Post list (columns per post: Replies, Boosts, Views, Activity)

Help with Entitlements for Keychain Access
Hi everyone,

I’m working on an Objective-C lib that performs Keychain operations, such as generating cryptographic keys and signing data. The lib will be used by my team in a Java program for macOS via JNI.

When working with the traditional file-based Keychain (i.e., without access control flags), everything works smoothly, no issues at all. However, as soon as I try to generate a key using access control flags (SecAccessControlCreateWithFlags), the Data Protection Keychain returns error -34018 (errSecMissingEntitlement) during SecKeyCreateRandomKey. This behavior is expected.

To address this, I attempted to codesign my native dynamic library (.dylib) with an entitlement plist specifying various combinations of:

- keychain-access-groups
- com.apple.security.keychain
- etc.

with:

- My Apple Development certificate
- Developer ID Application certificate
- Apple Distribution certificate

None of these combinations made a difference; the error persists.

I’d love to clarify:

1. Is it supported to access Data Protection Keychain / Secure Enclave keys in this type of use case?
2. If so, what exact entitlements does macOS expect when calling SecKeyCreateRandomKey from a native library?

I’d really appreciate any guidance or clarification. Thanks in advance!

Best regards,
Neil
Replies: 1 | Boosts: 0 | Views: 398 | Activity: Jul ’25
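The check a practitioner would run first on the question above is where macOS evaluates entitlements: they are read from the code signature of the process's main executable, not from any dynamic library the process loads. With JNI the main executable is the java launcher, so entitlements signed into the .dylib are never consulted, whichever certificate signed it. The Swift snippet below is an added example, not code from the post or from the poster's library; it creates a Secure Enclave key in the Data Protection keychain under access-control flags, maps -34018 to a distinct error so the caller can tell an entitlement problem from any other failure, and then signs with the key. The application tag and the optional access group are placeholders; the access group, when given, has to appear in the main executable's keychain-access-groups entitlement.

```swift
import Foundation
import Security

// Entitlement the MAIN EXECUTABLE of the calling process must carry, signed with a
// certificate and provisioning profile that allow it (group name is a placeholder):
//
//   <key>keychain-access-groups</key>
//   <array><string>$(TeamIdentifierPrefix)com.example.keychain</string></array>
//
// A .dylib loaded into an unentitled process gains nothing from its own signature.

enum EnclaveKeyError: Error {
    case accessControl(Error)
    case missingEntitlement          // errSecMissingEntitlement, -34018
    case keyGeneration(Error)
}

/// Creates a P-256 private key inside the Secure Enclave and stores it in the
/// Data Protection keychain, gated by the given access-control flags.
func createEnclaveKey(tag: String,
                      accessGroup: String? = nil,
                      flags: SecAccessControlCreateFlags = [.privateKeyUsage, .userPresence]) throws -> SecKey {
    var cfError: Unmanaged<CFError>?

    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            flags,
            &cfError) else {
        throw EnclaveKeyError.accessControl(cfError!.takeRetainedValue())
    }

    var privateKeyAttrs: [String: Any] = [
        kSecAttrIsPermanent as String: true,
        kSecAttrApplicationTag as String: Data(tag.utf8),
        kSecAttrAccessControl as String: access,
    ]
    if let group = accessGroup {
        // Only needed when the executable claims more than one group.
        privateKeyAttrs[kSecAttrAccessGroup as String] = group
    }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecUseDataProtectionKeychain as String: true,   // explicit: not the file-based keychain
        kSecPrivateKeyAttrs as String: privateKeyAttrs,
    ]

    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
        let error = cfError!.takeRetainedValue() as Error
        // Security reports OSStatus codes through NSOSStatusErrorDomain.
        if OSStatus((error as NSError).code) == errSecMissingEntitlement {
            throw EnclaveKeyError.missingEntitlement
        }
        throw EnclaveKeyError.keyGeneration(error)
    }
    return key
}

/// Signs a message with the enclave key. The access-control prompt (if any)
/// is triggered by this operation, not by key creation.
func signMessage(_ message: Data, with key: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(
            key, .ecdsaSignatureMessageX962SHA256, message as CFData, &cfError) else {
        throw cfError!.takeRetainedValue() as Error
    }
    return signature as Data
}

// Usage; the tag is a placeholder.
do {
    let key = try createEnclaveKey(tag: "com.example.signing-key")
    let signature = try signMessage(Data("hello".utf8), with: key)
    print("signature: \(signature.count) bytes")
} catch EnclaveKeyError.missingEntitlement {
    print("-34018: the main executable of this process lacks a keychain entitlement")
} catch {
    print("failed: \(error)")
}
```

To confirm what the process actually carries, inspect the signature of the launcher binary that is running (not the .dylib) with codesign's entitlement display; an empty entitlement set there explains the -34018 regardless of how the library was signed.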
Strong Passwords with SecAccessControlCreateWithFlags
Hi everyone,

I’ve been working on storing keys and passwords in the macOS Keychain using the Keychain Services API. Specifically, I’m leveraging SecAccessControlCreateWithFlags to bind items to access control flags, and overall, it’s been working smoothly.

I have a question regarding the .applicationPassword flag of SecAccessControlCreateWithFlags. While it successfully prompts the user to input a password, there are no apparent password rules; even a simple “1” is accepted.

My questions are:

1. Is there a way to enforce strong password requirements when using the .applicationPassword flag?
2. If enforcing strong passwords isn’t possible, is there an alternative approach to provide a predefined strong password during the creation process, bypassing the need for user input?
3. With SecAccessControlCreateWithFlags, I noticed the item isn’t stored in the traditional file-based Keychain but in an iOS-style Keychain. Is there a way to store it in a file-based Keychain while marking it as unexportable?

I appreciate any insights or suggestions. Thank you!

Neil
Replies: 4 | Boosts: 0 | Views: 150 | Activity: Mar ’25
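For the second question in the post above, the Keychain does not judge the application password itself, but the caller can supply one programmatically through an LAContext credential, which also suppresses the prompt, so strength policy can be enforced in the caller's own code before the item is created. The Swift below is an added example and not code from the post: it generates a password from the system CSPRNG, checks it against a small policy, and stores and reads back a generic-password item that carries the .applicationPassword constraint. The service and account names, the 12-character minimum and the three-of-four character-class rule are assumptions chosen for the example.

```swift
import Foundation
import Security
import LocalAuthentication

enum AppPasswordError: Error {
    case weakPassword(String)
    case accessControl(Error)
    case credentialRejected
    case keychain(OSStatus)
}

/// Policy enforced by the caller; the framework applies none of its own.
/// Thresholds here are assumptions for the example.
func validatePasswordStrength(_ password: String, minLength: Int = 12) throws {
    guard password.count >= minLength else {
        throw AppPasswordError.weakPassword("shorter than \(minLength) characters")
    }
    let classes: [CharacterSet] = [.lowercaseLetters, .uppercaseLetters, .decimalDigits,
                                   CharacterSet.punctuationCharacters.union(.symbols)]
    let present = classes.filter { cls in password.unicodeScalars.contains { cls.contains($0) } }.count
    guard present >= 3 else {
        throw AppPasswordError.weakPassword("needs three of: lower, upper, digit, symbol")
    }
}

/// Random password over a 64-symbol alphabet (256 % 64 == 0, so a byte maps uniformly).
func generateStrongPassword(length: Int = 24) -> String {
    let alphabet = Array("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")
    var bytes = [UInt8](repeating: 0, count: length)
    let status = SecRandomCopyBytes(kSecRandomDefault, length, &bytes)
    precondition(status == errSecSuccess, "SecRandomCopyBytes failed")
    return String(bytes.map { alphabet[Int($0) % alphabet.count] })
}

/// Builds an LAContext that already holds the application password, so the
/// system does not prompt for it.
private func authenticationContext(_ password: String) throws -> LAContext {
    let context = LAContext()
    guard context.setCredential(Data(password.utf8), type: .applicationPassword) else {
        throw AppPasswordError.credentialRejected
    }
    return context
}

/// Stores `secret` as a generic-password item that can only be read with the
/// application password. Lives in the Data Protection keychain.
func storeSecret(_ secret: Data, account: String, service: String, applicationPassword: String) throws {
    try validatePasswordStrength(applicationPassword)

    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            .applicationPassword,
            &cfError) else {
        throw AppPasswordError.accessControl(cfError!.takeRetainedValue())
    }

    let attributes: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        kSecAttrAccessControl as String: access,
        kSecUseAuthenticationContext as String: try authenticationContext(applicationPassword),
        kSecUseDataProtectionKeychain as String: true,
    ]
    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else { throw AppPasswordError.keychain(status) }
}

/// Reads the item back; a wrong application password fails the match.
func loadSecret(account: String, service: String, applicationPassword: String) throws -> Data {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: try authenticationContext(applicationPassword),
        kSecUseDataProtectionKeychain as String: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        throw AppPasswordError.keychain(status)
    }
    return data
}

// Usage; service and account names are placeholders.
do {
    let appPassword = generateStrongPassword()
    try storeSecret(Data("api-token".utf8), account: "deploy", service: "com.example.tool",
                    applicationPassword: appPassword)
    let back = try loadSecret(account: "deploy", service: "com.example.tool", applicationPassword: appPassword)
    print("round trip ok: \(String(decoding: back, as: UTF8.self))")
} catch {
    print("failed: \(error)")
}
```

The generated application password now has to be kept somewhere the process can reach it later (it is not recoverable from the item), so this pattern moves the secret-management problem rather than removing it; it is appropriate when the password is derived from or wrapped by something the process already protects.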
Unix Domain Socket, Network Framework and App Sandboxing
Dear Apple Developers,

I am working on a macOS project where the container app acts as a server and communicates with a command-line program developed by my colleagues via a Unix domain socket. The macOS part was written using the new Network Framework. Here is a snippet of the code:

```swift
import Network

let params = NWParameters()
let socketFile = URL(fileURLWithPath: socketPath)
params.defaultProtocolStack.transportProtocol = NWProtocolTCP.Options()
params.requiredLocalEndpoint = NWEndpoint.unix(path: socketFile.path)
params.allowLocalEndpointReuse = true
self.listener = try! NWListener(using: params)
listener?.newConnectionHandler = ... // handler body omitted in the post
listener?.start(queue: .main)       // NWListener.start takes the DispatchQueue to deliver events on
```

When my colleague's program needs to send data, it connects to the socket created by the macOS app, and the data is received perfectly, unless the macOS app is sandboxed.

I have added outgoing and incoming connections entitlements to the macOS app. I tested my colleague's program both embedded in the macOS app and separately, ensuring to add the com.apple.security.inherit entitlement as well. However, it still doesn't work when the macOS app is sandboxed.

The socket file's permission is srwxr-xr-x@ and it is located in the containers folder when sandboxed, and srwxr-xr-x in HOME/Library/Application Support/MyApp when not sandboxed.

What could be going wrong? Does the Network Framework support this use case, or do I need to revert to using AF_UNIX?

Thank you for your assistance.

Best regards.

P.S. My colleagues' program was written in Go, using a standard function:

```go
conn, err := net.Dial("unix", "socket_path_in_container")
```

It outputs an "invalid argument" error when the macOS App is sandboxed.
Replies: 2 | Boosts: 0 | Views: 1.5k | Activity: Jun ’24
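One check worth running before looking at the sandbox itself: a UNIX-domain socket path has to fit, with its NUL terminator, in sockaddr_un.sun_path, which is 104 bytes on Darwin, and a path under a sandbox container (~/Library/Containers/<bundle id>/Data/Library/Application Support/...) is easily that long. Go's net.Dial("unix", ...) rejects a path that does not fit with EINVAL, reported as "invalid argument", before it ever calls connect(2). The Swift listener below is an added example, not the post's code: it validates the path against the struct's real capacity before binding, and it installs state handlers so a listener or connection failure is logged instead of being silent. The socket file name and the "MyApp" directory are placeholders.

```swift
import Foundation
import Network

enum UnixSocketError: Error {
    case pathTooLong(bytes: Int, limit: Int)
}

/// Capacity of sockaddr_un.sun_path on Darwin (104), read from the imported struct.
let sunPathCapacity = MemoryLayout.size(ofValue: sockaddr_un().sun_path)

/// bind(2) and connect(2) need the path plus a NUL terminator to fit in sun_path.
func checkUnixSocketPath(_ path: String) throws {
    let bytes = path.utf8.count
    if bytes >= sunPathCapacity {
        throw UnixSocketError.pathTooLong(bytes: bytes, limit: sunPathCapacity - 1)
    }
}

/// Echo server on a UNIX-domain socket using the Network framework.
final class UnixSocketServer {
    private var listener: NWListener?
    private let queue = DispatchQueue(label: "unix-socket-server")

    func start(at path: String) throws {
        try checkUnixSocketPath(path)
        // A stale socket file from a previous run makes bind fail; remove it first.
        _ = unlink(path)

        let params = NWParameters.tcp
        params.requiredLocalEndpoint = NWEndpoint.unix(path: path)
        params.allowLocalEndpointReuse = true

        let listener = try NWListener(using: params)
        listener.stateUpdateHandler = { state in
            switch state {
            case .ready:             print("listening on \(path)")
            case .failed(let error): print("listener failed: \(error)")   // bind/sandbox errors surface here
            case .cancelled:         print("listener cancelled")
            default:                 break
            }
        }
        listener.newConnectionHandler = { [weak self] connection in
            self?.accept(connection)
        }
        listener.start(queue: queue)
        self.listener = listener
    }

    private func accept(_ connection: NWConnection) {
        connection.stateUpdateHandler = { state in
            if case .failed(let error) = state { print("connection failed: \(error)") }
        }
        connection.start(queue: queue)
        receive(on: connection)
    }

    private func receive(on connection: NWConnection) {
        connection.receive(minimumIncompleteLength: 1, maximumLength: 65536) { [weak self] data, _, isComplete, error in
            if let data = data, !data.isEmpty {
                print("received: \(String(decoding: data, as: UTF8.self))")
                // Echo the bytes back so the client can confirm the round trip.
                connection.send(content: data, completion: .contentProcessed { _ in })
            }
            if isComplete || error != nil {
                connection.cancel()
                return
            }
            self?.receive(on: connection)
        }
    }
}

// Usage: in a sandboxed app this directory resolves inside the container, which is
// exactly when the path length becomes a concern. Print the path for the client side.
let supportDir = FileManager.default.urls(for: .applicationSupportDirectory, in: .userDomainMask)[0]
let socketDir = supportDir.appendingPathComponent("MyApp")
let socketPath = socketDir.appendingPathComponent("server.sock").path
do {
    try FileManager.default.createDirectory(at: socketDir, withIntermediateDirectories: true)
    let server = UnixSocketServer()
    try server.start(at: socketPath)
    print("socket path (\(socketPath.utf8.count) bytes): \(socketPath)")
    RunLoop.main.run()
} catch {
    print("cannot start server: \(error)")
}
```

If checkUnixSocketPath throws for the container path, the fix is a shorter location for the socket file rather than any entitlement change; the same limit applies on the Go side, so the client should check len(path) against 104 before dialing as well.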
Network Extension Signed by Developer ID Not Activating
Hello,

I am working on a macOS VPN app using Network Extension's packet tunnel capability. When the container app (referred to as "App" below) and the network extension plugin (referred to as "NE" below) are signed with my development certificate, everything works perfectly. However, when they are signed with a Developer ID certificate, the network extension refuses to activate. Here are the details:

- The App has sandbox set to off, but the NE has sandbox set to on.
- I managed to archive and notarize both the Developer ID signed App and NE.
- The Debug version and Release version don't use the same App ID or App Group ID, to make sure there is no interference.
- I am aware that the NE entitlement value changes if signed by Developer ID. I followed the instructions and used packet-tunnel-provider-systemextension instead of packet-tunnel-provider.
- I tested adding the System Extension capability to the App, but it made no difference.
- The activate tunnel function returns NEVPNError.Code.configurationInvalid, but I don't think the configuration is invalid. The same configuration works with a development profile.

In the system console, I observed the following log messages:

```
Looking for an extension with identifier {NE_BUNDLE_ID} and extension point com.apple.networkextension.packet-tunnel
Found 1 extension(s) with identifier {NE_BUNDLE_ID} and extension point com.apple.networkextension.packet-tunnel
Beginning extension request with extension {NE_BUNDLE_ID}
Assertion 395-24105-185921 (target:[xpcservice<{NE_BUNDLE_ID}([osservice<com.apple.neagent(512863558)>:24105:24105])(512863558)>:42188]) will be created as active
[0x12be187f0] activating connection: mach=false listener=false peer=false name={NE_BUNDLE_ID}.apple-extension-service
Entitlement com.apple.application-identifier={APP_GROUP_ID} is ignored because of invalid application signature or incorrect provisioning profile
Entitlement com.apple.security.application-groups=( {APP_GROUP_ID} ) is ignored because of invalid application signature or incorrect provisioning profile
{APP NAME}[42130]/1#5 LF=0 copy_matching Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither com.apple.application-identifier nor com.apple.security.application-groups nor keychain-access-groups entitlements" UserInfo={numberOfErrorsDeep=0, NSDescription=Client has neither com.apple.application-identifier nor com.apple.security.application-groups nor keychain-access-groups entitlements}
```

Any guidance or suggestions would be greatly appreciated. Thank you!
Replies: 5 | Boosts: 0 | Views: 1.1k | Activity: Jun ’24
[SwiftUI & iOS 15] Changing the blur radius makes the navigation bar overlap with the status bar
Hello Apple,

I have a SwiftUI app and I am currently experiencing a layout issue in iOS 15 if the app is built by Xcode 13. The SwiftUI View has a built-in blur modifier. My app has a lock/unlock feature, and I use .blur(radius:) to hide and unhide the home page. It has been working very well since the introduction of SwiftUI (iOS 13). However, with the app built with the new Xcode 13 for iOS 15, changing the blur radius value can make the navigation bar overlap with the status bar (please see the screenshot).

I did the following demo app to show the issue.

```swift
import SwiftUI

struct Item {
    let id: Int
    let name: String
}

class ItemManager {
    static func generate() -> [Item] {
        return [Item(id: 1, name: "Hello"), Item(id: 2, name: "World")]
    }
}

struct ContentView: View {
    @State private var isLocked = true

    var body: some View {
        ZStack {
            // Main Content
            NavigationView {
                ScrollView {
                    ForEach(ItemManager.generate(), id: \.id) { item in
                        NavigationLink(destination: Text(item.name)) {
                            VStack(alignment: .leading) {
                                HStack {
                                    Text(String(item.id))
                                    Text(item.name)
                                }
                                .padding()
                                Divider()
                            }
                        }
                    }
                }
                .toolbar {
                    ToolbarItem(placement: .navigationBarTrailing) {
                        Button(action: {
                            // Nothing
                        }) {
                            Image(systemName: "plus.circle")
                                .imageScale(.large)
                                .foregroundColor(.red)
                        }
                    }
                }
                .navigationTitle("Items")
            }
            .blur(radius: isLocked ? 20 : 0) // Without blur, there is no overlapping issue.

            if isLocked {
                Button(action: { isLocked.toggle() }) {
                    Text("Unlock")
                }
            }
        }
    }
}
```

If .blur is removed or the radius value is 0, there is no overlapping issue. Does anyone know a workaround?

Thanks in advance.

Best,
Neil
Replies: 0 | Boosts: 0 | Views: 476 | Activity: Sep ’21