The application always asks for permission to access keychain

I have an application that stores a username and password in a keychain. Everything worked fine with Xcode 3. I recently switched to Xcode 4, and now when I launch the application, I get a prompt:

Application wants to use your confidential information stored in keychain" in your keychain.

After hitting Always Allow, I can see the application added to the access control list of the keychain item, but I still get the prompt every time I start the application.

Also, after hitting Always Allow again, I see that the access control list has two instances of the same application. It looks like the OS considers this a new application.

Any ideas appreciated.

+6
1 answer

I believe that the problem is that the designated requirement you specified makes the application not accept itself as “the same application” (for Keychain purposes).

One of the common reasons for this, and I think this is yours, is using the Developer ID Application certificate without a designated requirement and without the intermediate certificate installed.

The standard requirement for a Developer ID is as follows:

 designated => anchor apple generic and identifier \"com.example.appName\" and ((cert leaf[field.1.2.840.113635.100.6.1.9] exists) or (certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = \"1AZBYCXDW9V\" )) 

If you want to build it yourself, you need to replace the identifier with your bundle identifier and subject.OU with the value from your certificate. (If you double-click the certificate in Keychain Access, the value should be listed as the organizational unit.) Then you can add this to "Other Code Signing Flags":

 --requirements "=designated ..." (the whole mess from above) 

However, a much better way to do this is to use Xcode 4.3.2 or later. If it recognizes that you are using a Developer ID Application certificate, and it can see the intermediate certificate in the keychain, it will generate this by default.

In addition, if you use the archive organizer in Xcode to “Export Developer ID-signed Application”, instead of just using the build from its target directory, it will definitely sign your application and any other private subscribers, and it will verify that everything is configured right. (The errors are rather cryptic; for example, your "Choose a developer identifier for logging in" may simply not have a choice, with a message to syslog that does not have any useful information. But at least the fact that it failed or succeeded narrows down where your problem is.)

In any case, you need to download and install (on your build machine) an intermediate certificate called "Certificate Identity Certification Authority with a Certificate" from the link "Intermediate Developer Certificate" on the Certificate Utility for Developers page.

Last: even if this solves your problem on your build machine, you really want to test on the oldest version of the operating system that you support. For example, requirements compiled by Lion codes can sometimes not be analyzed on Leopard, and sometimes even on Snow Leopard. If this happens ... see Gatekeeper vs. Leopard: current story.

+3
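
The following is an added example, not part of the original answer: a small shell helper that fills in the answer's requirement template and, on macOS, checks a built app against it. The function names `build_requirement` and `check_app` are hypothetical, and the bundle identifier and OU used in the comments are the sample values from the answer.

```shell
#!/bin/sh
# Added example (not from the original answer). Fills in the Developer ID
# requirement template quoted above and checks a built app against it.

# build_requirement BUNDLE_ID TEAM_OU
# Prints the requirement expression (without the "designated =>" prefix).
build_requirement() {
    bundle_id=$1
    team_ou=$2
    # Refuse values that could break out of the quoted strings in the
    # requirement text (quotes, spaces, shell metacharacters).
    case $bundle_id in
        ''|*[!A-Za-z0-9.-]*) echo "invalid bundle identifier" >&2; return 1 ;;
    esac
    case $team_ou in
        ''|*[!A-Z0-9]*) echo "invalid subject.OU value" >&2; return 1 ;;
    esac
    printf 'anchor apple generic and identifier "%s" and ((cert leaf[field.1.2.840.113635.100.6.1.9] exists) or (certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU] = "%s"))' \
        "$bundle_id" "$team_ou"
}

# check_app APP_PATH BUNDLE_ID TEAM_OU
# Shows the requirement embedded in the signature, then asks codesign whether
# the app satisfies the expected one. Returns non-zero on mismatch.
check_app() {
    req=$(build_requirement "$2" "$3") || return 2
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not found (this check only runs on macOS)" >&2
        return 3
    fi
    # Display the requirement set stored in the code signature.
    codesign -d -r- "$1"
    # Test the signature against the expected requirement expression.
    codesign --verify -R="$req" "$1"
}

# Example call (sample values from the answer; the app path is a placeholder):
#   check_app build/Release/AppName.app com.example.appName 1AZBYCXDW9V
```

Running `check_app` against two consecutive builds shows whether both satisfy the same requirement, which is what the keychain access control list compares. Run it on the oldest OS version you support as well as on the build machine.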

Source: https://habr.com/ru/post/919177/
