I am developing a macOS application (targeting macOS 13 and later) that is non-sandboxed and needs to install and trust a root certificate by adding it to the System keychain programmatically.
I’m fine with prompting the user for admin privileges or password, if needed.
So far, I have attempted to execute the following command programmatically from both:
- A user-level process
- A root-level process
```shell
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/cert.pem
```
While the certificate does get installed, it does not appear as trusted in the Keychain Access app.
Two more points:
- The app is not distributed via MDM.
- The app will be distributed outside the App Store.
Questions:
- What is the correct way to programmatically install and trust a root certificate in the System keychain?
- Does this require additional entitlements, signing, or profile configurations?
- Is it possible outside of MDM management?
Any guidance or working samples would be greatly appreciated.
> [my app] needs to install and trust a root certificate … programmatically.
On iOS and its various child platforms, there’s no supported way to do this and never has been.
The situation on macOS is more nuanced. Historically you could do this with keychain APIs. However, we’ve since added security hardening that prevents this. There’s now no supported way to achieve this goal.
In this respect macOS now follows iOS:
- In managed environments, you can install trusted roots via MDM.
- Otherwise, the system trust store is under the control of the user.
I suggest you rethink your product plans to account for this policy.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"