SecItem API and the future of file-based keychains

Referring to https://developer.apple.com/forums/thread/696431:

The data protection keychain is only available in a user login context. You cannot use it, for example, from a launchd daemon.

That's my scenario – I have a launchd privileged helper tool that needs access to keychain items (items that it creates and has exclusive access to, and items that may be required prior to user login). So this would appear to leave us with only one option – the System keychain. We can work with that (proof-of-concept shows that it works for us), but referencing the same forum post above:

The file-based keychain is on the road to deprecation.

So before I make a big migration to the System keychain, should I be concerned that the System keychain (being a file-based keychain) will go away in the future as well? If so, is there some other alternative that I should consider instead?

Replies

So this would appear to leave us with only one option – the System keychain.

Correct.

is there some other alternative that I should consider instead?

Not now, no.

If you’re working on a launchd daemon then your best option for storing secrets is the System keychain. We recognise that this is less than ideal but, given that the data protection keychain is unavailable in that context, the only other option is to not use the keychain, which is definitely worse.

If you find yourself in a situation where you have to use the deprecated keychain APIs or implementation, please do file a bug about that, explaining the reason why this deprecated stuff is your only option. It’s likely that this will come back as a duplicate, but it’s also possible that you’re doing something unique. And, regardless, it’ll help the keychain team get a better handle on the scope of this issue.

If you do file a bug about this, please post your bug number here, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
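As an added illustration, not code from this thread or from Apple, here is a Swift sketch of how a privileged helper tool could create and read its own generic-password item while explicitly targeting the System keychain instead of the data protection keychain. The service and account names are hypothetical; SecKeychainOpen is itself a deprecated call and is used here only to obtain a reference to the System keychain.

```swift
import Foundation
import Security

/// The file-based System keychain, which remains usable from a launchd daemon
/// running outside any user login session.
let systemKeychainPath = "/Library/Keychains/System.keychain"

enum HelperSecretError: Error { case osStatus(OSStatus) }

/// Opens the System keychain so SecItem calls can be pointed at it explicitly.
func openSystemKeychain() throws -> SecKeychain {
    var keychain: SecKeychain?
    let status = SecKeychainOpen(systemKeychainPath, &keychain) // deprecated legacy API
    guard status == errSecSuccess, let opened = keychain else {
        throw HelperSecretError.osStatus(status)
    }
    return opened
}

/// Stores (or replaces) the helper's secret as a generic-password item in the System keychain.
/// `service` and `account` are hypothetical identifiers chosen for this example.
func storeHelperSecret(service: String, account: String, secret: Data) throws {
    let keychain = try openSystemKeychain()
    let match: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecMatchSearchList: [keychain],   // search only the System keychain
    ]
    // Remove any stale copy first so SecItemAdd does not fail with errSecDuplicateItem.
    let deleteStatus = SecItemDelete(match as CFDictionary)
    guard deleteStatus == errSecSuccess || deleteStatus == errSecItemNotFound else {
        throw HelperSecretError.osStatus(deleteStatus)
    }
    let attributes: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecValueData: secret,
        kSecUseKeychain: keychain,         // add into the System keychain, not the login keychain
    ]
    let addStatus = SecItemAdd(attributes as CFDictionary, nil)
    guard addStatus == errSecSuccess else { throw HelperSecretError.osStatus(addStatus) }
}

/// Reads the helper's secret back from the System keychain.
func loadHelperSecret(service: String, account: String) throws -> Data {
    let keychain = try openSystemKeychain()
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecMatchSearchList: [keychain],
        kSecReturnData: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        throw HelperSecretError.osStatus(status)
    }
    return data
}
```

Because the helper creates the item itself, it is the item's initial ACL owner; any additional applications that need access must be granted it explicitly rather than relying on a user-session prompt, which a daemon cannot answer.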