I have code where we're evaluating SSL certificates in sec_protocol_options_set_verify_block. We have the following code: let secTrust = sec_trust_copy_ref(trust).takeRetainedValue() isValidCertificate = SecTrustEvaluateWithError(secTrust, &error) I'm getting the error that the maximum temporal validity period has been exceeded: Error Domain=NSOSStatusErrorDomain Code=-67901 "“server.com” certificate is not standards compliant" UserInfo={NSLocalizedDescription=“server.com” certificate is not standards compliant, NSUnderlyingError=0x300ddd350 {Error Domain=NSOSStatusErrorDomain Code=-67901 "Certificate 0 “server.com” has errors: Certificate exceeds maximum temporal validity period;" UserInfo={NSLocalizedDescription=Certificate 0 “server.com” has errors: Certificate exceeds maximum temporal validity period;}}} When I inspect the certificate, it's valid for 394 days (4/16/2024 through 5/15/2025) and other than being a wildcard certificate, should be fully trusted. I can't find any information about this specific error. Is Apple requiring SSL certs to be less than 398 days now? Which brings me to the second part - we're OK using this to workaround it var trustFailureExceptions: CFData? = SecTrustCopyExceptions(secTrust) SecTrustSetExceptions(secTrust, trustFailureExceptions) But I haven't found anyway to be able to inspect trustFailureExceptions to ensure it only is this specific error. I'm concerned that otherwise this is going to open up validity exceptions for any certificate problem, which is definitely not what I want to do.

Before device Reboot: Here no issue from keychain. 2025-06-17 11:18:17.956334 +0530 WAVE PTX [DB_ENCRYPTION] Key successfully retrieved from the Keychain default When device is in reboot and locked (Keychain access is set to FirstUnlock) App got woken up in background SEEMS(NOT SURE) DEVICE STILL IN LOCKED STARE IF YES THEN WHICH IS EXPECTED 2025-06-17 12:12:30.036184 +0530 WAVE PTX <ALA_ERROR>: [OS-CCF] [DB_ENCRYPTION] Error while retriving Private key -25308 default 2025-06-17 12:15:28.914700 +0530 WAVE PTX <ALA_ERROR> [DB_ENCRYPTION] Error retrieving key from the Keychain: -25300 default —————————————————— And as per logs, here user has launch the application post unlock and application never got the keychain access here also. HERE STILL HAS ISSUE WITH KEYCHAIN ACCESS. 2025-06-17 12:52:55.640976 +0530 WAVE PTX DEBUG : willFinishLaunchingWithOptions default 2025-06-17 12:52:55.651371 +0530 WAVE PTX <ALA_ERROR> [DB_ENCRYPTION] Error retrieving key from the Keychain: -25300 default

I am developing a MacOS Authorisation Plugin, I have username and password entry items and utilising SFAuthorizationPluginView to display that. I am able to do so. Requirement is I have to store ed25519 private key in PEM format in System Keychain as I need to read this entry before login to sign a request to a remote server. I only want my authorisation plugin to access this private key in System Keychain. I am looking up resources on the internet but I could not find specific to macOS Authorisation plugin, many are specific to iOS and some point at using entitlements and app group, but I doubt that applies to macOS authorisation plugin. I'll really appreciate if some pointers are shared how can I store a private credential in System Keychain so that it can be used by only my plugin only, and this is before I have logged into the system.

I generate a keys using : let attributes: NSDictionary = [ kSecAttrLabel: label, kSecUseKeychain: getSystemKeychain()!, kSecAttrKeyType: kSecAttrKeyTypeEC, kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom, kSecAttrKeySizeInBits: 256, kSecPrivateKeyAttrs: [ kSecAttrIsPermanent: true, kSecAttrApplicationTag: tag, ] as [CFString : Any] ] var error: Unmanaged&lt;CFError&gt;? // Generate a new private key guard let privateKey = SecKeyCreateRandomKey(attributes, &amp;error) else { logger.error("failed to create a keypair \(String(describing: error))") return (nil, nil) } I keep getting this error : failed to create a keypair Optional(Swift.Unmanaged&lt;__C.CFErrorRef&gt;(_value: Error Domain=NSOSStatusErrorDomain Code=-2070 "internal error" (internalComponentErr) UserInfo={numberOfErrorsDeep=0, NSDescription=internal error})) The above code works absolutely fine on macOS Sonoma and older OS. This looks like a regression in the Apple API SecKeyCreateRandomKey(). What is a good workaround for this ?

