Issue with System Keychain Access in macOS

I am encountering an issue with accessing the system keychain on macOS [macOS 13.6.3]. When running our product, the following error message is logged:

[com.apple.securityd:secitemratelimit] Not internal release, disabling SIRL
[com.apple.securityd:keychain] System Keychain Always Supported set via feature flag to disabled

As a result, our product is unable to access the system keychain, which is impacting functionality.

Note: On many other devices this issue is not seen.

Steps to Reproduce:

  1. The moment the pkg is installed, it creates a key in the keychain.
  2. On an affected device, SecItemCopyMatching returns errSecInteractionNotAllowed.

Question:

  1. Is there a way to enable the system keychain access or address the issue with the feature flag being disabled?
  2. Are there any suggestions or recommendations for handling this case?

Any assistance or guidance on resolving this issue would be greatly appreciated. Thank you in advance for your help.

Just a correction: a root process of the product is able to access the system keychain. Only for the local keychain is another process facing an issue. So the local keychain is not accessible.

Are you aware of the difference between the data protection and file-based keychains? If not, I recommend that you start by reading TN3137 On Mac keychain APIs and implementations.

The data protection keychain is only available to code running in a user context. It’s not accessible to third-party daemons.

The situation with the file-based keychain is more nuanced. Your access is determined by the keychain search list. For a daemon, that list generally contains just one item, the System keychain. For code running in a user context, that list typically contains the login keychain and the System keychain. However, access to a file-based keychain is also mediated by file system permissions. So, for example, code running in a user context is not able to modify the System keychain because the underlying file system permissions prevent that.

As to what’s going on with your product, it’s hard to say. The log messages you’re seeing are all red herrings. The “feature flag” that it references relates to the data protection keychain, not the file-based keychain, and you won’t be able to use that anyway.

You mentioned a “pkg”, which suggests an installer package is involved, which definitely complicates matters. So I’d like to clarify:

  • Which programs are involved?

  • How are those programs run?

  • For each program, is it expecting to access the System keychain? Or some sort of user keychain? And, for the latter, is that a file-based keychain or the data protection keychain?

  • And for each keychain access, is it a read or a write?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
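The distinction drawn in the reply above can be checked from inside the affected process. This is an added example, not code from the thread or from Apple: it sends the same read-only key lookup to the file-based keychains and to the data protection keychain and prints the execution context beside each OSStatus. The application tag and the names `KeychainTarget`, `lookUpKey` and `triageHint` are hypothetical.

```swift
import Foundation
import Security

// Which keychain implementation a SecItem query is sent to (see TN3137).
enum KeychainTarget: String { case fileBased, dataProtection }

// Hypothetical application tag, constructed for this example.
let sampleTag = Data("com.example.product.key".utf8)

/// Read-only lookup of one key item by application tag.
func lookUpKey(tag: Data, in target: KeychainTarget) -> OSStatus {
    var query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: tag,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecReturnRef as String: true,
    ]
    // With this attribute the query goes to the data protection keychain;
    // without it, macOS uses the file-based keychains on the search list.
    if target == .dataProtection {
        query[kSecUseDataProtectionKeychain as String] = true
    }
    var item: CFTypeRef?
    return SecItemCopyMatching(query as CFDictionary, &item)
}

/// Turns the statuses relevant to this thread into a triage hint.
func triageHint(for status: OSStatus) -> String {
    switch status {
    case errSecSuccess:
        return "item found and readable"
    case errSecItemNotFound:
        return "no matching item in this implementation"
    case errSecInteractionNotAllowed:
        return "user interaction was needed but is not possible in this context"
    case errSecMissingEntitlement:
        return "a required entitlement is missing"
    default:
        return "other failure"
    }
}

// Record the execution context next to each result: uid 0 means root.
print("uid=\(getuid()) euid=\(geteuid())")
for target in [KeychainTarget.fileBased, .dataProtection] {
    let status = lookUpKey(tag: sampleTag, in: target)
    let text = SecCopyErrorMessageString(status, nil) as String? ?? "n/a"
    print("\(target.rawValue): \(status) (\(text)) -> \(triageHint(for: status))")
}
```

Running it once from each program in the product, in the way that program is normally launched, gives a per-program record of which implementation is reached and with what result.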

Thanks for your reply. I'll put it another way: our application is running in a user context and wants to create a key in the local keychain. But while creating the key in the local keychain, SecItemCopyMatching failed with OSStatus code errSecInteractionNotAllowed.

We are using OSLog in our application, and when we collected it for debugging purposes we came across the logs below. We therefore shared them in this ticket in case they are relevant to the issue.

[com.apple.securityd:secitemratelimit] Not internal release, disabling SIRL
[com.apple.securityd:keychain] System Keychain Always Supported set via feature flag to disabled

Only on a few devices have we seen that the application is not creating the key, and every time the above error message was seen in the logs. Yes, we don't want to use, and we are not using, any “feature flag” related to the data protection keychain. But we thought of sharing the com.apple.securityd logs in case that is the reason our application is blocked from creating a key in the local keychain.

For those reading along at home, I’ll be helping mpatole in a different context.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
