We need to store an encryption key in the Keychain where it will be available to our network extension. This key is needed as soon as possible, so obtaining it from a helper application is not sufficient. We need to create and store it right from the NE.
The problem is that SecItemAdd() returns kPOSIXErrorEPERM when used in a network extension. This is probably because for an NE the default keychain is System.keychain and modifying that could affect the whole system, but we tried all available keychains (SecPreferencesDomain) and none of them is writable by the NE.
The only solution we have found so far is to add the temporary entitlement com.apple.security.temporary-exception.files.absolute-path.read-write with the path /Library/Keychains/, but that will be a blocker for the App Store.
Is there any way to store a key in the Keychain right from the network extension?
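For reference, the call the post describes, written out as an added example (this is not the poster's code): it attempts to add the key as a generic-password item and reports the resulting OSStatus with a human-readable message, so the EPERM failure can be logged from inside the extension. The service and account names are placeholders assumed for this example.

```swift
import Foundation
import Security

/// Attempts to store `key` as a generic-password item in the default keychain
/// and returns the OSStatus from SecItemAdd(). Inside a network extension the
/// post reports this returning kPOSIXErrorEPERM (100001, kPOSIXErrorBase + EPERM).
/// `service` and `account` are placeholder values for this example.
func storeKeyInKeychain(_ key: Data,
                        service: String = "com.example.ne.key",
                        account: String = "tunnel-key") -> OSStatus {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecValueData: key,
    ]
    let status = SecItemAdd(query as CFDictionary, nil)
    if status != errSecSuccess {
        // SecCopyErrorMessageString turns the raw OSStatus into readable text,
        // which is what you want in the extension's log rather than a bare number.
        let message = SecCopyErrorMessageString(status, nil) as String? ?? "unknown error"
        NSLog("SecItemAdd failed with status %d: %@", status, message)
    }
    return status
}

// Example usage: a freshly generated 32-byte key (constructed for this example).
var keyBytes = [UInt8](repeating: 0, count: 32)
_ = SecRandomCopyBytes(kSecRandomDefault, keyBytes.count, &keyBytes)
let result = storeKeyInKeychain(Data(keyBytes))
NSLog("storeKeyInKeychain returned %d", result)
```

Checking the returned status against errSecSuccess and logging the message string is the quickest way to confirm, from within the extension itself, which keychain the failure comes from before experimenting with entitlements.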