Security

Secure the data your app manages and control access to your app using the Security framework.

Posts under Security tag

302 Posts
Post not yet marked as solved
5 Replies
9.5k Views
/usr/bin/codesign --force --sign 0CC6....97 --entitlements /Users/<home>/Library/Developer/Xcode/DerivedData/testcodesignin01-goacjvxyeavzuvdynuqnejjbaqjo/Build/Intermediates.noindex/testcodesignin01.build/Debug-iphoneos/testcodesignin01.build/testcodesignin01.app.xcent --timestamp=none /Users/<home>/Library/Developer/Xcode/DerivedData/testcodesignin01-goacjvxyeavzuvdynuqnejjbaqjo/Build/Products/Debug-iphoneos/testcodesignin01.app
Warning: unable to build chain to self-signed root for signer "Apple Development: <myappacountemail> (myaccountid)"
/Users/<home>/Library/Developer/Xcode/DerivedData/testcodesignin01-goacjvxyeavzuvdynuqnejjbaqjo/Build/Products/Debug-iphoneos/testcodesignin01.app: errSecInternalComponent
Post not yet marked as solved
7 Replies
4.0k Views
Error in Xcode 10.3 on macOS 10.15.3 on executing command SecCodeCopyGuestWithAttributes for macOS Cocoa application.

    [logging-persist] os_unix.c:43353: (0) open(/var/db/DetachedSignatures) - Undefined error: 0

The file /var/db/DetachedSignatures does not exist. Any reason why? How to fix this?
Post not yet marked as solved
6 Replies
1.9k Views
Hey there,

I'm having trouble with a macOS app and its connected privileged helper tool. It looks like there is a problem with the new TCC - Files And Folders security layer. The console says it pretty clearly:

    -[TCCDAccessIdentity staticCode]: static code for: identifier /Library/PrivilegedHelperTools/com.my.HelperTool, type: 1: 0x7fdd0b61d300 at /Library/PrivilegedHelperTools/com.my.HelperTool
    Refusing TCCAccessRequest for service kTCCServiceSystemPolicyDownloadsFolder from client /Library/PrivilegedHelperTools/com.my.HelperTool in background session

Resetting permissions via tccutil didn't help. The app and the helper tool are successfully codesigned and notarized (but not sandboxed). Any tips on how to satisfy TCC? Anything I can check? Any documentation besides WWDC 2019 – Advances in macOS Security?

Btw, I'm on Catalina 10.15.4.

Thanks a lot,
Gary
Post marked as solved
11 Replies
4.7k Views
I've just built an app, signed it with my Developer ID certificate, and had it successfully notarized. However, when I download a zipped copy of the app in macOS 10.15.5 and try to run it, I get the "“XYZ” can’t be opened because Apple cannot check it for malicious software" error message. The same zip file works fine in 10.14.6 and earlier.

All of the usual checks to make sure the app is signed and notarized properly report that it is:

    % codesign --verbose --verify XYZ.app
    XYZ.app: valid on disk
    XYZ.app: satisfies its Designated Requirement
    % xcrun stapler validate XYZ.app
    Processing: /path/to/XYZ.app
    The validate action worked!
    % spctl --assess --verbose XYZ.app
    XYZ.app: accepted
    source=Notarized Developer ID

Previous versions of the app had no issue with notarization. I haven't changed anything significant in the app since its last release, aside from a few bugfixes, nor have I changed the method I use to sign or notarize it.

What's going wrong? I've had so many headaches due to the new notarization requirement, so I'm quite dismayed I've run into another one. And due to the black-box nature of notarizing there's no way for me to figure out what's going wrong other than to ask here!
Post not yet marked as solved
1 Replies
891 Views
The use case is that an enterprise admin wants to enable/disable a Safari extension without the user's involvement. Currently, the onus is on the user to enable/disable the extension. In a managed endpoint environment, the admin needs control to enable certain extensions silently/automatically (without the user's involvement).
Post not yet marked as solved
2 Replies
1.4k Views
We are working on a banking application with SMS authentication with OTP. We have tagged our UITextFields correctly with the type .oneTimeCode. With some codes this is not being suggested on the keyboard as would be expected. In the Messages app they are not suggested for copying either, but we don't know why.

