iOS mTLS Client Certificate Authentication Fails in TestFlight with Error -25303 Problem I'm building an iOS app that uses mTLS (client certificates received from server at runtime). Storing SecCertificate to keychain fails with error -25303 in both development and TestFlight builds, preventing SecIdentity creation needed for URLSession authentication. Environment: iOS 18.2, iPad Pro, TestFlight internal testing, keychain-access-groups properly configured Diagnostic Results Testing keychain operations shows an interesting pattern: ✅ Generic Password - Works: let addQuery: [CFString: Any] = [ kSecClass: kSecClassGenericPassword, kSecAttrAccount: "test", kSecValueData: "password".data(using: .utf8)! ] SecItemAdd(addQuery as CFDictionary, nil) // Returns: 0 (success) ✅ SecKey - Works: let addKeyQuery: [CFString: Any] = [ kSecClass: kSecClassKey, kSecValueRef: privateKey, kSecAttrApplicationTag: tag ] SecItemAdd(addKeyQuery as CFDictionary, nil) // Returns: 0 (success) ❌ SecCertificate - Fails: let addCertQuery: [CFString: Any] = [ kSecClass: kSecClassCertificate, kSecValueRef: certificate, // Created from server-provided PEM kSecAttrApplicationTag: tag ] SecItemAdd(addCertQuery as CFDictionary, nil) // Returns: -25303 Code Context Attempting to create SecIdentity for mTLS: private func createIdentity(fromCert certPEM: String, key keyPEM: String) throws -> SecIdentity { // 1. Parse PEM to DER and create SecCertificate - succeeds guard let certData = extractPEMData(from: certPEM, type: "CERTIFICATE"), let certificate = SecCertificateCreateWithData(nil, certData as CFData) else { throw CertificateError.invalidCertificate } // 2. Parse PEM key and create SecKey - succeeds guard let keyData = extractPEMData(from: keyPEM, type: "PRIVATE KEY"), let privateKey = SecKeyCreateWithData(keyData as CFData, attrs as CFDictionary, &error) else { throw CertificateError.invalidKey } // 3. Add key to keychain - SUCCEEDS (errSecSuccess) let tempTag = UUID().uuidString.data(using: .utf8)! SecItemAdd([ kSecClass: kSecClassKey, kSecValueRef: privateKey, kSecAttrApplicationTag: tempTag ] as CFDictionary, nil) // ✅ Works // 4. Add certificate to keychain - FAILS (-25303) let status = SecItemAdd([ kSecClass: kSecClassCertificate, kSecValueRef: certificate, kSecAttrApplicationTag: tempTag ] as CFDictionary, nil) // ❌ Fails with -25303 guard status == errSecSuccess else { throw CertificateError.keychainError(status) } // 5. Would query for SecIdentity (never reached) // ... } Network Behavior When mTLS fails, console shows: Connection: asked for TLS Client Certificates Connection: received response for client certificates (-1 elements) Connection: providing TLS Client Identity (-1 elements) Task received response, status 403 The -1 elements indicates no certificates were provided. Entitlements <key>keychain-access-groups</key> <array> <string>$(AppIdentifierPrefix)com.ellin.tshios</string> </array> Keychain Sharing capability is enabled. What I've Tried Both kSecValueRef and kSecValueData approaches - same error Various kSecAttrAccessible values - same error Different keychain access groups - same error TestFlight build (vs dev build) - same error PKCS#12 creation - requires complex ASN.1/DER encoding, no iOS API Questions Is error -25303 expected when adding SecCertificate in development/TestFlight builds? Will App Store distribution resolve this? Or is there a fundamental limitation? Why does SecKey succeed but SecCertificate fails with identical entitlements? Is there an alternative to create SecIdentity without keychain access? Constraints Certificates come from server at runtime (cannot bundle) Need SecIdentity for URLSession client certificate authentication Server provides PEM format certificates Tested on: Simulator (dev), iPad Pro (dev), iPad Pro (TestFlight) - all fail Any insights appreciated - specifically whether this is a provisioning profile limitation that App Store distribution would resolve.

