After I generate an App Store Connect API key and download it, I would like to be able to keep this p8 key in the keychain to keep it secure.
How can I do that?
It does not appear that the Keychain Access application can import these keys directly.
If this is not recommended, what is the standard practice for keeping these keys secure?
Hello MrLinear,
What are you trying to accomplish by storing the .p8 key in the System Keychain? "Secure" can mean a few different things based off of the context of the environment that you are working with.
To answer the question though, the .p8 key is simply a string of text identifying your private key. What you can do is open this with any raw text editor and then create a new password in your system keychain, name it something unqiue, then store the text as the password. This is really your only option for putting this into the system keychain, but depending on the environment where this exists, you might want to use a custom keychain and then reference that keychain specifically when working with the API or environment in which you are building to interact with the App Store Connect API.
If you can share more information about the environment I would be happy to dive deeper into the solution with you!
Hopefully this helps!
I am only looking for best practices here. The 2018 WWDC video discussing this only spent a few moments on the topic and only specifically mentioned that one need to be careful with permissions if the file was stored on disk. For Unix based system, I would imagine that one would use 0600.
For macOS, using the Keychain seems to be the most natural place to keep it. I wasn't sure if there was some other way to store the private key in the Keychain other then pretending that it is just a rather long password.
There are plenty of good libraries out there that can communicate with the keychain and keep the key in memory so it never needs to be written to disk when actually accessed.