    Aviso Bankia: Solicitado 27/05 consulta del PIN de tu tarjeta *0285 en Bankia Online. Codigo Firmamovil: 9N2U --> suggested correctly
    Aviso Bankia: Solicitado 27/05 consulta del PIN de tu tarjeta *0285 en Bankia Online. Codigo Firmamovil: 9QNJ --> It's not suggested
    Aviso Bankia: Alta de la tarjeta *285 en Apple Pay 28/05. Codigo Firmamovil: RB7V --> suggested correctly
    Aviso Bankia: Alta de la tarjeta *028 en Apple Pay 29/06. Codigo Firmamovil: 9TVT --> It's not suggested
    Aviso Bankia: Solicitado 27/05 consulta del PIN de tu tarjeta *0285 en Bankia Online. Codigo Firmamovil: 3T3E --> suggested correctly
    Aviso Bankia: Solicitada consulta de CVV de su tarjeta ***0285 en Bankia Online. 28/05. Codigo Firmamovil: 8MQG --> It's not suggested

Thanks.
Post not yet marked as solved
15 Replies
1.3k Views
Hi, I'm trying to verify the signature in the sample provided here: https://developer.apple.com/documentation/storekit/skadnetwork/verifying_an_install_validation_postback

I created the following files:

1. apple.pub

    ----BEGIN PUBLIC KEY
    MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEMyHD625uvsmGq4C43cQ9BnfN2xsl
    VT5V1nOmAMP6qaRRUll3PB1JYmgSm+62sosG
    ----END PUBLIC KEY

2. signature.bin

Contains base64 decoding of MDYCGQCsQ4y8d4BlYU9b8Qb9BPWPi+ixk/OiRysCGQDZZ8fpJnuqs9my8iSQVbJO/oU1AXUROYU=

3. message.bin

Contains the '\u2063' delimited string:

    0⁣com.example⁣42⁣525463029⁣6aafb7a5-0170-41b5-bbe4-fe71dedf1e28⁣1⁣1234567891

But trying to verify the signature using the command below returns "Verification Failure":

    openssl dgst -sha256 -verify apple.pub -signature signature.bin message.bin

What's the problem and how can the signature be verified using openssl?
Post not yet marked as solved
12 Replies
1.3k Views
I'm trying to interact with a remote server that requires a client certificate. I have obtained the required info from a separate login tool from the same vendor. However, I am having no end of trouble connecting the dots. Specifically I can't manage to get the needed SecIdentity from the raw PEM data.

Here is the code (with actual data copy/pasted from vendor, but truncated here):

    let pemString = """
    ----BEGIN PRIVATE KEY
    MIGHAg(key contents truncated)QS1osPzBH8
    ----END PRIVATE KEY
    ----BEGIN CERTIFICATE
    MIIDkT(cert contents truncated)1yIMCYx2E=
    ----END CERTIFICATE
    ----BEGIN CERTIFICATE
    MIIDWD(cert contents truncated)e19Jv799c=
    ----END CERTIFICATE
    """
    let pemData = pemString.data(using: .utf8)!
    var inputFormat: SecExternalFormat = .formatUnknown
    var itemType: SecExternalItemType = .itemTypeUnknown
    var itemsCFArray: CFArray? = nil
    let error = SecItemImport(pemData as CFData, nil, &inputFormat, &itemType, [], nil, nil, &itemsCFArray)
    let errorString = SecCopyErrorMessageString(error, nil)

The error is always "Unknown format in import." Any ideas why this is returning "Unknown format"?
Post marked as solved
4 Replies
3.5k Views
Hi everyone,

I am trying to authenticate a user through ASWebAuthenticationSession, and after that redirect to a URL that uses the callback scheme. The authentication page URL is correctly loaded in a browser thanks to ASWebAuthenticationPresentationContextProviding. But after the form is completed and authentication succeeds, what I am doing is a redirect directly from my server to "http://localhost:5000/ios/hola?hola=hola".

I am trying to catch this URL using a callbackScheme in my iOS app, using the same URL as the one I redirected the browser to, but this is not working. I also tried to create a Scheme URL for my identifier, and pass it to the callbackScheme, but this is not working either.

The documentation is not very clear on how to manage the authentication callback, and as a beginner I don't know the way to solve this. Some help would be appreciated. Thank you for your time!