Hi, After enabling the new Enhanced Security capability in Xcode 26, I’m seeing install failures on devices running < iOS 26. Deployment target: iOS 15.0 Capability: Enhanced Security (added via Signing & Capabilities tab) Building to iOS 18 device error - Unable to Install ...Please ensure sure that your app is signed by a valid provisioning profile. It works fine on iOS 26 devices. I’d like to confirm Apple’s intent here: Is this capability formally supported only on iOS 26 and later, and therefore incompatible with earlier OS versions? Or should older systems ignore the entitlement, meaning this behavior might be a bug?

(Xcode 26.2, iPhone 17 Pro) I can't seem to get hardware tag checks to work in an app launched without the special "Hardware Memory Tagging" diagnostics. In other words, I have been unable to reproduce the crash example at 6:40 in Apple's video "Secure your app with Memory Integrity Enforcement". When I write a heap overflow or a UAF, it is picked up perfectly provided I enable the "Hardware Memory Tagging" feature under Scheme Diagnostics. If I instead add the Enhanced Security capability with the memory-tagging related entitlements: I'm seeing distinct memory tags being assigned in pointers returned by malloc (without the capability, this is not the case) Tag mismatches are not being caught or enforced, regardless of soft mode The behaviour is the same whether I launch from Xcode without "Hardware Memory Tagging", or if I launch the app by tapping it on launchpad. In case it was related to debug builds, I also tried creating an ad hoc IPA and it didn't make any difference. I realise there's a wrinkle here that the debugger sets MallocTagAll=1, so possibly it will pick up a wider range of issues. However I would have expected that a straight UAF would be caught. For example, this test code demonstrates that tagging is active but it doesn't crash: #define PTR_TAG(p) ((unsigned)(((uintptr_t)(p) >> 56) & 0xF)) void *p1 = malloc(32); void *p2 = malloc(32); void *p3 = malloc(32); os_log(OS_LOG_DEFAULT, "p1 = %p (tag: %u)\n", p1, PTR_TAG(p1)); os_log(OS_LOG_DEFAULT, "p2 = %p (tag: %u)\n", p2, PTR_TAG(p2)); os_log(OS_LOG_DEFAULT, "p3 = %p (tag: %u)\n", p3, PTR_TAG(p3)); free(p2); void *p2_realloc = malloc(32); os_log(OS_LOG_DEFAULT, "p2 after free+malloc = %p (tag: %u)\n", p2_realloc, PTR_TAG(p2_realloc)); // Is p2_realloc the same address as p2 but different tag? os_log(OS_LOG_DEFAULT, "Same address? %s\n", ((uintptr_t)p2 & 0x00FFFFFFFFFFFFFF) == ((uintptr_t)p2_realloc & 0x00FFFFFFFFFFFFFF) ? "YES" : "NO"); // Now try to use the OLD pointer p2 os_log(OS_LOG_DEFAULT, "Attempting use-after-free via old pointer p2...\n"); volatile char c = *(volatile char *)p2; // Should this crash? os_log(OS_LOG_DEFAULT, "Read succeeded! Value: %d\n", c); Example output: p1 = 0xf00000b71019660 (tag: 15) p2 = 0x200000b711958c0 (tag: 2) p3 = 0x300000b711958e0 (tag: 3) p2 after free+malloc = 0x700000b71019680 (tag: 7) Same address? NO Attempting use-after-free via old pointer p2... Read succeeded! Value: -55 For reference, these are my entitlements. [Dict] [Key] application-identifier [Value] [String] … [Key] com.apple.developer.team-identifier [Value] [String] … [Key] com.apple.security.hardened-process [Value] [Bool] true [Key] com.apple.security.hardened-process.checked-allocations [Value] [Bool] true [Key] com.apple.security.hardened-process.checked-allocations.enable-pure-data [Value] [Bool] true [Key] com.apple.security.hardened-process.dyld-ro [Value] [Bool] true [Key] com.apple.security.hardened-process.enhanced-security-version [Value] [Int] 1 [Key] com.apple.security.hardened-process.hardened-heap [Value] [Bool] true [Key] com.apple.security.hardened-process.platform-restrictions [Value] [Int] 2 [Key] get-task-allow [Value] [Bool] true What do I need to do to make Memory Integrity Enforcement do something outside the debugger?

