Hi,
I'm having a heck of a time trying to figure out getting Keychain to work with Touch ID on a Mac, and more specifically using Keychain with kSecAttrAccessControl. I'm familiar with using Keychain in normal circumstances, and spent some time learning about Access Lists, LocalAuthentication and general Touch ID practices. I've also downloaded and checked out the official Apple sample code for Touch ID (e.g. https://developer.apple.com/library/content/samplecode/KeychainTouchID/Listings/KeychainTouchID_AAPLKeychainTestsViewController_m.html), and that seems to work great on iOS. The problem is getting the same code to work with macOS, which it sounds like it should.
Basically, using any of the sample methods that create Keychain items with SecItemAdd, in a new or existing macOS project, results in a failure with error code -50, a.k.a. errSecParam. Narrowing this down further, it's the kSecAttrAccessControl SecAccessControlRef object that it's taking issue with, as removing this attribute from the dictionary lets me add Keychain items just fine. I've tried toying with SecAccessControlCreateWithFlags and other parameters around this fairly straightforward code with no success. Of course, kSecAttrAccessControl is required for Touch ID functionality and the sample code should work anyway.
Confusing matters even more, it seems that turning on the Keychain Sharing entitlement for my test project changes everything and will let me add items to Keychain with kSecAttrAccessControl just fine, though who knows to what extent this might create issues elsewhere. Either way, it's not an entitlement I want to add to my project.
This seems like a very straightforward task with not a lot of documentation or many other people talking about it. I've scoured the internet and played around with official (and unofficial) sample code for many hours now with no luck, which makes me wonder if this is a bug or if I'm somehow overlooking something really simple.
Using the latest High Sierra update and SDKs with Xcode 9, as well as the Xcode betas (no go with either). Any help would be appreciated.
The last time I tried this my iOS code moved across without any drama. The main gotcha relates to how you sign your app. Touch ID only works with the iOS-style keychain, so you need to sign your app such that it can use that. The easiest (only?) way to do that is to sign your app as a Mac App Store app.
P.S. If you’re not familiar with the iOS-style vs traditional Mac keychain dichotomy, check out this post, which explains some background to this.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
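To make the procedure from the original question concrete, here is an added Swift example (written for this thread, not the poster's code, not Apple's KeychainTouchID sample and not anything Quinn posted) that builds a biometry-gated SecAccessControl, adds a generic-password item with kSecAttrAccessControl, and reads it back through an LAContext. The service and account strings are made up for the example. The add routine returns the raw OSStatus and the helper turns it into a readable message, so a -50 (errSecParam) is reported as such rather than lost; as the reply above explains, on macOS that status with an otherwise well-formed query is a signal to look at how the app is signed (iOS-style keychain) rather than at the dictionary.

```swift
import Foundation
import Security
import LocalAuthentication

// Constructed identifiers for this example only.
let demoService = "com.example.touchid-demo"
let demoAccount = "demo-user"

/// Turn an OSStatus into "code (message)" for logging; -50 prints as errSecParam.
func describe(_ status: OSStatus) -> String {
    let message = SecCopyErrorMessageString(status, nil) as String? ?? "unknown"
    return "\(status) (\(message))"
}

/// Access control that requires the currently enrolled biometry set and keeps the
/// item on this device only (no iCloud Keychain sync, no backup restore to another Mac).
/// `.biometryCurrentSet` invalidates the item if fingerprints are added or removed;
/// on SDKs older than 10.13.4 the same flag is spelled `.touchIDCurrentSet`.
func makeAccessControl() -> SecAccessControl? {
    var error: Unmanaged<CFError>?
    let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &error)
    if let err = error?.takeRetainedValue() {
        print("SecAccessControlCreateWithFlags failed: \(err)")
        return nil
    }
    return acl
}

/// Store `secret` behind the access control. Returns the OSStatus from SecItemAdd so
/// the caller can distinguish errSecParam from e.g. errSecDuplicateItem.
func addBiometricItem(secret: Data) -> OSStatus {
    guard let acl = makeAccessControl() else { return errSecParam }
    let attributes: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: demoService,
        kSecAttrAccount as String: demoAccount,
        kSecAttrAccessControl as String: acl,
        kSecUseAuthenticationUI as String: kSecUseAuthenticationUIAllow,
        kSecValueData as String: secret,
    ]
    let status = SecItemAdd(attributes as CFDictionary, nil)
    if status != errSecSuccess {
        print("SecItemAdd failed: \(describe(status))")
    }
    return status
}

/// Read the item back; the LAContext carries the reason string shown in the
/// Touch ID prompt. Returns nil (and logs the status) if the user cancels or
/// the item is not present.
func readBiometricItem(reason: String) -> Data? {
    let context = LAContext()
    context.localizedReason = reason
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: demoService,
        kSecAttrAccount as String: demoAccount,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else {
        print("SecItemCopyMatching failed: \(describe(status))")
        return nil
    }
    return result as? Data
}

// Usage: store a constructed secret, then read it back under Touch ID.
let status = addBiometricItem(secret: Data("constructed-demo-secret".utf8))
if status == errSecSuccess, let data = readBiometricItem(reason: "Unlock the demo secret") {
    print("Recovered \(data.count) bytes")
}
```

Running this from a plain, non-App-Store-signed macOS build is exactly the situation the question describes: SecItemAdd returns -50 and the message printed by `describe` says so. Once the app is signed so that it can use the iOS-style keychain, the same two calls succeed and the read prompts for Touch ID.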