Why does updating a keychain item's password cause the application to be prompted for access again?

Time: 2018-07-05 19:38:08

Tags: macos security keychain

I am using macOS Keychain Services to store a generic password. The password should be usable, without any prompt, by an Apple application that is already on the system. I originally created it with code like this:

# $username, $password and $keychain are set earlier in the script
itemName="Some Item"
appPath="/Applications/Some Apple.app"
# create the item and trust the Apple app for it (-T)
security add-generic-password -a "$username" -s "$itemName" -w "$password" -T "$appPath" "$keychain"
# allow the apple: partition to use the item without prompting
security set-generic-password-partition-list -a "$username" -s "$itemName" -S apple: -k "$password" "$keychain"

This works fine, and the application can use it without prompting the user for permission.

However, if I later update this password, the user gets a prompt when the other app needs the password, even though the item's ACL has not changed!

For example, after running this code

import Foundation
import Security

private func updateAppPassword(user: String = NSUserName(), password: String) throws {
    // Look the item up by service name ("svce") and account ("acct"); generic
    // passwords use kSecAttrService, not kSecAttrServer (an internet-password key).
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: "Some Item",
        kSecAttrAccount: user
    ]
    let newInfo: [CFString: Any] = [
        kSecValueData: Data(password.utf8)
    ]
    let status = SecItemUpdate(query as CFDictionary, newInfo as CFDictionary)
    guard status == errSecSuccess else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
}

…the user has to grant permission when they launch the Apple application that uses the password.

This is not 100% surprising, since I did change the item, but I don't see why updating it should matter, especially since I kept the ACLs in place when I created the keychain item, and there was no prompt after the item was initially created!

Stranger still, both before and after I ran the code to update the password, I got the following from security dump-keychain -a on my test keychain:

keychain: "/Users/me/Library/Keychains/dev-test.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Some Item"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="vand065"
    "cdat"<timedate>=0x32303138303730353139303835385A00  "20180705190858Z\000"
    "crtr"<uint32>=<NULL>
    "cusi"<sint32>=<NULL>
    "desc"<blob>=<NULL>
    "gena"<blob>=<NULL>
    "icmt"<blob>=<NULL>
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303138303730353139313035305A00  "20180705191050Z\000"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="Some Item"
    "type"<uint32>=<NULL>
access: 5 entries
    entry 0:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        don't-require-password
        description: Some Item
        applications (1):
            0: /Applications/Some Apple.app (status -2147415734)
    entry 1:
        authorizations (1): encrypt
        don't-require-password
        description: Some Item
        applications: <null>
    entry 2:
        authorizations (1): integrity
        don't-require-password
        description: 53f29c48f37f1d8993800d34b13495e926a1e8f64121c2f7e7a6d23128d1bb73
        applications: <null>
    entry 3:
        authorizations (1): partition_id
        don't-require-password
        description: apple:
        applications: <null>
    entry 4:
        authorizations (1): change_acl
        don't-require-password
        description: Some Item
        applications (0):

That is, the password update does not appear to have changed anything in the keychain item or its ACL. So why must the user grant "/Applications/Some Apple.app" permission again before it can use the updated password?
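As an added diagnostic (my code, not the question's), the following Swift reads the item's ACL through the legacy keychain API and returns the same authorizations / description / applications triples that dump-keychain prints, so the entries can be compared programmatically before and after SecItemUpdate. The service name and account are the question's; the helper names are mine, and a file-based keychain is assumed.

```swift
import Foundation
import Security

// Added helper, not from the original post: map a non-success OSStatus to an error.
func check(_ status: OSStatus) throws {
    guard status == errSecSuccess else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
}

// Returns one line per ACL entry: "<authorizations> | <description> | <apps>".
func aclEntries(service: String, account: String) throws -> [String] {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,       // "svce" in the dump
        kSecAttrAccount: account,       // "acct" in the dump
        kSecReturnRef: true             // hand back the SecKeychainItem, not its data
    ]
    var ref: CFTypeRef?
    try check(SecItemCopyMatching(query as CFDictionary, &ref))
    let item = ref as! SecKeychainItem

    // SecAccess holds the ACL entries shown under "access:" in dump-keychain.
    var access: SecAccess?
    try check(SecKeychainItemCopyAccess(item, &access))
    var aclList: CFArray?
    try check(SecAccessCopyACLList(access!, &aclList))

    var lines: [String] = []
    for acl in (aclList as? [SecACL]) ?? [] {
        var apps: CFArray?
        var desc: CFString?
        var prompt = SecKeychainPromptSelector()
        try check(SecACLCopyContents(acl, &apps, &desc, &prompt))
        let auths = (SecACLCopyAuthorizations(acl) as? [String]) ?? []
        // Trusted applications are stored as their on-disk paths.
        let paths = ((apps as? [SecTrustedApplication]) ?? []).map { app -> String in
            var data: CFData?
            SecTrustedApplicationCopyData(app, &data)
            return String(data: (data as Data?) ?? Data(), encoding: .utf8) ?? "?"
        }
        let appText = apps == nil ? "<null>" : paths.joined(separator: ", ")
        lines.append("\(auths.joined(separator: " ")) | \((desc as String?) ?? "") | \(appText)")
    }
    return lines
}

// Usage: let before = try aclEntries(service: "Some Item", account: NSUserName())
// ... run updateAppPassword(...) ... then compare with aclEntries(...) again.
```

Comparing the two arrays element by element shows whether the update touched any entry (including the trusted-application list on the decrypt entry) or whether the prompt comes from something the ACL text does not expose.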

0 answers:

No answers