Our Goal: We are implementing a workflow for derived credentials. Our objective is to have a PIV/CAC derived credential (from Entrust), installed via the Intune MDM Company Portal app, and then use it within our (managed) app to generate digital signatures. Challenge: The Intune Company Portal installs these identities into the System Keychain. Because third-party apps are restricted from accessing private keys in the System Keychain, we are running into a roadblock. Our Question: 1) Is there an API that allows us to create a signature without us having to pass the private key itself, but instead just pass a handle/some reference to the private key and then the API can access the private key in the system keychain and create the signature under the hood. SecKeyCreateSignature is the API method that creates a signature but requires passing a private key. 2) If #1 is not feasible, is there a way to get access to system keychain to retrieve certs + private key for managed apps

Hi, I’m seeing a production issue on iOS 26+ that only affects some users. symptoms: It does NOT happen for all users. It happens for a subset of users on iOS 26+. If we write a value to Keychain and read it immediately in the same session, it succeeds. However, after terminating the app and relaunching, the value appears to be gone: SecItemCopyMatching returns errSecItemNotFound (-25300). Repro (as observed on affected devices): Launch app (iOS 26+). Save PIN data to Keychain using SecItemAdd (GenericPassword). Immediately read it using SecItemCopyMatching -> success. Terminate the app (swipe up / kill). Relaunch the app and read again using the same service -> returns -25300. Expected: The Keychain item should persist across app relaunch and remain readable (while the device is unlocked). Actual: After app relaunch, SecItemCopyMatching returns errSecItemNotFound (-25300) as if the item does not exist. Implementation details (ObjC): We store a “PIN” item like this (simplified): addItem: kSecClass: kSecClassGenericPassword kSecAttrService: <FIXED_STRING> kSecValueData: kSecAttrAccessControl: SecAccessControlCreateWithFlags(..., kSecAttrAccessibleWhenUnlockedThisDeviceOnly, 0, ...) readItem (SecItemCopyMatching): kSecClass: kSecClassGenericPassword kSecAttrService: <FIXED_STRING> kSecReturnData: YES (uses kSecUseOperationPrompt in our async method) Question: On iOS 26+, is there any known issue or new behavior where a successfully added GenericPassword item could later return errSecItemNotFound after app termination/relaunch for only some users/devices? What should we check to distinguish: OS behavior change/bug vs. entitlement/access-group differences (app vs extension, provisioning/team changes), device state/policies (MDM, passcode/biometrics changes), query attributes we should include to make the item stable across relaunch? Build / Dev Environment: macOS: 15.6.1 (24G90) Xcode: 26.2

I'm trying to authenticate to a git host using SSH keys stored in 1Password. I have ~/.ssh/config with mode 600 set with a symlink: Host * IdentityAgent "~/.1password/agent.sock" But ssh-add -l shows no identities. If I set $SSH_AUTH_SOCK, ssh-add -l works just fine. I'd love to not have to do this, though. Why doesn't ssh-add seem to read ~/.ssh/config? The built-in version is OpenSSH_10.0p2, LibreSSL 3.3.6. I've searched fruitlessly for an answer anywhere else.

