The items are written to the older macOS filesystem keychain, not the data protection keychain. LAContext is being used as a user presence check, unrelated to protection of the keychain items. The XPC service is vended by a launch agent. While we're trying to wrap it inside a bundle, it won't be contained within an application. The bundle is intended to get an app icon to show on the LAContext-driven system dialog, nothing more.

Why are you trying to do this? I'm trying to do something similar. My ultimate goal is to interface the C-level SecKey API with some Go code, but I'm trying to validate that I'm doing things correctly by round-tripping some simple sign and verify tasks with CryptoKit and Secure Enclave keys. You seem to be mixing CryptoKit and the older SecKey API, which can be done but it’s a little weird. What would it look like? I'm getting the dataRepresentation from a SecureEnclave.P256.Signing.PrivateKey, then trying to recreate it for use by the SecKey APIs with this: bool verify(const UInt8 *privateKey, size_t privateKeyLength, const UInt8 *data, size_t dataLength, const UInt8 *signature, size_t signatureLength) {     CFDataRef keyData = CFDataCreate(NULL, privateKey, privateKeyLength);     void *attributeKeys[] = {         (void *)kSecAttrKeyType,         (void *)kSecAttrKeyClass,         (void *)kSecAttrTokenID     };     void *attributeValues[] = {         (void *)kSecAttrKeyTypeEC,         (void *)kSecAttrKeyClassPrivate,         (void *)kSecAttrTokenIDSecureEnclave     };     CFDictionaryRef attributes = CFDictionaryCreate(NULL, (const void **)attributeKeys, (const void **)attributeValues, sizeof(attributeKeys) / sizeof(attributeKeys[0]), NULL, NULL);     CFErrorRef error;     SecKeyRef privateKeyRef = SecKeyCreateWithData(keyData, attributes, &error); // ... } This "works" insofar as I am not getting any errors, but signature validation always fails.