can an xpc service access the keychain.

I am trying to create an app bundle with an XPC service. The main app creates a keychain item and attempts to share it (via keychain access groups) with the XPC service it includes in its bundle. However, the XPC service always encounters a 'user interaction not allowed' error regardless of how I create the keychain item. kSecAttrAccessible is set to kSecAttrAccessibleWhenUnlockedThisDeviceOnly, and the keychain access group is set for both the main app and the XPC service and in the provisioning profile. I've tried signing and notarizing.

Is it ever possible for an XPC service to access the keychain? This is all on macOS 15.5.

Answered by DTS Engineer in 850067022

Are you sure you opted in to the data protection keychain? By default macOS uses the file-based keychain, and the keychain item sharing story there is much more convoluted.

See TN3137 On Mac keychain APIs and implementations for more background about these terms.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the response. I had tried that, but it was being rejected with the error 'One or more parameters passed to a function were not valid.' However, this turned out to be because I was passing in the valueData as a String and not as Data(). This is accepted by the file-based keychain implementation, but not by the data protection keychain. With that change, things work!

It now works as expected; thanks for your help!
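Putting the two points from the thread together (opting in to the data protection keychain, and passing kSecValueData as Data rather than String), here is an added example that is not code from the original posts. The access group string, service and account names are placeholders; the access group must match the keychain-access-groups entitlement of both the app and the XPC service, which this example assumes is already configured.

```swift
import Foundation
import Security

// Hypothetical access group; it must appear in the keychain-access-groups
// entitlement of both the main app and the XPC service (assumption).
let sharedAccessGroup = "TEAMID.com.example.shared"

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

/// Called from the main app. Stores a generic-password item in the data
/// protection keychain so that any process in the same access group can
/// read it without a UI prompt (which is what an XPC service needs).
func addSharedSecret(service: String, account: String, secret: String) throws {
    let attributes: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        // Opt in. Without this, macOS uses the file-based keychain, where
        // access-group sharing does not apply and the XPC service gets
        // errSecInteractionNotAllowed (-25308).
        kSecUseDataProtectionKeychain as String: true,
        kSecAttrAccessGroup as String: sharedAccessGroup,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        // Must be Data. The file-based shim tolerates a String here; the
        // data protection keychain rejects it with errSecParam (-50),
        // "One or more parameters passed to a function were not valid."
        kSecValueData as String: Data(secret.utf8),
    ]
    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw KeychainError.unexpectedStatus(status)
    }
}

/// Called from the XPC service. The query must also opt in to the data
/// protection keychain and name the same access group, otherwise the
/// lookup goes to the file-based keychain and misses the item.
func readSharedSecret(service: String, account: String) throws -> String? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecUseDataProtectionKeychain as String: true,
        kSecAttrAccessGroup as String: sharedAccessGroup,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound {
        return nil
    }
    guard status == errSecSuccess, let data = result as? Data else {
        throw KeychainError.unexpectedStatus(status)
    }
    return String(decoding: data, as: UTF8.self)
}

/// Cleanup helper; the delete query needs the same opt-in flag too.
func deleteSharedSecret(service: String, account: String) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecUseDataProtectionKeychain as String: true,
        kSecAttrAccessGroup as String: sharedAccessGroup,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    let status = SecItemDelete(query as CFDictionary)
    guard status == errSecSuccess || status == errSecItemNotFound else {
        throw KeychainError.unexpectedStatus(status)
    }
}

// Usage (main app side, then what the XPC service would run):
// try addSharedSecret(service: "com.example.app", account: "api-token", secret: "s3cr3t")
// let token = try readSharedSecret(service: "com.example.app", account: "api-token")
```

The point to check when debugging this: kSecUseDataProtectionKeychain has to be present on every call (add, copy, update, delete) in both processes. A query without it is routed to the file-based keychain, so a mismatch shows up as errSecItemNotFound on one side or the 'user interaction not allowed' error the question describes.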

With that change, things work!

Yay!

And we prefer folks to use the data protection keychain, so this is a win all round.

This is accepted for the file-based keychain implementation, but not the data protection keychain.

Ah, yes, fun with the shim. I talk about this problem in general in the Careful With that Shim, Mac Developer section of SecItem: Pitfalls and Best Practices.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"