Last Week on My Mac: The problem with macOS keychains

Over the last few weeks I have been revisiting keychains, in the light of Apple’s latest documentation, particularly its Technical Note for developers. I hadn’t appreciated the many differences between the file-based keychains of old, and the newer Data Protection variety that came with iCloud Keychain ten years ago. Nor was I aware that “the file-based keychain is on the road to deprecation”, something that Apple hasn’t yet spelled out to its users. There’s a catch, though, in that not all processes can access the Data Protection keychain. Yet again, deprecation looks like it’s going to cause trouble.

Internally, the problem is that the Data Protection keychain is only available for use by processes running in a user context, like apps and their extensions, but not by those run by launchd as daemons, executing outside a user context. At present, if file-based keychains were to be removed, a lot of services would be unable to run.

What the Tech Note touches on but doesn’t explore any further is the consequence on users and those who support them. I had assumed that iCloud Keychain only stored passwords (both Internet and generic in scope), but apparently it has been able to store and sync certificates and keys as well since Big Sur. The reason that we can’t take advantage of this is that the only app that can manipulate keychains, Keychain Access, intentionally only shows password items in the Data Protection keychain.

I would dearly like to save my Apple developer signing certificates in my iCloud Keychain, which would save me having to install them locally into the login (file-based) keychain on each Mac that I develop on. Although my iCloud Keychain apparently has that ability, there’s no means to make it happen.

The situation with passkeys is also severely constrained: while Passwords settings, and its equivalent in Safari, give access to passkeys stored in the iCloud Keychain, Keychain Access doesn’t even admit to their existence. It’s all very well intending to deprecate file-based keychains, but hobbling the user’s only access to their successors doesn’t help us transition to the Data Protection keychain.

The closest equivalent in the command line to Keychain Access is security, whose keychain options are similarly unsuited to working with iCloud Keychain.

There are further concerns over command tools. The two types of keychain also differ in their access control methods. File-based keychains use access control lists that work fine with Mach-O binaries such as command tools, but the Data Protection keychain uses keychain access groups that are built from an app’s code signing entitlements, authorised by a provisioning profile. For that to be embedded with the code for a command tool, it has to be wrapped in a dummy app-like structure to turn it into a bundle. Apple explains how to do that for a Launch Daemon in this article.

On the basis of the description in this one Tech Note, the road ahead for the deprecation of file-based keychains looks far from being straightforward:

A solution is required for processes run by launchd outside a user context.
Command tools requiring access to the Data Protection keychain will require provisioning profiles, entitlements, and to be wrapped in a bundle.
Any remaining apps (and currently that’s a lot of third-party products) will need to change the API they use to ensure they can access the Data Protection keychain. They will also need provisioning profiles and entitlements to do so.
Users and support staff need a replacement for Keychain Access that works with all categories of secret in the Data Protection keychain, and a replacement for keychain features in the security command tool. In particular, they will need to be able to manipulate certificates in that keychain.

I just hope that whoever has the road-map for this transition is going to tell us well in advance. Looking back over the last few WWDCs, it looks like there’s still a great deal of the journey to be explained and scheduled.

10Comments

Add yours

1

Tristan Hübsch on August 27, 2023 at 12:41 pm

Thank you for another clearly written installment of the “missing manual”! ((When you get a minute: “…wouldn’t be unable to run.” → “…would be unable to run.” ending the 2nd paragraph. 🤓))

LikeLiked by 1 person
- 2
  
  hoakley on August 27, 2023 at 12:48 pm
  
  Thank you. And thank you for spotting the typo, which I have corrected.
  Howard
  
  LikeLike
3

SarahB on August 27, 2023 at 2:01 pm

Thank you for all the research you did. So much still changing it seems. Even just system settings in Ventura was quite a shakeup and I’m still trying to get used to finding things in there.

I still don’t know what apple has planned for this M-series transition and its effect on the operating systems. It has me feeling unwell since I don’t even have one of the M-series devices yet.

I remember past transitions with power pc and intel, but never was so into macOS as I am now with so many mac’s here to manage. Quite an investment compared to just having one Mac in years past. I am stuck using these older Macs for quite a while longer.

Then how using 1password7 for me is a dead end with no road forward. Sometimes it takes apple longer to do something right. I hope this whole management of keychains and passwords will become something more understood and explained better soon. Currently it’s a start or even end, but needs more work.

LikeLiked by 1 person
- 4
  
  Duncan on August 27, 2023 at 4:04 pm
  
  “Then how using 1password7 for me is a dead end with no road forward.”
  
  Just curious – what do you mean by this? (I’m still using 1Password 6 myself as a local app – no cloud syncing – and it works fine.)
  
  LikeLiked by 1 person
  - 5
    
    SarahB on August 27, 2023 at 5:20 pm
    
    Hello Duncan, I guess I just mean as long as I can use 1pass7 I’m ok but if it ever stops working or being supported, no other way to move forward since I won’t ever use the new version where I can’t sync to my own vault offline. Sad they are so stubborn about letting us be in control of our own vault instead of forcing us to keep it on their servers.
    
    LikeLiked by 1 person
- 6
  
  hoakley on August 28, 2023 at 9:03 pm
  
  macOS running on Intel and Apple silicon Macs is almost identical. There are some differences, of course, but it’s all familiar territory.
  Howard.
  
  LikeLike
7

Theorist on December 13, 2023 at 6:32 am

“I would dearly like to save my Apple developer signing certificates in my iCloud Keychain, which would save me having to install them locally into the login (file-based) keychain on each Mac that I develop on.”

Assuming the new computer is running the same OS, could you simply copy the entire ~/Library/Keychains folder over to it, and thus transfer not only your login keychains, but your developer certificates as well?

I’m assuming you don’t want to use Migration Assistant, which does this automatically.

LikeLiked by 1 person
- 8
  
  hoakley on December 13, 2023 at 12:00 pm
  
  Thank you.
  That’s not an operation that I’d encourage, and I think you’d have to be booted from another disk to be able to replace the Login keychain successfully.
  My problems stem from the fact that I run several Macs, so when I get a new one, it usually doesn’t migrate from a predecessor, but is set up fresh. And adding a new certificate to each has to be done manually anyway.
  Howard.
  
  LikeLike
9

Theorist on December 13, 2023 at 6:42 am

….or are developer certificates instead typically stored outside user accounts in, e.g., /System/Library/Keychains?

LikeLiked by 1 person
- 10
  
  hoakley on December 13, 2023 at 12:01 pm
  
  Not here, the login keychain is preferred as it doesn’t require another password to open it.
  Howard.
  
  LikeLike

Share this:

Related