Re: How to silently use Proxy authentication credentials from Keychain, like Safari, Mail, etc.
- Subject: Re: How to silently use Proxy authentication credentials from Keychain, like Safari, Mail, etc.
- From: Ken Thomases <email@hidden>
- Date: Tue, 06 Sep 2016 09:01:28 -0500
On Sep 6, 2016, at 7:36 AM, Motti Shneor <email@hidden> wrote:
>
> I doubt all Apple preinstalled applications have free access to any keychain content (passwords), or else any Apple application would serve as a potential vulnerability and the whole point of encrypted keychains wouldn’t be worth much. I think there is some kind of trust, but it is not based on signature.
It is indeed based on the code signature.
> Maybe it is the same “trust” normal apps can get when user presses “Allow” or “Always allow”, only certain applications get this trust “preinstalled”?
When the user chooses Always Allow, an entry is added to the keychain item's Access Control List (ACL) using the app's code signature as the identifying credential. If the app isn't code-signed, the system generates an ad hoc signature, but that is specific to that exact binary. A proper code signature is specific to the signing ID plus the app bundle ID and so a new version is still recognized as the same app as an old one and the user doesn't have to re-confirm access.
I don't know if all Apple-signed apps have access, if only some do (based on bundle ID), or if it's implemented some other way. You could check the Access Control tab of the item in Keychain Access. That may be informative but I don't know if it's definitive.
Regards,
Ken
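
The ACL described in the message above can also be read programmatically with the legacy file-based keychain API. The following is an added example, not part of the original message; it assumes the proxy credential is stored as an internet-password item with the HTTP-proxy protocol type, and it prints only access-control metadata, never the password.

```objective-c
// Build: clang -fobjc-arc -framework Foundation -framework Security aclcheck.m -o aclcheck
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Log every ACL entry of a keychain item: the operations it authorizes and
// the applications trusted to perform them.
static void DumpItemACL(SecKeychainItemRef item) {
    SecAccessRef access = NULL;
    CFArrayRef acls = NULL;
    if (SecKeychainItemCopyAccess(item, &access) != errSecSuccess) return;
    if (SecAccessCopyACLList(access, &acls) == errSecSuccess) {
        for (id acl in (__bridge NSArray *)acls) {
            SecACLRef aclRef = (__bridge SecACLRef)acl;
            NSArray *auths = CFBridgingRelease(SecACLCopyAuthorizations(aclRef));
            CFArrayRef apps = NULL;
            CFStringRef desc = NULL;
            SecKeychainPromptSelector prompt = 0;
            if (SecACLCopyContents(aclRef, &apps, &desc, &prompt) != errSecSuccess) continue;
            NSLog(@"ACL entry: %@", [auths componentsJoinedByString:@", "]);
            // A NULL list means any application is trusted; an empty list means none.
            if (apps == NULL) NSLog(@"  trusted: any application");
            for (id app in (__bridge NSArray *)apps) {
                CFDataRef data = NULL;
                SecTrustedApplicationCopyData((__bridge SecTrustedApplicationRef)app, &data);
                // The data is opaque by contract; reading it as a path is an assumption.
                NSString *path = data ? [[NSString alloc] initWithData:(__bridge NSData *)data
                                                              encoding:NSUTF8StringEncoding] : nil;
                NSLog(@"  trusted: %@", path ?: @"(unreadable)");
                if (data) CFRelease(data);
            }
            if (apps) CFRelease(apps);
            if (desc) CFRelease(desc);
        }
        CFRelease(acls);
    }
    CFRelease(access);
}

int main(int argc, const char *argv[]) {
    if (argc < 2) { fprintf(stderr, "usage: %s <proxy-host>\n", argv[0]); return 2; }
    SecKeychainItemRef item = NULL;
    // NULL password pointers: locate the item without reading its secret.
    OSStatus st = SecKeychainFindInternetPassword(NULL, (UInt32)strlen(argv[1]), argv[1],
        0, NULL, 0, NULL, 0, NULL, 0, kSecProtocolTypeHTTPProxy,
        kSecAuthenticationTypeAny, NULL, NULL, &item);
    if (st != errSecSuccess) { fprintf(stderr, "lookup failed: %d\n", (int)st); return 1; }
    DumpItemACL(item);
    CFRelease(item);
    return 0;
}
```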