PS: This is the code of my class

    @available(iOS 12.0, *)
    class AuthView: UIViewController {
        var authSession: ASWebAuthenticationSession!

        override func viewDidLoad() {
            super.viewDidLoad()
            if #available(iOS 13.0, *) {
                configureAuthSession()
            }
        }

        @available(iOS 13.0, *)
        private func configureAuthSession() {
            let urlString = "http://localhost:3000/"
            guard let url = URL(string: urlString) else { return }
            let callbackScheme = "http://localhost:5000/ios/matriga/hola"
            authSession = ASWebAuthenticationSession(url: url, callbackURLScheme: callbackScheme)
            { (callbackURL, error) in
                guard error == nil, let successURL = callbackURL else { return }
                let code = NSURLComponents(string: (successURL.absoluteString))?.queryItems?.filter({ $0.name == "code" }).first
            }
            authSession.presentationContextProvider = self
            authSession.start()
        }
    }

    @available(iOS 12.0, *)
    extension AuthView: ASWebAuthenticationPresentationContextProviding {
        @available(iOS 12.0, *)
        func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
            return self.view.window ?? ASPresentationAnchor()
        }
    }
Post not yet marked as solved
2 Replies
458 Views
Hi,

I'm currently trying to generate and store a private key and protect this key with Local Authentication using the Security framework (not CryptoKit; unfortunately, I still need to support versions below iOS 13). To be more precise, I am trying to generate a Secure Enclave private key protected by local authentication (using access control with biometryAny), but I'm not able to trigger Local Authentication when retrieving the key.

The Secure Enclave key is successfully generated (that I confirmed), and I also confirmed that if I create a key without kSecAttrTokenID, exactly the same code triggers the Local Authentication when reading the generated key.

Following is what I'm doing in my code:

    // Key generation query
    var query = [String: Any]()
    query[String(kSecAttrKeyType)] = String(kSecAttrKeyTypeEC)
    query[String(kSecAttrKeySizeInBits)] = 256
    query[String(kSecAttrAccessGroup)] = "accessGroup"
    query[String(kSecAttrTokenID)] = String(kSecAttrTokenIDSecureEnclave)

    // Key Attributes
    var keyAttr = [String: Any]()
    keyAttr[String(kSecAttrIsPermanent)] = true
    keyAttr[String(kSecAttrApplicationTag)] = "applicationTag"
    let accessControl = SecAccessControlCreateWithFlags(kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .biometryAny, nil)!
    keyAttr[String(kSecAttrAccessControl)] = accessControl
    query[String(kSecPrivateKeyAttrs)] = keyAttr

    // Generate Key
    var error: Unmanaged<CFError>?
    let privateKey = SecKeyCreateRandomKey(query as CFDictionary, &error)

If I remove the line "query[String(kSecAttrTokenID)] = String(kSecAttrTokenIDSecureEnclave)", which basically tells the system to generate the key using the Secure Enclave, then retrieving the generated key triggers the Local Authentication, but with that Secure Enclave flag, Local Authentication is never triggered.

Is it not triggering the local authentication because the Secure Enclave key is already protected with the same level of security? Or am I missing something here?

By the way, I tried with .userPresence and .biometryCurrentSet for Secure Enclave, but still had no luck.. :(

Any advice would be greatly appreciated.

Thanks,
Post marked as solved
19 Replies
4.9k Views
In our app we're performing authentication using ASWebAuthenticationSession. SSO seems to work fine in iOS 13 for different paths for the same domain but when running the same app in iOS 14, cookies don't seem to be attached to subsequent requests once authenticated in safari window.

I'm not sure if it helps: Looking at the logging in instruments when running the app in iOS 14 device, I can see:

    00:09.690.903 Default iOS B2c Sample (1691) CFNetwork Default iOS B2c Sample 0x1631f Faulting in NSHTTPCookieStorage singleton
    00:09.690.929 Default iOS B2c Sample (1691) CFNetwork Default iOS B2c Sample 0x1631f Faulting in CFHTTPCookieStorage singleton
    00:09.690.944 Default iOS B2c Sample (1691) CFNetwork Default iOS B2c Sample 0x1631f Creating default cookie storage with default identifier

(Above logs don't happen in iOS 13)

and later in iOS 14:

    00:10.113.701 Debug iOS B2c Sample (1691) CFNetwork Default iOS B2c Sample 0x1631c Task <88E60E41-6B7B-4787-ABF6-B65C92C8FF4E>.<1> request https://testb2c.b2clogin.com/testb2c.onmicrosoft.com/b2c_1_susi/oauth2/v2.0/token is NOT allowed to set HSTS for main doc

In iOS 13:

    00:15.570.171 Debug iOSB2C (5320) CFNetwork Default iOSB2C 0x24045d Task <79A2078B-718D-4D4D-A46D-1FF1B2238431>.<6> request n/a is NOT allowed to set HSTS for main doc
    00:23.139.303 Debug iOSB2C (5320) CFNetwork Default iOSB2C 0x24045d Task <88D45825-FB1E-4C38-8EFF-87A8528B61E3>.<7> request n/a is NOT allowed to set HSTS for main doc

Has anyone noticed similar issue with ASWebAuthenticationSession?
Post marked as solved
2 Replies
590 Views
Our UI Tests require interaction with physical devices. There is a Flask server on a Raspberry Pi in our local network which is able to interact with those devices. From within XCTestCase we send a request to this server and the server does its job. Everything works on iOS 13, but on iOS 14 there is always an error that there is no internet connection, -1009.

