From c349353600120f79465fdcfaae581d5cd047416d Mon Sep 17 00:00:00 2001 From: Jamil Date: Tue, 14 Jan 2025 09:49:05 -0800 Subject: [PATCH] refactor(apple): Use `kSecUseDataProtectionKeychain` for token (#7756) This will force the macOS Keychain to behave like the iOS Keychain. To be honest, Apple's documentation is very much lacking in this regard, but some research suggests this is both heavily recommended by Apple and that it enables the Keychain operation to benefit from Apple's security hardware in their Macs. In my local testing, it also seems to make keychain operations more reliable when SIP is disabled, but that could be a fluke given the number of variables at play. https://developer.apple.com/documentation/security/ksecusedataprotectionkeychain Draft because stacked. --- .../FirezoneKit/Sources/FirezoneKit/Models/Token.swift | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/swift/apple/FirezoneKit/Sources/FirezoneKit/Models/Token.swift b/swift/apple/FirezoneKit/Sources/FirezoneKit/Models/Token.swift index b4d528098..e95aec3da 100644 --- a/swift/apple/FirezoneKit/Sources/FirezoneKit/Models/Token.swift +++ b/swift/apple/FirezoneKit/Sources/FirezoneKit/Models/Token.swift @@ -49,13 +49,17 @@ public struct Token: CustomStringConvertible { return try Keychain.update( query: query, - attributesToUpdate: [kSecValueData: data] + attributesToUpdate: [ + kSecValueData: data, + kSecUseDataProtectionKeychain: true + ] ) } let query = Token.query.merging([ kSecClass: kSecClassGenericPassword, - kSecValueData: data + kSecValueData: data, + kSecUseDataProtectionKeychain: true ]) { (_, new) in new } try Keychain.add(query: query)
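Review bot: In the `Keychain.update` hunk, `kSecUseDataProtectionKeychain: true` is added to `attributesToUpdate`, but this key controls which keychain a query operates on rather than describing an attribute of the stored item, so it belongs in `query` (the search side of `SecItemUpdate`), not in the dictionary of attributes to write; as placed, the update path still searches the legacy file-based keychain while the `Keychain.add` path writes the new item into the data protection keychain. Since the shared `Token.query` is not shown gaining the flag, consider adding `kSecUseDataProtectionKeychain: true` once in `Token.query` so add, update and delete all target the same store, and document in the commit message how tokens already stored in the legacy keychain are found or migrated, plus the signing/entitlement prerequisites (app identifier and keychain access group) the data protection keychain requires on macOS. The commit message also says "Draft because stacked" but the subject line is already `refactor(apple)`; worth clarifying whether this is ready for review.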