Apple has repeatedly ignored my reports about a critical privacy issue in Spotlight on macOS 26, and the problem persists in version 26.3 RC. This is not a minor glitch, it is a fundamental breach of user trust and privacy. Several aspects of Spotlight fail to respect user settings: • Hidden apps still exposed: In the Apps section (Cmd+1), Spotlight continues to display apps marked with the hidden flag, even though they should remain invisible. • Clipboard reactivation: The clipboard feature repeatedly turns itself back on after logout or restart, despite being explicitly disabled by the user. • Excluded files revealed: Most concerning, Spotlight exposes files in Suggestions and Recents (Cmd+3) even when those files are explicitly excluded under System Settings > Spotlight > Search Privacy. This behavior directly violates user expectations and system settings. It is not only a major privacy issue but also a security risk, since sensitive files can be surfaced without consent. Apple must address this immediately. Users rely on Spotlight to respect their privacy configurations, and the current behavior undermines both trust and security.

App is repeatedly rejected under Guideline 2.5.1 for referencing the private API:_SecCertificateIsValid Reported custom framework CommonLibrary.framework. The SDK is written in Objective-C and uses only public Security APIs. It does not use any deprecated APIs. We have verified the framework binary using nm, otool, and strings, and _SecCertificateIsValid does not appear in exported or hidden symbols. Bitcode is disabled, dead-code stripping is enabled, and the Release build uses -Os. Despite this, App Store Connect continues to detect _SecCertificateIsValid. We have attached herewith screenshots of our analysis for the reference. Can Apple’s server-side analysis or Security.framework internals still surface _SecCertificateIsValid? Is there a recommended way for SDK authors to prevent this symbol from being flagged?

We are trying to implement a custom encryption scheme for our Core ML models. Our goal is to bundle encrypted models, decrypt them into memory at runtime, and instantiate the MLModel without the unencrypted model file ever touching the disk. We have looked into the native apple encryption described here https://developer.apple.com/documentation/coreml/encrypting-a-model-in-your-app but it has limitations like not working on intel macs, without SIP, and doesn’t work loading from dylib. It seems like most of the Core ML APIs require a file path, there is MLModelAsset APIs but I think they just write a modelc back to disk when compiling but can’t find any information confirming that (also concerned that this seems to be an older API, and means we need to compile at runtime). I am aware that the native encryption will be much more secure but would like not to have the models in readable text on disk. Does anyone know if this is possible or any alternatives to try to obfuscate the Core ML models, thanks

Hello there, We’re currently integrating Apple Wallet pass functionality into our application and am looking for clarification around the automatic update flow. Particularly regarding secure management of the authenticationToken. We’ve reviewed the documentation here: Adding a Web Service to Update Passes authenticationToken Documentation From our understanding: When a user downloads a pass from our service, the .pkpass includes both a webServiceURL and an authenticationToken. Once the pass is added to Wallet, the Wallet app makes authenticated requests to our webServiceURL, using the token in the Authorization header. We then validate this token server-side to serve updates or handle device registration. So far, this flow is clear. However, we’re looking for clarification on two key scenarios: If a user adds the same pass twice on the same device, should the authenticationToken remain the same in both cases? If the same user adds the same pass on a different device, should the authenticationToken also remain consistent across devices? If the answer to both is “yes,” we assume that our backend must store the original authenticationToken in a retrievable form (not just as a hash) to regenerate the same pass for re-download or multi-device sync. Our main question is: What is Apple’s recommended or acceptable approach to storing authenticationToken values securely on the backend? Should these tokens be: Stored in plaintext (e.g. in a protected DB field)? Encrypted using a symmetric key? Hashed (not reversible, but limits reuse)? We want to ensure we align with Apple’s best practices for Wallet security and token management, especially in contexts where the same pass may be installed on multiple devices or reissued later.

As part of iOS 26, we get X25519MLKEM768 key exchange group support, but SecP256r1MLKEM768 and SecP384r1MLKEM1024 are not supported. Is there any way to enable these key exchange groups on iOS 26? We need them for WKWebView and NSURLSession. STEPS TO REPRODUCE On iOS 26, connect to the PQC server using Safari. The key exchange group is limited to X25519MLKEM768.

I've signed an app, zipped it, and uploaded it to github. When I download it on another Mac, I get "it can't be opened because it could not be verified for malware". But on that computer, I can verify it with codesign, and it appears to be correct (as far as I can tell). I can copy/paste the app from my other Mac, and that copy will run without problem. sys_policy, however, gives: Notary Ticket Missing File: ReView.app Severity: Fatal Full Error: A Notarization ticket is not stapled to this application. Type: Distribution Error This is the same for the copy that runs, and the copy that doesn't. The difference between them appears to be a quarantine xattr. I can delete this, and the app launches without incident. Is this expected? Why should a signed app be quarantined just because it's been downloaded? The whole point of paying the fee is to avoid the security obstacles...! ;-)

I am developing a remote support tool for macOS. While we have successfully implemented a Privileged Helper Tool and LaunchDaemon architecture that works within an active Aqua session, we have observed a total failure to capture the screen buffer or receive input at the macOS Login Window. Our observation of competitor software (AnyDesk, TeamViewer) shows they maintain graphical continuity through logout/restart. We are seeking the official architectural path to replicate this system-level access. Current Technical Implementation Architecture: A root-level LaunchDaemon manages the persistent network connection. A PrivilegedHelperTool (installed in /Library/PrivilegedHelperTools/) is used for elevated tasks. Environment: Tested on macOS 14.x (Sonoma) and macOS 15.x (Sequoia) on Apple Silicon. Capture Methods: We have implemented ScreenCaptureKit (SCK) as the primary engine and CGDisplayCreateImage as a fallback. Binary Status: All components are signed with a Developer ID and have been successfully Notarized. Observed Behavior & Blockers The "Aqua" Success: Within a logged-in user session, our CGI correctly identifies Display IDs and initializes the capture stream. Remote control is fully functional. The "Pre-Login" Failure: When the Mac is at the Login Window (no user logged in), the following occurs: The Daemon remains active, but the screen capture buffer returns NULL or an empty frame. ScreenCaptureKit fails to initialize, citing a lack of graphical context. No TCC (Transparency, Consent, and Control) prompt can appear because no user session exists. The "Bootstrap" Observation: We have identified that the loginwindow process exists in a restricted Mach bootstrap namespace that our Daemon (running in the System domain) cannot natively bridge. Comparative Analysis (Competitor Benchmarking) We have analyzed established remote desktop solutions like AnyDesk and Jump Desktop to understand their success at the login screen. Our findings suggest: Dual-Context Execution: They appear to use a Global LaunchAgent with LimitLoadToSessionType = ["LoginWindow"]. This allows a child process to run as root inside the login window’s graphical domain. Specialized Entitlements: These apps have migrated to the com.apple.developer.persistent-content-capture entitlement. This restricted capability allows them to bypass the weekly/monthly TCC re-authorization prompts and function in unattended scenarios where a user cannot click "Allow." Questions Entitlement Requirement: Is the persistent-content-capture entitlement the only supported way for a third-party app to capture the LoginWindow buffer without manual user intervention? LaunchAgent Strategy: To gain a graphical context at the login screen, is it recommended to load a specialized agent into the loginwindow domain via launchctl bootstrap loginwindow ...? ScreenCaptureKit vs. Legacy: Does ScreenCaptureKit officially support the LoginWindow session, or does it require an active Aqua session to initialize? MDM Bypass: For Enterprise environments, can a Privacy Preferences Policy Control (PPPC) payload grant "Screen Recording" to a non-entitled Daemon specifically for the login window context?

