Add SetUseDataProtectionKeychain for the data protection keychain #123
Open
alphaxdev wants to merge 1 commit into
go-keychain could only target the legacy file-based keychain on macOS, whose per-item ACLs can trigger "wants to use your keychain" prompts. macOS 10.15+ also exposes the data protection (iOS-style) keychain, opted into per call via kSecUseDataProtectionKeychain. The library had no way to set it: no setter, no exported key, and Item.attr is unexported.

Add Item.SetUseDataProtectionKeychain(bool) and the exported UseDataProtectionKeychainKey attribute key.

kSecUseDataProtectionKeychain is API_AVAILABLE(macos(10.15), ios(13.0)), below the README's stated minimums (macOS 10.9, iOS 8). Resolving the weak-imported symbol unconditionally at package init would pass NULL to CFStringToString and crash the whole package on older systems, so macOS resolves the key behind a __builtin_available guard and the setter is a no-op when it is unavailable. On iOS the data protection keychain is the only keychain, so the setter is a no-op there and never references the constant.

Add unit tests covering key resolution, the setter, and CFDictionary marshalling.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
931ab79 to 7cc7af4
Summary
go-keychain could only target the legacy file-based keychain on macOS, whose per-item ACLs can trigger "X wants to use your keychain" password prompts for apps not on the ACL. macOS 10.15+ also exposes the data protection keychain (the iOS-style keychain), where access is scoped by access group and entitlements instead. It is opted into per call via kSecUseDataProtectionKeychain, but the library exposed no way to set it — no setter, no exported key, and Item.attr is unexported.

This adds Item.SetUseDataProtectionKeychain(bool) and the exported UseDataProtectionKeychainKey attribute key.

Availability handling
kSecUseDataProtectionKeychain is API_AVAILABLE(macos(10.15), ios(13.0)) — below the README's stated minimums (macOS 10.9, iOS 8). Resolving the weak-imported symbol unconditionally at package init would pass NULL to CFStringToString and crash the entire package on older systems, even for callers not using the new API. To avoid that:
- macOS: __builtin_available(macOS 10.15, *) guard. On older systems it resolves empty and SetUseDataProtectionKeychain is a no-op.
- iOS: SetUseDataProtectionKeychain is a no-op that never references the constant, and UseDataProtectionKeychainKey is always empty.
The README's stated minimum OS versions are therefore unchanged.

Usage
The flag must be set consistently across add/query/update/delete for a given item — the two keychains are separate stores.

Tests
Adds keychain_test.go covering key resolution (including the availability branch), the setter, and the bool→CFBoolean marshalling path. These are hermetic — no real keychain writes, so no prompts. go build ./..., go vet ./..., and go vet -tags ios . all pass.

🤖 Generated with Claude Code