Got -25293 (errSecAuthFailed) when accessing keychain item after app is updated

We're developing a Mac app (non-sandboxed) that needs to access an SSL client certificate in the keychain. When the app first launches, there is a prompt to confirm access to the keychain item, with the options: Always Allow, Allow, Deny. Which is fine.


When the user chooses "Always Allow", the next time the user launches the app, the app has the right access to use that certificate. But when our app is updated (our app updates using Sparkle, which simply replaces the .app file on disk and then relaunches the app), the updated app SOMEHOW CAN NOT ACCESS THIS CERTIFICATE, and gets error -25293 (errSecAuthFailed).


Console output:

Dec 10 19:21:55 userMacBook-Pro.local com.apple.SecurityServer[15]: suppressing keychain prompt for invalidly signed client /Applications/My-APP.app(42277)

Dec 10 19:21:55 userMacBook-Pro.local My-APP[42277]: CFNetwork SSLHandshake failed (-25293)

Error Domain=kCFStreamErrorDomainSSL Code=-25293


Then I checked that private key in the keychain; the app's name is still in the access control panel. Finally, I rebooted the system, and the updated app could access this certificate again (without any prompt to confirm access to the keychain item) and everything worked fine. So, how can I keep the app's access to the certificate after an update without rebooting the system? But this bug does not always show up: if the system has just booted (not running for hours), the app can update several times and keep the right to the certificate.


The app is always in the access control list after the user clicks "Always Allow".


PS: if I manually go to the access control list and choose "Allow all applications to access this item", then the app will have the right access. But we cannot let our users do this operation.



After some Google searching, I found a similar issue on sequel-pro:


https://code.google.com/p/sequel-pro/issues/detail?id=1583


Won't save passwords on 10.8 12A269



So, how can I let my app update and keep the right access? I found this issue on several 10.9.x and 10.10.x systems.