We are using a java program as an installer for a software suite. This program is bundled inside a signed and notarized Mac app, but it uses the system installed Java (from env). For installing software, it requires the App Management permission (currently under System Settings › Privacy & Security › App Management). Since the program runs via the system provided Java executable, that one is the executable, that needs said permission. In the past, it was possible to add java to said permissions list. With macOS 26.2 it is no longer possible. I think, this change happened with 26.2. It was definitely still working with macOS 15 (I can reproduce it there), and I am confident, that it also still worked under 26.1. In Console.app I can see errors like this one /AppleInternal/Library/BuildRoots/4~CCKzugBjdyGA3WHu9ip90KmiFMk4I5oJfOTbSBk/Library/Caches/com.apple.xbs/Sources/SecurityPref/Extension/Privacy/TCC+PrivacyServicesProvider.swift:227 add(record:to:) No bundle or no bundle ID found for record TCCRecord(identifier: "/opt/homebrew/Cellar/sdkman-cli/5.19.0/libexec/candidates/java/11.0.29-tem/bin/rmic", identifierType: SecurityPrivacyExtension.TCCIdentifierType.path, access: SecurityPrivacyExtension.TCCAccess.full, managed: false, allowStandardUserToSetSystemService: false, subjectIdentityBundleIdentifier: nil, indirectObjectIdentityBundleIdentifier: nil, indirectObjectIdentityFileProviderIdentifier: nil, tccAuthorization: <OS_tcc_authorization_record: 0xa97d0ba80>) This is reproducible for various different Java installations. I can also not add Java to the other permissions that I tried. Since Java is not installed in a bundled app but instead as a UNIX executable in a bin-folder, the error No bundle or no bundle ID found for record makes sense. I expect this to also affect other use cases where programs are provided as UNIX executables such as Python or C-Compilers like g++. While it is possible to bundle an entire JRE inside each app, we intentionally chose not to as this massively increases app size. If this issue is not resolved or a workaround can be found, this is the only option that remains for us. I am however worried that there are other use cases where this is not an option.

Hi everyone, I'm working on an app that stores multiple secrets in the Keychain, each protected with .userPresence. My goal is to authenticate the user once via FaceID/TouchID and then read multiple Keychain items without triggering subsequent prompts. I am reusing the same LAContext instance for these operations, and I have set: context.touchIDAuthenticationAllowableReuseDuration = LATouchIDAuthenticationMaximumAllowableReuseDuration However, I'm observing that every single SecItemCopyMatching call triggers a new FaceID/TouchID prompt, even if they happen within seconds of each other using the exact same context. Here is a simplified flow of what I'm doing: Create a LAContext. Set touchIDAuthenticationAllowableReuseDuration to max. Perform a query (SecItemCopyMatching) for Item A, passing [kSecUseAuthenticationContext: context]. Result: System prompts for FaceID. Success. Immediately perform a query (SecItemCopyMatching) for Item B, passing the same [kSecUseAuthenticationContext: context]. Result: System prompts for FaceID again. My question is: Does the .userPresence access control flag inherently force a new user interaction for every Keychain access, regardless of the LAContext reuse duration? Is allowableReuseDuration only applicable for LAContext.evaluatePolicy calls and not for SecItem queries? If so, is there a recommended pattern for "unlocking" a group of Keychain items with a single biometric prompt? Environment: iOS 17+, Swift. Thanks!

So I'm aware that Apple can designate a folder as a "data vault", and access to that folder is limited to applications that have a specific entitlement. I was wondering if there was an equivalent (or the same, I'm not fussy :) feature available to third parties, even if only during the app-store submission ? To avoid the X-Y problem, what I want to do is have a launch agent with access to a SQLite database, and I want only that launch agent to have access. Any reads of the database will have to be done through an XPC call from the main user-facing application. I want to store private data into that database, and I don't want there to be any way for any other application to read it. If there's a way to do that without data-vaults I'm all ears :) I'm not sure if this is really the right place, perhaps the core-os forum would be better, but since the Apple solution is gate-kept by entitlements, I thought I'd start here :)

Hello, A customer has requested the development of a home assistance app to be published on the App Store. The app will connect to a server running locally at the end user's home, for example on a Raspberry Pi. Users would enter the IP address or hostname of their personal server into the app. A strict requirement is that, for data protection reasons, there must not be any proxy server. The app should only communicate directly with the local server (e.g., Raspberry Pi). We are able to solve technical challenges such as DNS, dynamic IP, and port forwarding, router configuration. However, I'm concerned about Apple's requirement that the endpoint – in this case, the Raspberry Pi at the user's home – must not use self-signed SSL certificates. While it may be technically possible to secure the home server with a certificate provider like Let's Encrypt, it is unrealistic to expect a typical user with no technical training to accomplish this setup independently. Is there a recommended solution to this problem, particularly in the context of IoT devices and apps? Any advice or experiences would be deeply appreciated.

