29144482: macOS 10.12 Sierra doesn't respect keychain Access Control settings #16303

openradar-mirror opened this Issue Nov 7, 2016 · 1 comment



openradar-mirror commented Nov 7, 2016


This is a duplicate of rdar://28981392

When importing a private key into a keychain, applications that were explicitly whitelisted with the "-T" flag require additional authorization to use the imported key.

Steps to Reproduce:

  1. