Docs suggest that keychain items can be shared among apps within a keychain access group.
Is it possible to share access to the key generated in Secure Enclave with a third-party app on macOS under the same login context?
IMPORTANT Because you’re asking about SE-protected keys, that implies the data protection keychain. The access control story for the file-based keychain is very different. For more background on this, see TN3137 On Mac keychain APIs and implementations.
Items stored in the keychain have a keychain access group attribute. For an app to be able to access an item, the item’s access group must match one of the groups that the app has access to. Sharing Access to Keychain Items Among a Collection of Apps describes how that list of accessible groups is formed. The upshot of these rules is that only apps from the same team can share keychain items.
Is it possible to share access to the key generated in Secure Enclave with a third-party app on macOS under the same login context?
That depends on what you mean by “third-party app”. I can see three possibilities:
- A third-party app accessing an item in an Apple keychain access group — That’s not supported.
- A third-party app accessing an item created by another app from the same team — That’s absolutely supported, per the discussion above.
- A third-party app accessing an item created by an app from a different team — That’s not supported.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
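The same-team sharing case described above, as an added example that is not part of the original thread or Apple sample code: app A creates a Secure Enclave key in the data protection keychain and tags it with a shared keychain access group; app B, signed by the same team and carrying the same group in its keychain-access-groups entitlement, finds the key by tag and group. The group name `TEAMID_PLACEHOLDER.com.example.shared-keys`, the application tag, and the placement of `kSecAttrAccessGroup` inside `kSecPrivateKeyAttrs` are assumptions of this example, not values from the thread.

```swift
import Foundation
import Security

// Assumed shared access group. It must be listed in the keychain-access-groups
// entitlement of every app that should see the key, and those apps must be
// signed by the same team (the Team ID prefix is a placeholder here).
let sharedAccessGroup = "TEAMID_PLACEHOLDER.com.example.shared-keys"
// Assumed application tag used to find the key again later.
let keyTag = Data("com.example.shared-keys.signing".utf8)

/// Creates a P-256 private key inside the Secure Enclave and stores its
/// reference in the data protection keychain under the shared access group.
/// Run this from the app that owns key generation (app A).
func createSharedSecureEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    // Private key usage only; the key material never leaves the Secure Enclave.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .privateKeyUsage,
        &error
    ) else {
        throw error!.takeRetainedValue() as Error
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        // On macOS, SE-backed keys live only in the data protection keychain.
        kSecUseDataProtectionKeychain as String: true,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessGroup as String: sharedAccessGroup, // assumed placement
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return key
}

/// Looks up the shared key from any app on the same team whose entitlement
/// includes `sharedAccessGroup` (app B). Returns nil when the item is not
/// visible; an app from another team, or one lacking the group in its
/// entitlement, gets errSecItemNotFound rather than an explicit denial.
func findSharedSecureEnclaveKey() -> SecKey? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrApplicationTag as String: keyTag,
        kSecAttrAccessGroup as String: sharedAccessGroup,
        kSecUseDataProtectionKeychain as String: true,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let ref = item else { return nil }
    return (ref as! SecKey)
}

// Usage in app A:
//   let key = try createSharedSecureEnclaveKey()
// Usage in app B (same team, same access group in its entitlement):
//   if let key = findSharedSecureEnclaveKey() { /* sign with key */ }
```

The lookup relies on the access-group filter in the query: omitting `kSecAttrAccessGroup` would return the first matching key from any group the calling app can see, which is rarely what a caller intends when several groups are in play. Restricting access with `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` and `.privateKeyUsage` keeps the key confined to this Mac and to signing or decryption by apps that pass the group check.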