Is SecKeychainAddCallback broken in High Sierra?

Question

Created Oct ’17

Replies 7

Boosts 0

Participants 4

Hi,

I'm using SecKeychainAddCallback in a multithreaded application (The thread that calls SecKeychainAddCallback, is the main thread which is in NSApplicationMain).

If any other thread tries to access the KeyChain (for example, by calling SecItemCopyMatching), the callback wont be called anymore. Calling SecKeychainAddCallback again also doesn't solve the problem.

This issue happens since High Sierra, previous MacOS versions don't show this issue.

Is this a bug in High Sierra, or is it just not allowed to use the KeyChain from multiple threads?

Kind regards,

Jochen

Boost

Answer 1

DTS Engineer OP

Apple

Oct ’17

What

SecKeychainEventMask

values are you using?

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 2

joch OP

Oct ’17

I'm using

kSecAddEventMask|kSecDeleteEventMask|kSecTrustSettingsChangedEventMask

0

Answer 3

DTS Engineer OP

Apple

Oct ’17

You wrote:

I'm using

kSecAddEventMask|kSecDeleteEventMask|kSecTrustSettingsChangedEventMask

.

But earlier you wrote:

If any other thread tries to access the KeyChain (for example, by calling
SecItemCopyMatching
), the callback wont be called anymore.

OK, I’m confused.

SecItemCopyMatching

doesn’t add items to the keychain. Or delete them. Or change their trust settings. Why would you expect your keychain callback to be called in that case?

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 4

joch OP

Oct ’17

You are right, but my application doesn't modifies the keychain, it just wants to gets notified when another process has made changes in the keychain.

My application shall be notifed when Private Keys have been added/deleted or if the Trust of a certificate has been changed (For example by using "Keychain Access").

This works fine as long as I don't call SecItemCopyMatching in a second thread.

0

Answer 5

DTS Engineer OP

Apple

Oct ’17

You are right, but my application doesn't modifies the keychain, it just wants to gets notified when another process has made changes in the keychain.

Ah, I see.

This works fine as long as I don't call
SecItemCopyMatching
in a second thread.

Weird. I’ve no idea why that would break the notification mechanism. Please file a bug about this (then post your bug number, just for the record). If you’d like to see if there’s a way to work around it, you should open a DTS tech support incident and I, or one of my colleagues, can look into that.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 6

KenToo OP

Sep ’20

I don't know if Jochen ever filed a report, but I ran into this issue and I've been fighting with it the past couple days, so I did: FB8606748.

I haven't found a reliable workaround. It seems you can either query the Keychain, or you can get notifications when it changes, just not both in the same application. It doesn't seem to be entirely deterministic with respect to that call, though. Occasionally you can run a query and still get notifications, and occasionally even with no query you get no notifications.

- Ken

0

Answer 7

bstover OP

Sep ’21

I encountered this same issue today: callback function never fires if SecItemCopyMatching has been called, but fires fine if SecItemCopyMatching hasn't been called. I had success by removing the callback before calls to SecItemCopyMatching and then adding it back afterwards. Odd, but as far as workarounds go it's not the worst. Weirdly, it must be: remove callback, SecItemCopyMatching call, add back callback; SecItemCopyMatching call, remove callback, add back callback doesn't seem to work.

0