SecKeychainAddCallback(_:_:_:) along with Valet about valet HOT 4 CLOSED

@dfed @vamsig7 Just wanted to let you know I found a workaround to this issue and posted about it here: https://developer.apple.com/forums/thread/88888

I encountered this same issue today: callback function never fires if SecItemCopyMatching has been called, but fires fine if SecItemCopyMatching hasn't been called. I had success by removing the callback before calls to SecItemCopyMatching and then adding it back afterwards. Odd, but as far as workarounds go it's not the worst. Weirdly, it must be: remove callback, SecItemCopyMatching call, add back callback; SecItemCopyMatching call, remove callback, add back callback doesn't seem to work.

Edit: On second thought, the above at least works without kSecUseDataProtectionKeychain. I had unrelated issues when trying to test with kSecUseDataProtectionKeychain.

from valet.

Hi @vamsig7!

I haven't tried using this API before, so I don't know why this wouldn't be working for you.

I doubt we're doing something that's preventing these callbacks from being executed. I'm not sure how we would have managed to do that.

I'd warn you against using this API with Valet, since Valet uses locks to prevent simultaneous reads and writes from and to the keychain. These callbacks might be called from within the critical lock region, which depending on what you do in the callback could lead to a deadlock.

That said, the Discussion section of the documentation you linked does make it seem like notifications are triggered asynchronously, so maybe my warning isn't necessary.

In any case, it was never our intention to support this API — our intention was to build a library that enables folk who didn't want to dive into the details of keychain to easily store their data securely — and as such I am going to close this issue.

If you figure out what the issue is, please do let us know how you fixed it in a comment below 🙂

from valet.

Thanx for quick response as always 😍
I tried commenting each line cheking and I guess the issue is with
baseQuery[kSecUseDataProtectionKeychain as String] = true
line no: 64 in Valet/Sources/Valet/Internal/Service.swift , when I toggled it to false ,everything works as expected and callbacks are accurate

kSecUseDataProtectionKeychain .
Rather than issues with portability, does this attribute fix any security implications (or) What's the disadvantage of removing this flag?

Thank You

from valet.

Good sleuthing! It seems like the callback API only works the older implementation of the macOS keychain – that's unfortunate 😞

The reason for this key is outlined in #213 (comment): this key is required for utilizing the kSecAttrAccessGroup and kSecAttrAccessible fields, both of which we rely on for core functionality. I believe removing this key would result a bunch of unexpected behavior from Valet – accessibility fields would be ignored, and Valets with different identifiers would be able to read and write one another's values.

from valet.