> On 23 Jul 2016, at 06:41, Jens Alfke <j...@mooseyard.com> wrote:
> 
> 
>> On Jul 22, 2016, at 2:46 AM, Gerriet M. Denkmann <gerr...@mdenkmann.de> 
>> wrote:
>> 
>> When it gets some streams it will show a panel:
>> “MyApp wants to sign using key “something” in your keychain” / “Allow” “Deny”
> 
> Presumably this app is either acting as an SSL server, or is sending SSL 
> clients.
It is acting as a server using NSStreams with TLS Security.

> Either of those roles involves signing data using the private key associated 
> with the certificate, to prove you own it.  If the app hasn’t previously used 
> that private key, the Keychain will ask your permission to let the app use 
> it. That’s the alert. Then it updates the key’s access control list to 
> remember your app has access. But this access is (usually) invalidated when 
> the app binary is modified, so you’ll (usually) see the alert again if you 
> modify the app and run it again.

This might be a problem: in another app (using another certificate) I once 
clicked “Always Allow” and have since then rebuilt and modified the server 
countless times, and never seen this panel again.

> 
>> The problem: sometimes I do NOT get this panel, and the app behaves as if I 
>> had clicked “Deny”.
> 
> Huh. Had you previously denied the alert?
I may have done so once (a long time ago) to see what the result would be. But 
since then, I always click on “Always Allow”.

> Maybe the security framework hasn’t noticed that the app changed and is still 
> using the old Deny permission set before.

As I said: before 11.6 just quitting and rerunning the app fixed this issue. 
Now I have to go through some contortions: like running the debug version, then 
the release version; make some modifications; run it again; until it finally 
decides to show the magic panel.

> 
>> Where is this info: < “MyApp is allowed to use key “something”> stored? 
> 
> In the Keychain item for that key. You can look at and modify the permissions 
> in the Keychain Access app.

I looked at the certificate in the Keychain Access app: it tells me (under 
“Trust”) that:
  When using this certificate: “Use System Defaults”
  all other points: “no value specified”

But I cannot find any mention of which app has been allowed or denied access to 
this certificate.
Oh, I just found under Keys → Access Control:
“Confirm before allowing access” is checked.
“Always allow access by these applications:” lists:
  Application-Group: ???
  racoon: “racoon is used to setup and maintain an IPSec tunnel or transport 
    channel, between two devices, over which network traffic is conveyed 
    securely.” Maybe needed; I don’t know.
  Certificate Assistant.app (twice): looks reasonable (but why twice?)
  Mail.app: what has Mail to do with my Streams? This does not look right.
  My app (several dozen times): hovering over an item one sees the path: 
    DerivedData…Release (several), DerivedData…Debug (some), /Applications 
    (ca. 10)

I copied my app to /tmp and ran it from there. It asked for permission to use 
the keychain (ok - “Always Allow”).
But I can find no mention of this copy of my app in the Keychain Access app.
Quit/Restart Keychain Access app fixed this.

Then copied my app to /tmp/Test and ran it. It did NOT ask for permission (but 
works fine).

Removed /tmp/MyApp from the list in Keychain app.
Restarted /tmp/Test/MyApp - now it asks for permission.

Removed all mentions of MyApp from the list in Keychain app (left just one with 
/Applications).
Started my app - it asked for permission - now Keychain app has two: MyApp 
(both in /Applications).

Something seems to be messed up.

Thanks for your help!


Kind regards,

Gerriet.
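The ACL entries discussed in this message (the per-key list of applications allowed to use the key without confirmation, identified by path) can also be read from code, which is a quicker way to check what a rebuild or a copy of the app did to the list than reopening Keychain Access. The following is an added example and not code from the thread or from any of the apps mentioned in it. It assumes the legacy file-based login keychain and the Security framework's C keychain ACL API (SecKeychainItemCopyAccess, SecAccessCopyACLList, SecACLCopyContents, SecTrustedApplicationCopyData), which Apple has since deprecated but which is still present; the key label "something" is a placeholder, and the reading of a NULL application list as "any application" follows the SecACL header comments.

```objective-c
// keyacl.m: print the access control entries of a private key in the user's
// keychain, showing which application paths may use it without a prompt.
// Added example for this thread, not code from the original post.
// Build: clang -fobjc-arc -framework Foundation -framework Security keyacl.m -o keyacl
// Run:   ./keyacl "something"        ("something" is a placeholder key label)
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Finds the first private key whose label matches. On the legacy keychain the
// SecKeyRef returned by SecItemCopyMatching can be cast to SecKeychainItemRef
// (assumption relied on here). The caller releases the result.
static SecKeychainItemRef CopyPrivateKeyItem(NSString *label) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:        (__bridge id)kSecClassKey,
        (__bridge id)kSecAttrKeyClass: (__bridge id)kSecAttrKeyClassPrivate,
        (__bridge id)kSecAttrLabel:    label,
        (__bridge id)kSecReturnRef:    @YES,
        (__bridge id)kSecMatchLimit:   (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef item = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &item);
    if (status != errSecSuccess) {
        fprintf(stderr, "no private key labelled '%s' (OSStatus %d)\n",
                label.UTF8String, (int)status);
        return NULL;
    }
    return (SecKeychainItemRef)item;
}

// Turns a trusted-application entry into a readable path. For path-based
// entries the opaque data is the application's POSIX path; a trailing NUL,
// if present, is dropped.
static NSString *PathForTrustedApplication(SecTrustedApplicationRef app) {
    CFDataRef data = NULL;
    if (SecTrustedApplicationCopyData(app, &data) != errSecSuccess || data == NULL) {
        return @"<unreadable entry>";
    }
    const UInt8 *bytes = CFDataGetBytePtr(data);
    CFIndex length = CFDataGetLength(data);
    while (length > 0 && bytes[length - 1] == 0) length--;
    NSString *path = [[NSString alloc] initWithBytes:bytes length:length
                                            encoding:NSUTF8StringEncoding];
    CFRelease(data);
    return path ?: @"<non-UTF8 entry>";
}

// Prints every ACL entry attached to the key's access object.
static void PrintKeyACLs(SecKeychainItemRef item) {
    SecAccessRef access = NULL;
    OSStatus status = SecKeychainItemCopyAccess(item, &access);
    if (status != errSecSuccess) {
        fprintf(stderr, "SecKeychainItemCopyAccess failed: %d\n", (int)status);
        return;
    }
    CFArrayRef acls = NULL;
    status = SecAccessCopyACLList(access, &acls);
    if (status != errSecSuccess) {
        fprintf(stderr, "SecAccessCopyACLList failed: %d\n", (int)status);
        CFRelease(access);
        return;
    }
    for (CFIndex i = 0; i < CFArrayGetCount(acls); i++) {
        SecACLRef acl = (SecACLRef)CFArrayGetValueAtIndex(acls, i);
        CFArrayRef apps = NULL;
        CFStringRef description = NULL;
        SecKeychainPromptSelector prompt = 0;
        if (SecACLCopyContents(acl, &apps, &description, &prompt) != errSecSuccess) {
            continue;
        }
        // Authorizations are CFStrings such as kSecACLAuthorizationSign.
        CFArrayRef auths = SecACLCopyAuthorizations(acl);
        NSString *ops = auths ? [(__bridge NSArray *)auths componentsJoinedByString:@", "] : @"(none)";
        printf("ACL %ld  operations: %s\n", (long)i, ops.UTF8String);
        printf("  prompt: %s\n", (prompt & kSecKeychainPromptRequirePassphase)
                                 ? "keychain password required" : "confirmation dialog");
        // NULL list: any application may perform these operations without
        // confirmation ("Allow all applications" in Keychain Access).
        // Non-NULL list: confirmation is required except for the listed
        // applications ("Confirm before allowing access" + "Always allow").
        if (apps == NULL) {
            printf("  applications: any (no confirmation)\n");
        } else {
            printf("  applications allowed without confirmation: %ld\n", (long)CFArrayGetCount(apps));
            for (CFIndex j = 0; j < CFArrayGetCount(apps); j++) {
                SecTrustedApplicationRef app = (SecTrustedApplicationRef)CFArrayGetValueAtIndex(apps, j);
                printf("    %s\n", PathForTrustedApplication(app).UTF8String);
            }
            CFRelease(apps);
        }
        if (auths) CFRelease(auths);
        if (description) CFRelease(description);
    }
    CFRelease(acls);
    CFRelease(access);
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc < 2) { fprintf(stderr, "usage: %s <key label>\n", argv[0]); return 2; }
        SecKeychainItemRef item = CopyPrivateKeyItem(@(argv[1]));
        if (item == NULL) return 1;
        PrintKeyACLs(item);
        CFRelease(item);
    }
    return 0;
}
```

Running this before and after a rebuild makes the effect described in the message visible as data: each build product that was allowed once appears as its own path entry, and an entry that should not be there (Mail.app in the list above) stands out as the one to remove in Keychain Access.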



_______________________________________________

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
