Creating a new keychain for a macOS app

I need to create a new keychain for my macOS app. Currently there is a function SecKeychainCreate in the Apple documentation, but this function will be deprecated in macOS 12.0. Is there another way to create a keychain using Swift (without using terminal commands)? Or will macOS provide a new function for this in an update? Does anybody know?

Replies

Is there another way to create keychain using Swift …?

No.

To understand what’s going on here you need to understand that macOS supports two different keychain implementations:

  • The original file-based keychain

  • The iOS-style data protection keychain

While the file-based keychain is not officially deprecated, we definitely recommend that you favour the data protection keychain because many new features are only available there (for example, integration with the Secure Enclave).

One tricky aspect of this is that the SecItem API supports both keychain implementations [1] so we can’t just deprecate that API. However, we can deprecate the routines that only work with the file-based keychain, and that’s what we’ve done with SecKeychainCreate.

So, the question is “Why are you using SecKeychainCreate?”, because the answer to that will inform your next move.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Based on whether you pass in the kSecUseDataProtectionKeychain (or the older kSecAttrSynchronizable) attribute.

Thanks for the response.

kSecUseDataProtectionKeychain is only available on macOS 10.15+. I plan to implement this in lower versions too.

What I really need is a separate keychain which is accessible to my app only (unlocked by the password provided while creating the keychain). Suppose I create a keychain with the security command, am I able to use that keychain with the Keychain API?

I don't want to store in the login keychain as it is not accessible to all users. I need a keychain which can be accessed by all users, like the System keychain. Can I create a keychain in /Library/Keychains? Help if this is possible.

I plan to implement this in lower versions too.

You can use kSecAttrSynchronizable to access the data protection keychain all the way back to macOS 10.9, albeit with some caveats. I’m happy to dig into that if necessary, but…

Suppose I create a keychain with the security command, am I able to use that keychain with the Keychain API?

I presume you’re referring to the create-keychain subcommand here. If so, that’ll create a keychain file. To access this you must either add that keychain to your keychain search list or use one of the deprecated file-based keychain APIs to open the keychain so that you can target it using kSecMatchSearchList.

I need a keychain which can be accessed by all users

Please clarify this requirement. Is this keychain going to be accessed by a single process, like a daemon, that all users can use via IPC? Or do you expect all users to be able to access the keychain directly via keychain APIs?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
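As an added example (not code from this thread, nor Apple's), here is what the SecItem route described above looks like in Swift: the item is routed to the data protection keychain with kSecUseDataProtectionKeychain on macOS 10.15 and later, and with kSecAttrSynchronizable on earlier systems. It assumes the app is code signed (the data protection keychain partitions items by access group) and the service/account names are hypothetical.

```swift
import Foundation
import Security
enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
    case notFound
}

// Attribute that routes a SecItem call to the data protection keychain:
// kSecUseDataProtectionKeychain on 10.15+, kSecAttrSynchronizable before that.
private func dataProtectionSelector() -> [CFString: Any] {
    if #available(macOS 10.15, *) {
        return [kSecUseDataProtectionKeychain: true]
    }
    // Caveat of the fallback: synchronizable items may sync through iCloud
    // Keychain if enabled, and cannot use a "ThisDeviceOnly" accessibility class.
    return [kSecAttrSynchronizable: true]
}

// Query identifying one generic-password item (service/account are hypothetical).
private func baseQuery(service: String, account: String) -> [CFString: Any] {
    var query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
    ]
    query.merge(dataProtectionSelector()) { _, new in new }
    return query
}

func storeSecret(_ secret: Data, service: String, account: String) throws {
    // Remove any stale copy first so SecItemAdd cannot fail with errSecDuplicateItem.
    _ = SecItemDelete(baseQuery(service: service, account: account) as CFDictionary)
    var attrs = baseQuery(service: service, account: account)
    attrs[kSecValueData] = secret
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

func readSecret(service: String, account: String) throws -> Data {
    var query = baseQuery(service: service, account: account)
    query[kSecReturnData] = true
    query[kSecMatchLimit] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status != errSecItemNotFound else { throw KeychainError.notFound }
    guard status == errSecSuccess, let data = result as? Data else {
        throw KeychainError.unexpectedStatus(status)
    }
    return data
}
```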

I need a keychain which can be accessed by all users

What I meant is, items added in my keychain should be accessible from any user. If I add items in the login keychain this is not possible, right?

I finally decided to go with the security command line tool.

Thanks for the response.

What I meant is, items added in my keychain should be accessible from any user. If I add items in the login keychain this is not possible, right?

Correct.

Read-only accessible? Or read-write accessible?

I finally decided to go with the security command line tool.

I wouldn’t recommend that over the deprecated SecKeychainCreate API; they both rest on the same underlying foundation.

Can you walk me through how this is going to work in practice? The keychain is all about protecting secrets. Where does this secret come from? Who gets the secret and puts it into the keychain? Who reads the secret? And for what purpose?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • If it is not recommended to use the CLI tool for generating a custom keychain, what else can be done? The SecItem API does not allow creating custom keychains; is there another non-deprecated way of creating a custom keychain?

My reason for using SecKeychainCreate/Delete is for testing purposes: I want to test my keychain code without affecting my actual keychain, so I create a temporary one for the duration of the test.

  • Did you find any solutions for this without the use of the CLI tool or using the deprecated SecKeychain API?

Did you find a solution to this by any chance without the need to use the CLI tool?