Generating key pair in System Keychain

In our macOS Application I am trying to generate a keypair in the system keychain using SecKeyCreatePair for legacy reasons, but keep receiving an error -61 (Write permission error). What is the best approach to making this work, or is this simply not possible (anymore)? The End User running this Application is typically an Admin and we would normally use SFAuthorization to grab sudo for this type of issue. This is not possible using Apple Security Framework functions as far as I can see, not even the latest function SecKeyCreateRandomKey.

Answers

Only code running as root can modify the System keychain. AFAIK this isn’t a new development; it’s always been that way. You will need to escalate privileges to make this work.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Is there a way to do this programmatically? SecKeyCreateRandomKey or SecKeyCreatePair do not accept an Authorization object, and running the entire application as sudo is not an option.

Is there a way to do this programmatically?

Without user interaction? No, that would be a clear violation of platform security policies.

running the entire application as sudo is not an option

Indeed. The traditional approach is to isolate the code in question into a privileged helper tool and run that as a launchd daemon. The EvenBetterAuthorizationSample sample code shows one way to approach this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
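As an added illustration of the behaviour described in this thread (not code from the thread or from Apple's sample), the following Swift function tries to create a permanent RSA key pair in the System keychain and surfaces the errSecWrPerm (-61) result so the caller can hand the job to a root-running helper instead of retrying in the GUI process. The label and keychain path are assumptions for the example.

```swift
import Foundation
import Security

/// Outcome of a key-pair creation attempt against the System keychain.
enum SystemKeychainKeyResult {
    case created(SecKey)
    case needsPrivilegedHelper   // errSecWrPerm (-61): caller is not root
    case failed(NSError)
}

/// Attempts to create a 2048-bit RSA key pair stored in the System keychain.
/// Only a process running as root (e.g. a launchd daemon) can succeed here;
/// a normal GUI process, even one run by an admin user, gets errSecWrPerm.
func createKeyPairInSystemKeychain(label: String) -> SystemKeychainKeyResult {
    // Cheap pre-check: without euid 0 the write is guaranteed to fail, so
    // route straight to the privileged helper rather than touching the keychain.
    if geteuid() != 0 {
        return .needsPrivilegedHelper
    }

    var keychain: SecKeychain?
    let path = "/Library/Keychains/System.keychain"   // assumed standard location
    let openStatus = SecKeychainOpen(path, &keychain)
    guard openStatus == errSecSuccess, let systemKeychain = keychain else {
        return .failed(NSError(domain: NSOSStatusErrorDomain, code: Int(openStatus)))
    }

    // kSecUseKeychain directs SecKeyCreateRandomKey at a specific keychain;
    // kSecAttrIsPermanent makes both halves of the pair persist there.
    let attributes: [CFString: Any] = [
        kSecAttrKeyType: kSecAttrKeyTypeRSA,
        kSecAttrKeySizeInBits: 2048,
        kSecAttrLabel: label,
        kSecUseKeychain: systemKeychain,
        kSecPrivateKeyAttrs: [kSecAttrIsPermanent: true] as CFDictionary,
        kSecPublicKeyAttrs: [kSecAttrIsPermanent: true] as CFDictionary,
    ]

    var cfError: Unmanaged<CFError>?
    guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
        let err = (cfError?.takeRetainedValue() as Error?) as NSError?
            ?? NSError(domain: NSOSStatusErrorDomain, code: Int(errSecInternalError))
        // -61 here means the keychain refused the write for lack of privilege.
        if err.code == Int(errSecWrPerm) {
            return .needsPrivilegedHelper
        }
        return .failed(err)
    }
    return .created(privateKey)
}
```

In the split design Quinn describes, the `.needsPrivilegedHelper` branch is where the GUI app would send an XPC request to the launchd daemon that owns the System keychain write.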


Without user interaction? No, that would be a clear violation of platform security policies.

Of course not without user interaction. Ours is a runtime application so implementing a launchd daemon was not viable last we explored this. We use the SFAuthorization API to escalate privileges where required. The SFAuthorization class gives us an Authorization object that we can pass with other functions. Is there a way we can utilize this Authorization object with the keypair creation?

Ours is a runtime application so implementing a launchd daemon was not viable last we explored this.

I don’t know what “runtime application” means. Please elaborate.

Is there a way we can utilize this Authorization object with the keypair creation?

No.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I mean it's a one-time run application without an installer. But yeah, we investigated setting up the launchd service and found that it would not work with the setup we have.

I mean it's a one-time run application without an installer.

So, a GUI app that the user starts by double clicking the icon in the Finder?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

No, it's packaged in a .dmg that the user downloads from the browser every time it needs to be run.

So after downloading the disk image what does the user do?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"