In a project I was using Local Authentication to authenticate a user. When I got a request to support smartcard/PIV token authentication (which Local Authentication does not support), I had to switch to Authorization Services, which works pretty. There's only one issue I have. Local Authentication's evaluatePolicy:localizedReason:reply: requires a reason in the form "&lt;appname&gt;" is trying to &lt;localized reason&gt;. The app is currently translated into 41 languages and I would like to use the localized strings for the AuthorizationEnvironment of Authorization Services as well. The problem is that Local Authentication prefixes the localized string with something like "&lt;appname&gt;" is trying to and Authorization Services does not do this. Is there a way to get this prefix from somewhere so I can manually add it to the (partially) localized string? Any help would be highly appreciated. Thank you, Marc

I'm trying to add a generic password to the keychain and get back the persistent ID for it, and give it .userPresence access control. Unfortunately, if I include that, I get paramError back from SecItemAdd. Here's the code: @discardableResult func set(username: String, hostname: String?, password: String, comment: String? = nil) throws -> PasswordEntry { // Delete any existing matching password… if let existing = try? getEntry(forUsername: username, hostname: hostname) { try deletePassword(withID: existing.id) } // Store the new password… var label = username if let hostname { label = label + "@" + hostname } var item: [String: Any] = [ kSecClass as String : kSecClassGenericPassword, kSecAttrDescription as String : "TermPass Password", kSecAttrGeneric as String : self.bundleID.data(using: .utf8)!, kSecAttrLabel as String : label, kSecAttrAccount as String : username, kSecValueData as String : password.data(using: .utf8)!, kSecReturnData as String : true, kSecReturnPersistentRef as String: true, ] if self.synchronizable { item[kSecAttrSynchronizable as String] = kCFBooleanTrue! } if let hostname { item[kSecAttrService as String] = hostname } if let comment { item[kSecAttrComment as String] = comment } // Apply access control to require the user to prove presence when // retrieving this password… var error: Unmanaged<CFError>? guard let accessControl = SecAccessControlCreateWithFlags(nil, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .userPresence, &error) else { let cfError = error!.takeUnretainedValue() as Error throw cfError } item[kSecAttrAccessControl as String] = accessControl item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly var result: AnyObject! let status = SecItemAdd(item as CFDictionary, &result) try Errors.throwIfError(osstatus: status) load() guard let secItem = result as? [String : Any], let persistentRef = secItem[kSecValuePersistentRef as String] as? Data else { throw Errors.malformedItem } let entry = PasswordEntry(id: persistentRef, username: username, hostname: hostname, password: password, comment: comment) return entry } (Note that I also tried it omitting kSecAttrAccessible, but it had no effect.) This code works fine if I omit setting kSecAttrAccessControl. Any ideas? TIA!

I've written a little utility targeting Mac, for personal use. In it, I need to be able to select a file from an arbitrary location on my drive. I have the "user selected file" entitlement added, and I have added my application to "Full Disk Access." But I still get a permissions error when I select a file with the file-open dialog (via .fileImporter). I dragged the application from the Xcode build directory to Applications before adding it to Full Disk Access. Any ideas?

When we enable 3rd party authentication plugin using SFAuthorization window, then when user performs Lock Screen and then unlock the MAC. Now after unlock, if user tries to open Keychain Access, it is not getting opened. When trying to open Keychain Access, we are prompted for credentials but after providing the credentials Keychians are not getting opened. This is working on Sonoma 14.6.1 , but seeing this issue from macOS Sequoia onwards. Are there any suggested settings/actions to resolve this issue?

Hi, A certificate imported on macOS 15 using the security command with the "non-exportable" option was imported in an exportable state. I would like to know how to change this certificate to be non-exportable. Regards, CTJ

It seems there was a new security feature added to macOS 15 - and now it asks every time after reboot if user wishes to continue and allow access the app to record screen and audio, while capture is blocked. Which renders remote access apps useless, a specially for headless computers like my Mac mini.

Sign up not completed when I log to an app using apple id. What should i do?

When use apple login, It always failed, other app developer by me is success, but the new app failed, the code is the same, it tips Sign up not Completed

I have a sandboxed Mac app which I can grant access to a folder using an NSOpenPanel. Once it’s been granted access it can enumerate the contents of the folder just fine. If I rename the folder while the app is open and then make the app enumerate the folder’s contents again, though, it seems to have lost access. What’s the recommended way to have an app’s sandbox “track” files as they’re moved around the filesystem? (NSDocument handles this for you, from what I can tell.) I’ve managed to hack something together with a combination of Dispatch sources and security-scoped bookmarks, but it feels like there must be an easier solution …

Hi Apple Team and Community, We've encountered a sudden and widespread failure with the App Attest service starting today across multiple production apps and regions. The previously working implementation is now consistently returning the following error on iOS: The operation couldn’t be completed. (com.apple.devicecheck.error error 4.) (serverUnavailable) Despite the green status on Apple’s System Status page, this appears to be a backend issue—possibly infrastructure or DNS-related. Notably: The issue affects multiple apps. It is reproducible across different geographies. No code changes were made recently to the attestation logic. We previously reported a similar concern in this thread: App Attest Attestation Failing, but this new occurrence seems unrelated to any client-side cause. Update: An Apple engineer in this thread(https://developer.apple.com/forums/thread/782987) confirmed that the issue was due to a temporary DNS problem and has now been resolved. Can anyone else confirm seeing this today? Any insights from Apple would be appreciated to ensure continued stability. Thanks!

