Cannot access keychain in daemon.

My macOS app contains a basic GUI client and a daemon which reads/writes some private data into the default keychain at daemon startup. I build a pkg installer to distribute the app, which has a post-install script to create a plist entry in LaunchDaemons and start the daemon after installation.


All of the above works fine if I sign the app with a developer certificate and the pkg installer with a Developer ID Installer cert, but if I sign the app with Developer ID Application (distribution certificate), I cannot access the Keychain in the daemon.


The daemon throws the error below:

code: -25308, message: "User interaction is not allowed."


The Console app has the following log:

19:14:23.073923 -0700 securityd 96 0x7f892d324db0(0x7f892d3250d0) unlocking for makeUnlocked()
19:14:23.073965 -0700 securityd 96 reading system unlock record from /var/db/SystemKey
19:14:23.081023 -0700 trustd 170 OCSPResponse: single response has extension(s).
19:14:23.082415 -0700 trustd 170 asynchronously fetching CRL (http://crl.apple.com/root.crl) for client (securityd[96]/0#-1 LF=0)
19:14:23.082463 -0700 trustd 170 cert[2]: AnchorTrusted =(leaf)[force]> 0
19:14:23.086401 -0700 securityd 96 code requirement check failed (-67050), client is not Apple-signed
19:14:23.086421 -0700 securityd 96 Keychain query for process 2794 (UID 0)
19:14:23.086452 -0700 securityd 96 client is valid, proceeding
19:14:23.086787 -0700 securityd 96 code requirement check failed (-67050), client is not Apple-signed
19:14:23.086866 -0700 securityd 96 displaying keychain prompt for /Applications/MyApp.app/Contents/Resources/dameon-p(2794)
19:14:23.087276 -0700 securityd 96 new SecurityAgentConnection(0x70000ebe2410)
19:14:23.087295 -0700 securityd 96 new SecurityAgentXPCQuery(0x70000ebe2410)
19:14:23.087636 -0700 securityd 96 code requirement check failed (-67050), client is not Apple-signed
19:14:23.087667 -0700 securityd 96 activate(0x70000ebe2410)
19:14:23.087735 -0700 securityd 96 MacOS error: -25337
19:14:23.088876 -0700 securityd 96 CSSM Exception: 224 unknown error 224=e0
19:14:23.089677 -0700 securityd 96 SecurityAgentXPCQuery(0x70000ebe2410) dying
19:14:23.089695 -0700 securityd 96 SecurityAgentConnection(0x70000ebe2410) dying
19:14:23.094558 -0700 dameon-p 2794 CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION


If I read the above log correctly, securityd is complaining that the daemon is not Apple-signed, but I'm not sure if that means signing with an App Store distribution certificate is needed for the daemon to access the keychain.


Has anyone seen this behavior before? A few people online suggested using the SessionCreate key in the LaunchDaemon plist and setting it to true, but that didn't make any difference.
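Added example, not code from the post or from Apple: a small Python triage helper that groups the securityd lines of a Console excerpt like the one above by client pid, so you can see which process securityd tried to prompt and what came back. The sample lines are constructed in the shape of the excerpt, and the record layout and function names are my own.

```python
import re

# Constructed sample in the shape of the post's Console excerpt (not a real capture).
SAMPLE_LOG = """\
19:14:23.086401 -0700 securityd 96 code requirement check failed (-67050), client is not Apple-signed
19:14:23.086421 -0700 securityd 96 Keychain query for process 2794 (UID 0)
19:14:23.086787 -0700 securityd 96 code requirement check failed (-67050), client is not Apple-signed
19:14:23.086866 -0700 securityd 96 displaying keychain prompt for /Applications/MyApp.app/Contents/Resources/dameon-p(2794)
19:14:23.087735 -0700 securityd 96 MacOS error: -25337
19:14:23.094558 -0700 dameon-p 2794 CSSM Exception: -2147415840 CSSMERR_CSP_NO_USER_INTERACTION
"""

LINE_RE = re.compile(r"^(?P<time>\S+) (?P<tz>[+-]\d{4}) (?P<proc>\S+) (?P<pid>\d+) (?P<msg>.*)$")
QUERY_RE = re.compile(r"^Keychain query for process (?P<pid>\d+) \(UID (?P<uid>\d+)\)")
PROMPT_RE = re.compile(r"^displaying keychain prompt for (?P<path>.+)\((?P<pid>\d+)\)$")
ERROR_RE = re.compile(r"^MacOS error: (?P<code>-?\d+)$")
EMPTY = {"uid": None, "code_req_failures": 0, "prompt_path": None,
         "securityd_error": None, "client_exception": None}

def triage(log_text):
    """Group a securityd excerpt by client pid and record what happened to each keychain query."""
    records, current, pending = {}, None, 0  # pending: failures logged before a query names its pid
    for line in log_text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        proc, pid, msg = m["proc"], int(m["pid"]), m["msg"]
        if proc != "securityd":
            # Client-side line: attach its CSSM exception to the matching securityd record.
            if pid in records and msg.startswith("CSSM Exception: "):
                records[pid]["client_exception"] = msg[len("CSSM Exception: "):]
        elif q := QUERY_RE.match(msg):
            current = int(q["pid"])
            records[current] = dict(EMPTY, uid=int(q["uid"]), code_req_failures=pending)
            pending = 0
        elif msg.startswith("code requirement check failed"):
            if current is None:
                pending += 1
            else:
                records[current]["code_req_failures"] += 1
        elif p := PROMPT_RE.match(msg):
            current = int(p["pid"])
            records.setdefault(current, dict(EMPTY))["prompt_path"] = p["path"]
        elif (e := ERROR_RE.match(msg)) and current is not None:
            records[current]["securityd_error"] = int(e["code"])
    return records

def blocked_on_ui(rec):
    """True when securityd tried to show a prompt that a headless client could not answer."""
    return rec["prompt_path"] is not None and (
        rec["securityd_error"] is not None or "NO_USER_INTERACTION" in (rec["client_exception"] or ""))
```

Run it over a longer `log show` export for securityd and the daemon's process name to confirm the prompt is what fails each query, before changing signing or plist settings.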

Replies

Are you trying to use the iOS-style keychain? Or the original file-based keychain?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"