Thursday, November 3, 2022

Mac Keychain APIs and Implementations

TN3137:

The Keychain and SecKeychain APIs always target the file-based keychain. The SecItem API can target either implementation. It defaults to targeting the file-based keychain. […] The file-based keychain is on the road to deprecation.

[…]

The SecItem API is well aligned with the data protection keychain. However, when you use it to target the file-based keychain it operates through a shim. That shim has limitations. Some of those limitations are inherent to the keychain implementation. For example, the access control model of the file-based keychain is completely different than that of the data protection keychain, and the shim can’t make up for that. However, some limitations are just bugs. To avoid such problems, target the data protection keychain. This is particularly important when you’re porting keychain code from iOS.

[…]

The data protection keychain can hold all keychain item classes (Internet password, generic password, certificate, key). macOS 11 and later synchronize all classes; earlier versions synchronize only the password classes.

[…]

The Keychain Access application supports both file-based keychains and the data protection keychain. The keychain list shows all the file-based keychains in the search list for the current user—typically this is just login and System—and the data protection keychain.

Note that Keychain Access now requires manual access granting for additional keychain files that you ask it to open.
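The distinction the technote draws (SecItem defaults to the file-based keychain on macOS, and you opt into the data protection keychain per call) is easiest to see in code. The following is an added example, not code from TN3137 or from this post: it stores a generic password with `kSecUseDataProtectionKeychain` set, reads it back the same way, and then shows that the same query without that key (which the shim routes to the file-based keychain) does not find the item. The service and account strings are constructed sample values. Because the data protection keychain scopes items by the caller's code-signing identity, an unsigned command-line tool will typically get `errSecMissingEntitlement` back from `SecItemAdd`; run it from a signed app or tool with an application identifier.

```swift
import Foundation
import Security

// Constructed sample identifiers; not taken from the technote.
let service = "com.example.keychain-demo"
let account = "demo-user"

/// Base SecItem query for our generic-password item. When `useDataProtection`
/// is true the query carries kSecUseDataProtectionKeychain, so SecItem targets
/// the data protection keychain; otherwise it keeps the macOS default and goes
/// through the file-based keychain shim.
func baseQuery(useDataProtection: Bool) -> [String: Any] {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    if useDataProtection {
        query[kSecUseDataProtectionKeychain as String] = true
    }
    return query
}

/// Adds the secret to the selected keychain implementation.
func addSecret(_ secret: Data, useDataProtection: Bool) -> OSStatus {
    var query = baseQuery(useDataProtection: useDataProtection)
    query[kSecValueData as String] = secret
    if useDataProtection {
        // Accessibility classes are a data protection keychain concept; keep the
        // item readable only while unlocked and out of iCloud Keychain sync.
        query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    }
    return SecItemAdd(query as CFDictionary, nil)
}

/// Looks the item up in the selected keychain implementation.
func readSecret(useDataProtection: Bool) -> (OSStatus, Data?) {
    var query = baseQuery(useDataProtection: useDataProtection)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return (status, result as? Data)
}

/// Removes the item so the example can be re-run cleanly.
func deleteSecret(useDataProtection: Bool) -> OSStatus {
    SecItemDelete(baseQuery(useDataProtection: useDataProtection) as CFDictionary)
}

// Usage: write to the data protection keychain, read it back, then show that a
// query missing kSecUseDataProtectionKeychain lands in the file-based keychain
// and does not see the item.
let secret = Data("constructed-secret".utf8)
_ = deleteSecret(useDataProtection: true)

let addStatus = addSecret(secret, useDataProtection: true)
print("add (data protection): \(addStatus == errSecSuccess ? "ok" : "error \(addStatus)")")

let (dpStatus, dpData) = readSecret(useDataProtection: true)
let dpText = dpData.map { String(decoding: $0, as: UTF8.self) } ?? "nil"
print("read (data protection): status \(dpStatus), value \(dpText)")

let (fileStatus, _) = readSecret(useDataProtection: false)
print("read (file-based): \(fileStatus == errSecItemNotFound ? "errSecItemNotFound, as expected" : "status \(fileStatus)")")

_ = deleteSecret(useDataProtection: true)
```

The practical lesson for code ported from iOS is that every SecItem call in the code path, not just the add, needs the `kSecUseDataProtectionKeychain` key; a lookup or delete that omits it silently goes to the other implementation.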
