Re: NSURLDownload and http proxy username/password

  • Subject: Re: NSURLDownload and http proxy username/password
  • From: "Quinn \"The Eskimo!\"" <email@hidden>
  • Date: Tue, 12 Jul 2011 15:34:48 +0100

On 5 Jul 2011, at 18:01, Elliott wrote:

> After messing with this stuff for a while, I do see that the http proxy username and password are stored in the login.keychain.  Is there a suggestion for accessing this as a root launchd daemon?

No.  It's not possible to access a user's keychain reliably from a daemon (there may be no user logged in, or multiple users logged in, or the user's keychain might be locked).

> I managed to get the username out of the keychain and was able to get the password out at least during one test, but now when I try to get the password out of the keychain via SecKeychainFindInternetPassword, I get -25308 which is "User interaction is not allowed."  I'm guessing this means that since I'm running as a daemon that I can't get the OS to bring up an authentication dialog.

That's correct, but it's more subtle than that.  A lot of the time you get this error not because the system is trying to unlock the keychain, but because the system is trying to confirm a change to your code's identity.  That is, the keychain item's ACL says that the item was created by code X, but you're code X+1, and the system is trying to confirm with the user that X+1 is equivalent to X.

> Is there a best way to do this as a daemon?

It's definitely possible to store items in the system keychain as a daemon.  Some gotchas:

o You must be running as root; a root process is always allowed to unlock the system keychain, so you shouldn't have a problem with locked keychains.

o You *really* want to sign your code.  This will allow the system to verify that version X+1 of your product is the same as version X, which will avoid user confirmation dialogs and the errors they cause.

o If the item is going to be accessed by multiple programs, you will need to set the ACL correctly.

o When working with keychains, make sure you specify the system keychain (kSecPreferencesDomainSystem).

S+E
--
Quinn "The Eskimo!"                    <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
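
The gotchas above as an added example, not code from the original post or from Apple: a root daemon opens the system keychain via kSecPreferencesDomainSystem, stores and reads back a generic password with the legacy SecKeychain API, and reports -25308 instead of waiting on a dialog. The service and account names and the sample secret are constructed for illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <unistd.h>
// Hypothetical service and account names, constructed for this example.
static const char kService[] = "com.example.proxyd";
static const char kAccount[] = "proxy-user";
#define SVC  (UInt32)strlen(kService), kService   // length, string argument pair
#define ACCT (UInt32)strlen(kAccount), kAccount

// Add the secret, or replace its data if the item already exists.
static OSStatus StoreSecret(SecKeychainRef kc, NSData *secret) {
    OSStatus err = SecKeychainAddGenericPassword(kc, SVC, ACCT,
        (UInt32)secret.length, secret.bytes, NULL);
    if (err != errSecDuplicateItem) return err;
    SecKeychainItemRef item = NULL;
    err = SecKeychainFindGenericPassword(kc, SVC, ACCT, NULL, NULL, &item);
    if (err != errSecSuccess) return err;
    err = SecKeychainItemModifyAttributesAndData(item, NULL, (UInt32)secret.length, secret.bytes);
    CFRelease(item);
    return err;
}

// Read the secret back; returns nil and sets *err on failure.
static NSData *ReadSecret(SecKeychainRef kc, OSStatus *err) {
    UInt32 len = 0; void *bytes = NULL;
    *err = SecKeychainFindGenericPassword(kc, SVC, ACCT, &len, &bytes, NULL);
    if (*err != errSecSuccess) return nil;
    NSData *secret = [NSData dataWithBytes:bytes length:len];
    SecKeychainItemFreeContent(NULL, bytes);  // release the buffer the keychain allocated
    return secret;
}

int main(void) {
    @autoreleasepool {
        if (geteuid() != 0) { NSLog(@"run as root to use the system keychain"); return 1; }
        // A daemon has no UI: make calls that would prompt fail with -25308 instead.
        SecKeychainSetUserInteractionAllowed(false);
        SecKeychainRef kc = NULL;
        OSStatus err = SecKeychainCopyDomainDefault(kSecPreferencesDomainSystem, &kc);
        if (err != errSecSuccess) { NSLog(@"open system keychain: %d", (int)err); return 1; }
        NSData *sample = [@"constructed-sample-secret" dataUsingEncoding:NSUTF8StringEncoding];
        err = StoreSecret(kc, sample);
        NSData *readBack = (err == errSecSuccess) ? ReadSecret(kc, &err) : nil;
        if (err == errSecInteractionNotAllowed) NSLog(@"-25308: a prompt was needed (locked keychain or changed code identity)");
        NSLog(@"status %d, round trip ok: %d", (int)err, (int)[readBack isEqualToData:sample]);
        CFRelease(kc);
        return err == errSecSuccess ? 0 : 1;
    }
}
```

Build with `clang -fobjc-arc -framework Foundation -framework Security` and run as root; the item is created with its default ACL, so sharing it between programs still needs the ACL work described above.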

