1 Reply
      Latest reply on Sep 12, 2019 12:56 AM by eskimo
      jaraco Level 1 Level 1 (0 points)

        In the Python keyring project, the project has encountered an error invoking the SecKeychainFindGenericPassword API function in a forked process.

         

        We've gotten as far as replicating the problem outside of the keyring project in a native app.

         

        As you can see in that example, a simple Objective-C application replicates the issue - the child raises a signal 11 when attempting to query the keyring in a child process.

         

        Is there a way to safely initialize a child process to support invoking the security APIs?

        • Re: Why can a forked process not access the keyring?
          eskimo Apple Staff Apple Staff (11,795 points)

          Looking at the test code you posted, it seems that you are fork’ing without exec’ing.  This generally doesn’t end well on macOS.  The problem is that most of our high-level system services rely on Mach messaging, and Mach messaging gets very confused in this state.  macOS only supports fork without exec as far as is necessary to get Posix programs up and running.

          IMPORTANT This is not specific to the keychain API.  Any API, except the very lowest level stuff in the System framework, is likely to hit similar problems.

          Is there a way to safely initialize a child process to support invoking the security APIs?

          Yep.  Just call exec (-:  Seriously though, UNIX-y programs tend to get around this restriction by exec’ing themselves after a fork, supplying a special command-line argument so that main knows to enter a “I’m here to respond to keychain requests” mode.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"