Don't import client certificates into Keychain on macOS. #2085
SecPKCS12Import is used to import a PKCS12 certificate on Darwin, generating a SecIdentityRef that can pass the certificate into Secure Transport.
On iOS, SecPKCS12Import never stores the imported certificate into the Keychain. However, on macOS this API will always store the imported certificate into the user's Keychain.
As this does not match iOS, and applications may not want to see their client certificate saved into the user's Keychain, the SecItemImport API can be used to obtain a SecIdentityRef without changing the Keychain.
SecItemImport is only available from 10.7 onwards; however, this code was already wrapped in a CURL_BUILD_MAC_10_7 test and on macOS the replacement API is available on the same systems that SecPKCS12Import was.
It's very strange that there was no Travis build for this PR! @refnum, would you mind for example rebasing this commit and force-pushing it to see if it can trigger a correct Travis build then? The Travis job builds and tests the PR with many different setups and helps make sure it is good!