SecItem created with kSecAttrAccessControl is not visible in the keychain

I'm trying to save a password to the keychain using the kSecAttrAccessControl attribute to control access. This is the code I'm running:

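	// Access control: item readable only while the device is unlocked, gated on user presence
	let access = SecAccessControlCreateWithFlags(nil, kSecAttrAccessibleWhenUnlocked, .userPresence, nil)

	let attributes = [kSecClass: kSecClassGenericPassword,
	                  kSecAttrService: forPath,
	                  kSecAttrLabel: "My Password",
	                  kSecAttrAccessControl: access as Any,
	                  kSecValueData: password.data(using: .utf8) as Any] as CFDictionary

	// Keep the OSStatus so a failed add is not silently ignored
	let status = SecItemAdd(attributes, nil)
	print("SecItemAdd status: \(status)")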

The item is being created and I can find it using SecItemCopyMatching but it is not visible in the Keychain Access app.

If I remove kSecAttrAccessControl from the list of attributes, then the created item is visible in Keychain Access.

kSecAttrAccessControl means you’re using the data protection keychain. Keychain Access shows such items in the iCloud keychain (Local Items if you don’t have iCloud Keychain enabled) rather than the standard login keychain. Are you looking for your item there?

ps If you’re unfamiliar with macOS’s many keychain APIs and implementations, see On Mac Keychains.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes I am looking in all keychains - I don't have iCloud Keychain enabled so for me it's Local Items and login

Is this a standard macOS app? Or a Mac Catalyst app? [1]

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] I’m going to presume it’s not an iOS Apps on Mac app (-:

correct, this is a standard macOS application

Thanks for confirming.

At this point I’m out of ideas. IMO kSecAttrAccessControl shouldn’t work at all in this context because you’re not targeting the data protection keychain (there’s no kSecUseDataProtectionKeychain or kSecAttrSynchronizable attribute).

I recommend you open a DTS tech support incident so that I can allocate time to figuring out what’s going on here.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
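
Added example, not part of the thread and not code from any of its participants: the same item written with `kSecUseDataProtectionKeychain`, the attribute the last reply notes is missing, so the target keychain is explicit and the `OSStatus` is checked. The function names, the `KeychainError` type and the `service`/`label` parameters are hypothetical.

```swift
import Foundation
import Security

// Hypothetical error type for this example
enum KeychainError: Error {
    case accessControl(CFError?)
    case unhandled(OSStatus, String)
}

/// Adds a generic password to the data protection keychain, gated on user presence.
func addProtectedPassword(_ password: String, service: String, label: String) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenUnlocked, .userPresence, &cfError) else {
        throw KeychainError.accessControl(cfError?.takeRetainedValue())
    }

    let attributes: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrLabel: label,
        kSecAttrAccessControl: access,
        // Explicitly target the data protection keychain (macOS 10.15+)
        kSecUseDataProtectionKeychain: true,
        kSecValueData: Data(password.utf8),
    ]

    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else {
        // Surface the failure instead of discarding the status
        let message = SecCopyErrorMessageString(status, nil) as String? ?? "unknown"
        throw KeychainError.unhandled(status, message)
    }
}

/// Looks the item up in the data protection keychain, requesting attributes only
/// (not the secret data).
func protectedPasswordExists(service: String) -> Bool {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecUseDataProtectionKeychain: true,
        kSecReturnAttributes: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    return SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess
}
```

This assumes the app is code signed with entitlements that give it a keychain access group; without them, a data protection keychain call is expected to fail with `errSecMissingEntitlement`, which the thrown status makes visible.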