The application's and the test's Info.plist have:

    App Transport Security Settings:
        Allow Arbitrary Loads: True
        Allows Local Networking: True
    Privacy - Local Network Usage Description

I suspect this is something with 'Local Network Permission' but setting its description in does not solve the problem.

Thanks
Post marked as solved
3 Replies
574 Views
Hi!

I'm having an issue with decrypting Data when the app is in the background and the iPhone gets locked by the user. The app works as expected when it's in the background and the iPhone is NOT locked.

I'm getting the following error:

    Unmanaged<CFErrorRef>(_value: Error Domain=NSOSStatusErrorDomain Code=-25308 "setoken: unable to compute shared secret" UserInfo={NSLocalizedDescription=setoken: unable to compute shared secret, AKSError=-536870174})

Here is the code I use to decrypt:

    let decryptedData = SecKeyCreateDecryptedData(
      try privateSecKey(),
      .eciesEncryptionStandardVariableIVX963SHA256AESGCM,
      data as CFData,
      &error) as Data?

and the encryption code is:

    let encryptedData = SecKeyCreateEncryptedData(
      key,
      .eciesEncryptionCofactorVariableIVX963SHA256AESGCM,
      data as CFData,
      &error) as Data?

Query for the private key for decryption:

    let query: [String: Any] = [
      kSecClass as String: kSecClassKey,
      kSecAttrApplicationTag as String: tag,
      kSecAttrKeyType as String: kSecAttrKeyTypeEC,
      kSecReturnRef as String: true
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)

and I create the key using

    let access = try SecAccessControlCreateWithFlags(
      kCFAllocatorDefault,
      // Since the app is using the key in the app background status (for example during
      // BLE communication), we need a less strict access level.
      kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
      .privateKeyUsage,
      nil).unwrap()
    let tag = try Constants.privateKeyName.data(using: .utf8).unwrap()
    let attributes: [String: Any] = [
      kSecAttrKeyType as String: kSecAttrKeyTypeEC,
      kSecAttrKeySizeInBits as String: 256,
      kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
      kSecPrivateKeyAttrs as String: [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: tag,
        kSecAttrAccessControl as String: access
      ]
    ]
    var error: Unmanaged<CFError>?
    guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
      let err = try error.unwrap()
      throw err.takeRetainedValue() as Error
    }

The code compiles as expected and runs normally in the foreground and background when the iPhone is NOT locked, as mentioned.

Based on my research, the issue could be due to kSecAttrAccessControl, but I clearly set it to kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly and the iPhone I test with is unlocked before I run the test case. It looks like an OS bug to me, but I might be missing something here.

The test device is an iPhone XS MAX.

I would appreciate any help. Thanks!
Post not yet marked as solved
5 Replies
1.5k Views
I’m trying to implement web credentials sharing on macOS 11.0. According to the documentation:

1) added the associated domain file to the website and now it’s available at location https://my.website/.well-known/apple-app-site-association (my.website is just an example here)
2) added the Associated Domains entitlement to my macOS app with value webcredentials:my.website

Problems:

when using the SecAddSharedWebCredential func I get a callback error:

    Error Domain=NSOSStatusErrorDomain Code=-4 "SecAddSharedWebCredentialSync not supported on this platform" (kCFMessagePortTransportError / kCSIdentityDeletedErr / unimpErr:  /  / unimplemented core routine) UserInfo={numberOfErrorsDeep=0, NSDescription=SecAddSharedWebCredentialSync not supported on this platform})

when using the SecRequestSharedWebCredential func I get a console error and a callback error (the same for ASAuthorizationController with an ASAuthorizationPasswordRequest request):

    Authorization failed: Error Domain=AKAuthenticationError Code=-7089
    Error Domain=com.apple.AuthenticationServices.AuthorizationError Code=1000

What am I doing wrong?
Post not yet marked as solved
5 Replies
1k Views
Hi,

Our PC/SC IFD Handler plugin, loaded and running inside of the com.apple.ifdhandler system process, stops working on Big Sur because the TCC engine denies com.apple.ifdhandler access to Bluetooth. Our IFD Handler communicates via BLE with the SmartCardReader.

