I have an app distributed outside the AppStore for two years that creates a key pair in the secure enclave, which doesn't work in macOS Monterey 12.0 beta 6 for both Intel and M1.
I've created a sample app that works on Intel Big Sur.
import Foundation
import Security

/// Generates a permanent P-256 key pair inside the Secure Enclave.
/// Returns true on success; prints the CFError and returns false otherwise.
func createSecureEnclaveKeyPair() -> Bool {
    // The private key is only usable while the device is unlocked and never
    // leaves this device (required for Secure Enclave keys).
    let access =
        SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                                        .privateKeyUsage,
                                        nil)! // Ignore error
    let tag = "com.mycompany.MyApp".data(using: .utf8)!
    let handle = "myKey"
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecAttrLabel as String: handle,
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: tag,
        kSecPrivateKeyAttrs as String: [
            kSecAttrAccessControl as String: access
        ]
    ]
    var error: Unmanaged<CFError>?
    // The key is stored in the keychain (kSecAttrIsPermanent), so the returned
    // reference itself is not needed here.
    if SecKeyCreateRandomKey(attributes as CFDictionary, &error) != nil {
        return true
    } else {
        let err = error!.takeRetainedValue() as Error
        print("\(err.localizedDescription)")
        return false
    }
}
Error is:
The operation couldn’t be completed. (OSStatus error -25300 - failed to generate asymmetric keypair)
Code is based on: https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave
MyApp's entitlements:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>XXXXXXXXXXX.com.mycompany.MyApp</string>
<key>com.apple.developer.team-identifier</key>
<string>XXXXXXXXXXX</string>
<key>com.apple.security.app-sandbox</key>
<false/>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>XXXXXXXXXXX.com.mycompany.macos</string>
</array>
</dict>
</plist>
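The following is an added example, not code from the post above or from Apple's sample; it shows the checks a practitioner would add around the same Secure Enclave calls: test whether a Secure Enclave is present at all (CryptoKit's `SecureEnclave.isAvailable`), translate the raw `OSStatus` with `SecCopyErrorMessageString`, reuse an existing key instead of generating a new one on every launch, and prove the key works with an ECDSA sign/verify round trip. The tag `com.example.SecureEnclaveDemo` and the function names are assumptions chosen for the example; the attribute layout follows Apple's documentation linked above, with the permanent/tag/access-control attributes nested under `kSecPrivateKeyAttrs`.

```swift
import CryptoKit
import Foundation
import Security

/// Assumed tag for this example (not the original post's value).
let exampleTag = "com.example.SecureEnclaveDemo".data(using: .utf8)!

/// Turn an OSStatus into the text the Security framework carries for it,
/// e.g. "-25300: The specified item could not be found in the keychain."
func describe(_ status: OSStatus) -> String {
    let message = SecCopyErrorMessageString(status, nil) as String? ?? "unknown"
    return "\(status): \(message)"
}

/// Look up a private key previously stored under `tag`; nil if absent.
func loadKey(tag: Data) -> SecKey? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: tag,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }   // first run: nothing stored yet
    guard status == errSecSuccess else {
        print("SecItemCopyMatching failed: \(describe(status))")
        return nil
    }
    return (item as! SecKey)
}

/// Create a permanent P-256 key pair in the Secure Enclave under `tag`.
func createKey(tag: Data) -> SecKey? {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .privateKeyUsage,
        &error) else {
        print("SecAccessControlCreateWithFlags failed: \(error!.takeRetainedValue())")
        return nil
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: tag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        // CFError from the Security framework; its code is the OSStatus.
        let err = error!.takeRetainedValue()
        print("SecKeyCreateRandomKey failed: \(describe(OSStatus(CFErrorGetCode(err))))")
        return nil
    }
    return key
}

/// Sign `message` with the enclave-resident key and verify with the exported public key.
/// The private key never leaves the enclave; only the signature and public key do.
func signAndVerify(key: SecKey, message: Data) -> Bool {
    let algorithm: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256
    guard SecKeyIsAlgorithmSupported(key, .sign, algorithm) else { return false }
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(key, algorithm, message as CFData, &error) as Data? else {
        print("SecKeyCreateSignature failed: \(error!.takeRetainedValue())")
        return false
    }
    guard let publicKey = SecKeyCopyPublicKey(key) else { return false }
    return SecKeyVerifySignature(publicKey, algorithm, message as CFData, signature as CFData, &error)
}

// Top-level flow: check for hardware first, then load-or-create, then exercise the key.
if !SecureEnclave.isAvailable {
    print("No Secure Enclave on this Mac (e.g. an Intel model without a T2 chip)")
} else if let key = loadKey(tag: exampleTag) ?? createKey(tag: exampleTag) {
    let ok = signAndVerify(key: key, message: Data("hello".utf8))
    print("sign/verify round trip: \(ok)")
}
```

Build this into a signed app with the same entitlements as the post's app rather than running it as an ad-hoc script, since Secure Enclave keychain items are tied to the signing identity. The `describe` helper is the quickest way to see what an `OSStatus` such as -25300 actually means, which is more informative than the generic "failed to generate asymmetric keypair" text.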