I'm trying to export and re-import a P-256 private key that was originally generated via SecKeyCreateRandomKey(), but I keep running into roadblocks. The key is simply exported via SecItemExport() with format formatWrappedPKCS8, and I did set a password just to be sure. Do note that I must use the file-based keychain, as the data protection keychain requires a restricted entitlement and I'm not going to pay a yearly fee just to securely store some private keys for a personal project. The 7-day limit for unsigned/self-signed binaries isn't feasible either. Here's pretty much everything I could think of trying: Simply using SecItemImport() does import the key, but I cannot set kSecAttrLabel and more importantly: kSecAttrApplicationTag. There just isn't any way to pass these attributes upfront, so it's always imported as Imported Private Key with an empty comment. Keys don't support many attributes to begin with and I need something that's unique to my program but shared across all the relevant key entries, otherwise it's impossible to query for only my program's keys. kSecAttrLabel is already used for something else and is always unique, which really only leaves kSecAttrApplicationTag. I've already accepted that this can be changed via Keychain Access, as this attribute should end up as the entry's comment. At least, that's how it works with SecKeyCreateRandomKey() and SecItemCopyMatching(). I'm trying to get that same behaviour for imports. Running SecItemUpdate() afterwards to set these 2 attributes doesn't work either, as now the kSecAttrApplicationTag is suddenly used for the entry's label instead of the comment. Even setting kSecAttrComment (just to be certain) doesn't change the comment. I think kSecAttrApplicationTag might be a creation-time attribute only, and since SecItemImport() already created a SecKey I will never be able to set this. It likely falls back to updating the label because it needs to target something that is still mutable? Using SecItemImport() with a nil keychain (i.e. create a transient key), then persisting that with SecItemAdd() via kSecValueRef does allow me to set the 2 attributes, but now the ACL is lost. Or more precise: the ACL does seem to exist as any OS prompts do show the label I originally set for the ACL, but in Keychain Access it shows as Allow all applications to access this item. I'm looking to enable Confirm before allowing access and add my own program to the Always allow access by these applications list. Private keys outright being open to all programs is of course not acceptable, and I can indeed access them from other programs without any prompts. Changing the ACL via SecKeychainItemSetAccess() after SecItemAdd() doesn't seem to do anything. It apparently succeeds but nothing changes. I also reopened Keychain Access to make sure it's not a UI "caching" issue. Creating a transient key first, then getting the raw key via SecKeyCopyExternalRepresentation() and passing that to SecItemAdd() via kSecValueData results in The specified attribute does not exist. This error only disappears if I remove almost all of the attributes. I can pass only kSecValueData, kSecClass and kSecAttrApplicationTag, but then I get The specified item already exists in the keychain errors. I found a doc that explains what determines uniqueness, so here are the rest of the attributes I'm using for SecItemAdd(): kSecClass: not mentioned as part of the primary key but still required, otherwise you'll get One or more parameters passed to a function were not valid. kSecAttrLabel: needed for my use case and not part of the primary key either, but as I said this results in The specified attribute does not exist. kSecAttrApplicationLabel: The specified attribute does not exist. As I understand it this should be the SHA1 hash of the public key, passed as Data. Just omitting it would certainly be an option if the other attributes actually worked, but right now I'm passing it to try and construct a truly unique primary key. kSecAttrApplicationTag: The specified item already exists in the keychain. kSecAttrKeySizeInBits: The specified attribute does not exist. kSecAttrEffectiveKeySize: The specified attribute does not exist. kSecAttrKeyClass: The specified attribute does not exist. kSecAttrKeyType: The specified attribute does not exist. It looks like only kSecAttrApplicationTag is accepted, but still ignored for the primary key. Even entering something that is guaranteed to be unique still results in The specified item already exists in the keychain, so I think might actually be targeting literally any key. I decided to create a completely new keychain and import it there (which does succeed), but the key is completely broken. There's no Kind and Usage at the top of Keychain Access and the table view just below it shows symmetric key instead of private. The kSecAttrApplicationTag I'm passing is still being used as the label instead of the comment and there's no ACL. I can't even delete this key because Keychain Access complains that A missing value was detected. It seems like the key doesn't really contain anything unique for its primary key, so it will always match any existing key. Using SecKeyCreateWithData() and then using that key as the kSecValueRef for SecItemAdd() results in A required entitlement isn't present. I also have to add kSecUseDataProtectionKeychain: false to SecItemAdd() (even though that should already be the default) but then I get The specified item is no longer valid. It may have been deleted from the keychain. This occurs even if I decrypt the PKCS8 manually instead of via SecItemImport(), so it's at least not like it's detecting the transient key somehow. No combination of kSecAttrIsPermanent, kSecUseDataProtectionKeychain and kSecUseKeychain on either SecKeyCreateWithData() or SecItemAdd() changes anything. I also tried PKCS12 despite that it always expects an "identity" (key + cert), while I only have (and need) a private key. Exporting as formatPKCS12 and importing it with itemTypeAggregate (or itemTypeUnknown) does import the key, and now it's only missing the kSecAttrApplicationTag as the original label is automatically included in the PKCS12. The outItems parameter contains an empty list though, which sort of makes sense because I'm not importing a full "identity". I can at least target the key by kSecAttrLabel for SecItemUpdate(), but any attempt to update the comment once again changes the label so it's not really any better than before. SecPKCS12Import() doesn't even import anything at all, even though it does return errSecSuccess while also passing kSecImportExportKeychain explicitly. Is there literally no way?

