The feedback in case anybody wants to follow its status: https://feedbackassistant.apple.com/feedback/9571299

Thanks Quinn!, The tip on using NSDictionary is great and I have been reading up on kSecUseDataProtectionKeychain. Alas, my code is destined for a helper, but this is all good to know none the less. Cheers Mighty Quinn

My response is in the Answer below.

I also made sure that I have a bundle identifier and I'm not sure if it matters but the application is a 'command line application', not sandboxed and nothing is checked in hardened runtime , signing is automatic and I have dev certificate and my testing is on a system where I have a GUI (not ssh'd in or anything like that). The way I'm building and executing is using the 'play/debug' button in Xcode.

Hi Quinn, I unfortunately I'm pretty new to these frameworks (hence trying out the demo code). I'm not sure what the data protection keychain is. I used the security tool to list the keychains on my system security list-keychains and only found the login and system keychains. I did try out my code with different SecPreferencesDomain to explicitly use user, common and system and running my debug scheme as root where necessary. It didn't change the behavior. The certificate did get added to the System keychain where you would expect, but retrieval using the 'kSecAttrLabel' attribute in a query was still unsuccessful. If data protection keychain has a different meaning can you please point me to a doc page. I've read through this and sub pages and apis several times: https://developer.apple.com/documentation/security/keychain_services ... as well as this: https://developer.apple.com/documentation/security/certificate_key_and_trust_services ... and this: https://support.apple.com/guide/security/keychain-data-protection-secb0694df1a/web ... as well as the usual googling of 'macOS dataprotection keychain' and I'm coming up blank. Do you mean explicitly setting an ACL for the Keychain Item? Would that matter if it's the exact same OS process?

Hi Matt, I took the certificate in the source I posted and put it in a file in /tmp/test.pem and ran openssl x509 -in ./test.pem -out test.der -outform DER to convert it to a DER formatted file (which im 99% sure is what my original code produced (pem comment header and footer lines removed and newlines removed and base64 decoded). Loading DER format directly from a file like so: let CertDER = try Data(contentsOf: URL(fileURLWithPath: "/tmp/test.der")) didn't make a difference. It still saved to the keychain fine and was retrievable using the kSecMatchSubjectContains attribute but not the kSecAttrLabel attribute .