vastly preferable experience for everyone. However, as you know, this is only available to items that are marked as syncing on macOS.

                          Because of that limitation, I create a list of apps that should have access using SecTrustedApplicationCreateFromPath. I then pass my list of trusted application references to SecAccessCreate, and set the kSecAttrAccess key on the keychain item. In Xcode 11, SecTrustedApplicationCreateFromPath is marked unavailable, so I can no longer compile a working version of my app. I'm not aware of an adequate workaround other than continuing to build with Xcode 10.x.

                          There's some discussion on this here: [link to this thread] It seems other developers have been told this change is intentional, and at least one person was told to use SecACLUpdateAuthorizations instead. As far as I can tell this requires one to use SecACLCreateWithSimpleContents, which has an applicationList parameter, which one would create using SecTrustedApplicationCreateFromPath. I would greatly appreciate some clarification on the recommended approach.

                            • Re: SecTrustedApplicationCreateFromPath removed
                              eskimo Apple Staff (11,845 points)

                              Whenever possible, I use a keychain access group to make keychain items available to all parts of the app, as this is a vastly preferable experience for everyone. However, as you know, this is only available to items that are marked as syncing on macOS.

                              If you want iOS-style keychain access groups without the sync, there’s a good solution for you on 10.15, namely kSecUseDataProtectionKeychain.

                              Share and Enjoy

                              Quinn “The Eskimo!”
                              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                              let myEmail = "eskimo" + "1" + "@apple.com"
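
An added example, not part of the original thread and not Apple's or any poster's code: storing and reading a generic-password item in the data protection keychain under a shared access group, as suggested in the reply above. The access group, service and account values are placeholder assumptions; every target that shares the item must list the group in its keychain-access-groups entitlement.

```swift
import Foundation
import Security

// Placeholder (assumption): replace with a group listed in the
// keychain-access-groups entitlement of the app, helper and extensions.
let sharedAccessGroup = "TEAMID.com.example.shared"

enum KeychainError: Error { case unexpectedStatus(OSStatus) }

// Attributes that identify the item; used for add, update and lookup.
@available(macOS 10.15, *)
func baseQuery(service: String, account: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrAccessGroup as String: sharedAccessGroup,
        // Route the call to the iOS-style keychain instead of the file-based one.
        kSecUseDataProtectionKeychain as String: true,
    ]
}

@available(macOS 10.15, *)
func storeSharedSecret(_ secret: Data, service: String, account: String) throws {
    let query = baseQuery(service: service, account: account)
    var attributes = query
    attributes[kSecValueData as String] = secret
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
    var status = SecItemAdd(attributes as CFDictionary, nil)
    if status == errSecDuplicateItem {
        // Item already exists (possibly written by another target): replace its data.
        let update = [kSecValueData as String: secret]
        status = SecItemUpdate(query as CFDictionary, update as CFDictionary)
    }
    // errSecMissingEntitlement here means the target is not signed with the group.
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

@available(macOS 10.15, *)
func loadSharedSecret(service: String, account: String) throws -> Data? {
    var query = baseQuery(service: service, account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    return result as? Data
}
```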

                          • Re: SecTrustedApplicationCreateFromPath removed
                            Mr. Brightside Level 2 (55 points)

                            Good news, starting from Xcode 12 beta 5 SecTrustedApplicationCreateFromPath is no longer marked as unavailable, just as deprecated.

                            It has a comment "no longer supported" in the header file; I guess that means that it won't work in 10.15 anymore and you now need to use kSecUseDataProtectionKeychain there instead.

                            However, you can now build with it and use it for 10.14 and earlier versions of macOS.