This is on macOS, not iOS. Not sure if that should make a difference? I have a GUI app and a command line tool (that will run a daemon) that I need to share credentials between. The keys/certs will be stored using the GUI app. But, both tools need to utilize them. guard let accessControl = SecAccessControlCreateWithFlags( nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, [.privateKeyUsage], nil ) else { throw KeychainCertError.keychainError(errSecAuthFailed, "Failed to create access control for private key") } // Define Key Pair Attributes let privateKeyAttributes: [String: Any] = [ kSecAttrIsPermanent as String: true, kSecAttrApplicationTag as String: privateLabel.data(using: .utf8)!, kSecAttrLabel as String: privateLabel, // kSecAttrAccessControl as String: accessControl, kSecAttrAccessGroup as String: keychainAccessGroup ] With the kSecAttrAccessControl commented out, I am able to generate a private key and generate a self signed certificate that is stored on the user login keychain. If I uncomment that line, I get an error to the affect of "Keychain error (-26275): Failed to generate key pair: A required entitlement isn't present" Also, to share the credentials, don't they need to be NOT on the user keychain for the daemon to access them? Any ideas what I am doing wrong? I think I'm a bit over my head here with the the security, crypto kit and openssl. 😁

Hello, I have a fully functional webauthn relying party that uses passkeys and I am trying to implement an iOS sdk for it. On the server, the AASA file is valid and well served at /.well-known/assetlinks.json. I verified its validity with branch.io and that it is indeed cached by Apple's CDN (https://app-site-association.cdn-apple.com/a/v1/service.domain.com), but even will all these I still get the following error when installing the app on a device and starting the passkey ceremony: Passkey authorization failed. Error: The operation couldn’t be completed. Application with identifier TEAM.com.APP is not associated with domain service.domain.com So I then checked the system log when installing the app on my iPhone, and under the swcd process (which is apparently responsible of fetching the AASA file) I found the following error: swcd: Domain is invalid. Will not attempt a download. The issue that I have is that my domain is actually an IDN, it has a special character in it. But everywhere I have used it, I converted it to ASCII (punycode). With this conversion, Apple's CDN is able to fetch the AASA file, and the passkey ceremony works fine on a browser. So I don't understand how the device (both iPhone or Mac) finds this domain to be invalid? In the app's entitlements, I added the capability for an associated domain, with webcredentials:service.domain.com with the domain name converted to ASCII (punycode) and developer mode doesn't address this issue as it appears when the app is installed (and is not related to Apple's CDN). The last thing I tried was to add the domain with special characters in the app's entitlements (for webcredentials:) but then Xcode was unable to install the app on the device, and gave the following error: Failed to verify code signature (A valid provisioning profile for this executable was not found.) which happened only with a special character in the domain in the app's entitlements. All this leaves me kind of in a dead end, I understand Xcode or iOS/macOS has a hard time with IDNs and special characters (so do I), but I have no idea on how to solve this (without changing the domain name), so I would really appreciate any help. Thanks in advance. PS: I tested all this previously with another domain without special characters and it was working. It also had dashes ('-') in it and the new domain converted to ASCII is basically a regular domain with '-' in it so I suppose there is some kind of conversion made from ASCII back to special characters and that then, the domain is considered as invalid, but this doesn't really help me a lot... PS2: My devices are running on iOS 17.4.1 and macOS 14.4.1 with Xcode 15.2

Hello, I have been testing my app with iOS 18 beta and noticing an issue with the triggering of Local Network privacy prompt. My app uses this permission to make a request to a local network address. Prior to iOS upgrade to 18 beta, the privacy prompt used to get triggered upon making the request and only after tapping on 'Allow', the subsequent requests used to succeed. If the user turned off the toggle for 'Local Network' in the app settings, then this functionality used to break as expected. Issues observed with 18 beta: The privacy prompt is not getting triggered upon making the request to local network and the request is succeeding. The app already seems to have this access granted but I do not see the permission toggle in the app settings. Upon device restart, the prompt got triggered but even on disallowing the access (tapping Don't Allow), the app is able to make requests to the local network. The permission toggle appears in the app settings, but its state does not impact the app's functionality. Has something changes in this flow? Can someone please help with what might be causing this behaviour?

I am trying to implement Apple Login on the web. The language I am using is PHP. I have created the App ID, Service ID, and Key. In the Service ID, I clicked the Configure button for Sign In With Apple and entered the domain and return URL. However, when I click the login button, I only get an "invalid_client" error screen.

Hi all, I’m trying to find a documentation about the supported encryption algorithms for p12 files to be imported in iOS. I can see in iOS 18 changelog that AES-256-CBC is now supported, but cannot find a detailed view on which list of algorithms are supported. Would appreciate it if you could point me in the right direction! Thanks in advance

Hi, I have a set of plugins which are registered for login. One of them is a custom ui view for the login screen. The scenario: 1.DisableFDEAutoLogin is false. 2.The User logs in to the file vault login screen. 3.The security plugins are activated, and working. 4.We get any kind of an error from the plugins, and therefore the login fails. 5.We get a native login screen, after the denial of authorization. 6.In case that DisableFDEAutoLogin is true, I do get the custom login screen, after the file vault login. My question: Why dont I see the custom login screen, after the auto login fails? Cheers Sivan