1 Reply
      Latest reply on Oct 8, 2019 11:15 AM by eskimo
      Haggis Level 1 Level 1 (0 points)

        I want to embed a command line tool into my app. I would like the app to create keychain items, and access those from the tool. Has anyone done this? I've struggled for ages so far with no luck!


        To test things I have created two test apps, enabled "Keychain sharing" under Signing & Capabilities, and specified the same keychain group in both apps. With this I can access the same keychain items just fine from each app.


        However, when I embed a test Command Line Tool into one of those two apps, it doesn't seem to inherit the app's "Keychain sharing" setting, and can't access the keychain items created by the parent apps.


        The code is at https://github.com/jeff-h/sharedKeychainAccessDemo in case anyone's interested.

        • Re: How to share keychain items with embedded command line tool?
          eskimo Apple Staff Apple Staff (12,305 points)

          Sharing keychain items between an app and a tool is tricky.  As with all things keychain on the Mac, there’s two approaches you can take:

          • Using the traditional Mac file-based keychain (A)

          • Using the iOS-style database keychain (B)

          With A, access control is managed by an ACL.  The item’s creator needs to set up the ACL to allow the other party to access it.

          The problem with this approach is that critical APIs involved have been deprecated (specifically, SecTrustedApplication).

          With B, the problem is that access to the iOS-style keychain is gated by a provisioning profile, and it’s not easy to give a command line tool such a profile.  You can get around this by packaging the command-line tool into an app-like bunch, but it’s all a bit strange.

          If I were in your shoes I’d probably go for B.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"