Support the data protection keychain on macOS #240

Open
brotskydotcom opened this issue Mar 3, 2025 · 2 comments

@brotskydotcom
Collaborator

For historical reasons, the macOS credential store only supports the file-based keychain, not the more-modern data-protection keychain that syncs with iCloud and iOS. It would be great to introduce support for the data-protection keychain.

Ideally, the data protection keychain would be the default, but that would orphan keychain entries created in earlier versions unless an extra check were done on reads. Perhaps auto-migration could be done of older entries.
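
The extra check on reads and the auto-migration suggested above, sketched as an added example (not code from this project). `Store`, `Origin` and `read_migrating` are hypothetical in-memory stand-ins, not the crate's API or the macOS keychain calls; the sample entry is constructed.

```rust
use std::collections::HashMap;

type Key = (String, String); // (service, account)

/// Hypothetical in-memory stand-in for one keychain; not the crate's API.
#[derive(Default)]
struct Store {
    items: HashMap<Key, Vec<u8>>,
    fail_writes: bool, // simulates a store that rejects new items
}

impl Store {
    fn set(&mut self, key: &Key, secret: &[u8]) -> Result<(), &'static str> {
        if self.fail_writes {
            return Err("write rejected");
        }
        self.items.insert(key.clone(), secret.to_vec());
        Ok(())
    }
}

#[derive(Debug, PartialEq)]
enum Origin { Protected, Migrated, LegacyKept }

/// Read from the new default first, then fall back to the legacy store.
/// On a legacy hit, copy before delete so a failed copy never loses the secret.
fn read_migrating(protected: &mut Store, legacy: &mut Store, service: &str, account: &str)
    -> Option<(Vec<u8>, Origin)> {
    let key: Key = (service.to_string(), account.to_string());
    if let Some(secret) = protected.items.get(&key) {
        return Some((secret.clone(), Origin::Protected));
    }
    let secret = legacy.items.get(&key)?.clone();
    match protected.set(&key, &secret) {
        Ok(()) => {
            legacy.items.remove(&key); // only after the copy succeeded
            Some((secret, Origin::Migrated))
        }
        Err(_) => Some((secret, Origin::LegacyKept)), // entry stays readable
    }
}

fn main() {
    let (mut protected, mut legacy) = (Store::default(), Store::default());
    // Constructed sample entry, as if written by an earlier version.
    legacy.items.insert(("svc".into(), "alice".into()), b"s3cret".to_vec());
    println!("{:?}", read_migrating(&mut protected, &mut legacy, "svc", "alice"));
    println!("{:?}", read_migrating(&mut protected, &mut legacy, "svc", "alice"));
}
```

The first read reports `Migrated` and the second `Protected`; with `fail_writes` set on the new store, the entry stays in the legacy store and reads keep succeeding.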

@soywod
Contributor

soywod commented Mar 5, 2025

Hmm looks like the edge case I was worrying about in our previous discussion. MacOS ends up with multiple credential stores, then selecting one as default becomes an opinion.

@brotskydotcom
Collaborator Author

> MacOS ends up with multiple credential stores

Luckily it's not quite that bad :). The mac keychain credential store already has the notion of "which keychain to use" built in: that's what the target parameter determines. So from an API point of view, this just means I need to add a new target selector to identify that the user wants to use the protected keychain rather than one of the macOS file-based keychains.

As to which keychain should be the default one, I'm going to leave it as the login (aka "user") keychain for backwards compatibility. People who want to use the protected keychain will need to specify it as their desired target.