Here are the relevant messages from the log:

    AUTHREQATTRIBUTION: msgID=4121.1, attribution={responsible={identifier=com.apple.ifdreader, pid=4115, auid=0, euid=0, responsiblepath=/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader, binarypath=/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader}, requesting={identifier=com.apple.ifdbundle, pid=4121, auid=0, euid=0, binarypath=/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/XPCServices/com.apple.ifdbundle.xpc/Contents/MacOS/com.apple.ifdbundle}, },
    standard 15:21:59.836608+0100 tccd AUTHREQSUBJECT: msgID=4121.1, subject=com.apple.ifdreader,
    15:21:59.836956+0100 tccd Refusing TCCAccessRequest for service kTCCServiceBluetoothAlways from client Sub:{com.apple.ifdreader}Resp:{identifier=com.apple.ifdreader, pid=4115, auid=0, euid=0, responsiblepath=/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader, binary_path=/System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader} in background session

We tried to add the com.apple.security.device.bluetooth entitlement to our plugin and we also added NSBluetoothAlwaysUsageDescription and NSBluetoothPeripheralUsageDescription to its Info.plist file, but nothing works.

Does anyone know how to allow a platform binary to access Bluetooth? If not, all plugins that run inside of a platform process will not be able to access Bluetooth.
Post not yet marked as solved
1 Replies
503 Views
Hi,

I have code that has been in production for over a year with no issues, encrypting a string and checking the OSStatus as follows.

    let blockSize = SecKeyGetBlockSize(publickeysi!)
    var messageEncrypted = [UInt8](repeating: 0, count: blockSize)
    var messageEncryptedSize = blockSize
    let status: OSStatus = SecKeyEncrypt(publickeysi!, SecPadding.PKCS1, impressionString!, impressionString!.count, &messageEncrypted, &messageEncryptedSize)
    if status != noErr {
        print("Encryption Error!")  // iPhone12 gets here
    }

The issue is that the latest devices seem to be returning status = noErr, whilst all previous devices have been fine. An iPhone 12 and Pro reliably return error, whilst iPhone 8, 8 Plus, XR all succeed with no error.

The output of method is still functional despite noErr, but it would be good to understand what may cause this inconsistent behaviour across devices.

Thanks
Post not yet marked as solved
11 Replies
7.1k Views
Hey devs,

I have a really weird issue and at this point I cannot determine whether it is a Big Sur 11.1 or M1 issue or just some macOS settings issue.

Short description

Programmatically (from node, electron) I'd like to store an x509 cert to keychain. I got the following error message:

    SecTrustSettingsSetTrustSettings: The authorization was denied since no user interaction was possible. (1)

I could reproduce this issue on:

- a brand new mac mini with M1 chip and Big Sur 11.1
- another brand new mac mini with M1 chip and Big Sur 11.1
- a 2018 MacBook pro with Intel chip and Big Sur 11.1

I couldn't reproduce this issue on:

- 2020 MacBook pro with intel i9 chip and Big Sur 11.1
- 2020 MacBook pro with intel i9 chip and Big Sur 11.0

How am I trying to store the cert

    node test.js

test.js

    const { exec } = require('child_process')

    exec(
        `osascript -e 'do shell script "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/kotapeter/ssl/testsite.local.crt" with prompt "Test APP wants to store SSL certification to keychain." with administrator privileges'`,
        (error, stdout, stderr) => {
            if (error) {
                console.log(error.stack)
                console.log(`Error code: ${error.code}`)
                console.log(`Signal received: ${error.signal}`)
            }
            console.log(`STDOUT: ${stdout}`)
            console.log(`STDERR: ${stderr}`)
            process.exit(1)
        }
    )

testsite.local.crt:

testsite.local.key:

What I've already found

If I run the following command from terminal, it asks for my password first in terminal and after that it asks for my password again in the OS password prompt.

    sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /Users/kotapeter/ssl/testsite.local.crt

It looks like I'm getting the above error message because osascript hides the second password dialog. The cert always gets stored in keychain, but when I get the error message the cert "Trust" value is not "Always Trust".

References

- StackOverflow question: https://stackoverflow.com/questions/65699160/electron-import-x509-cert-to-local-keychain-macos-the-authorization-was-deni
- opened issue on sudo-prompt electron package: https://github.com/jorangreef/sudo-prompt/issues/137