Since file-backed keychains are being deprecated in favor of the iOS-style / data protection keychains, is there an equivalent to storing device-wide credentials/keys in the System Keychain with this new model?
In my specific use-case, I ideally would want to make use of a signing key pair generated in Secure Enclave throughout all OS users (for device identity attestation purposes). However, based on my limited research, it doesn't look like the Secure Enclave key reference stored in the new keychain would be accessible by other users.
In case it can help, here's the dictionary of attributes that I pass to SecKeyCreateRandomKey when creating that key:
    // Objective-C++ dictionary literal (the original mixed Objective-C and Swift syntax);
    // CF keys are bridged to id so they can be used in an NSDictionary literal.
    NSDictionary *attributes = @{
        (__bridge id)kSecAttrAccessGroup: @"<team identifier>.<bundle identifier>.signingkey",
        (__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeECSECPrimeRandom,
        (__bridge id)kSecAttrTokenID: (__bridge id)kSecAttrTokenIDSecureEnclave,  // key lives in the Secure Enclave
        (__bridge id)kSecAttrKeySizeInBits: @256,
        (__bridge id)kSecAttrLabel: @"CustomAppSigningKey",
        (__bridge id)kSecPrivateKeyAttrs: @{
            (__bridge id)kSecAttrIsPermanent: @YES,  // persist the key reference in the keychain
            // __bridge_transfer hands ownership of the Create'd object to ARC, avoiding a leak
            (__bridge_transfer id)kSecAttrAccessControl:
                (__bridge_transfer id)SecAccessControlCreateWithFlags(
                    kCFAllocatorDefault,
                    kSecAttrAccessibleWhenUnlockedThisDeviceOnly,  // usable only while this device is unlocked
                    kSecAccessControlPrivateKeyUsage,              // required for Secure Enclave private keys
                    nullptr)
        }
    };
is there an equivalent to storing device-wide credentials/keys in the System Keychain with this new model?
No. To quote On Mac Keychains:
The data protection keychain is only available in a user login context. You cannot use it, for example, from a launchd daemon.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"