Hi everyone, I’m encountering an unexpected Keychain behavior in a production environment and would like to confirm whether this is expected or if I’m missing something. In my app, I store a deviceId in the Keychain based on the classic KeychainItemWrapper implementation. I extended it by explicitly setting: kSecAttrAccessible = kSecAttrAccessibleAfterFirstUnlock My understanding is that kSecAttrAccessibleAfterFirstUnlock should allow Keychain access while the app is running in the background, as long as the device has been unlocked at least once after reboot. However, after the app went live, I observed that when the app performs background execution (e.g., triggered by background tasks / silent push), Keychain read attempts intermittently fail with: errSecInteractionNotAllowed (-25308) This seems inconsistent with the documented behavior of kSecAttrAccessibleAfterFirstUnlock. Additional context: The issue never occurs in foreground. The issue does not appear on development devices. User devices are not freshly rebooted when this happens. The Keychain item is created successfully; only background reads fail. Setting the accessibility to kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly produces the same result. Questions: Under what circumstances can kSecAttrAccessibleAfterFirstUnlock still cause a -25308 error? Is there any known restriction when accessing Keychain while the app is running in background execution contexts? Could certain system states (Low Power Mode, Background App Refresh conditions, device lock state, etc.) cause Keychain reads to be blocked unexpectedly? Any insights or similar experiences would be greatly appreciated. Thank you!

Hi Team, How do I prevent screenshots using SwiftUI. I was using this solution on UIKit: extension UIView { func makeSecure() { DispatchQueue.main.async { let protectedView = UIView() self.superview?.addSubview(protectedView) // constraints... let secureView = SecureView() self.superview?.addSubview(secureView) // constraints... secureView.addSecureSubview(self) // constraints... } } } class SecureView: UIView { private lazy var secureField: UIView = { var secureField: UIView = UIView() // ... if let secureContainer = SecureField().secureContainer { secureField = secureContainer } ... return secureField }() required init() { ... } } Is it posible to do the same thing using SwiftUI. Do we have an example? What would you recommend when we work with confidencial information in SwiftUI like bank account information? Thanks in advance!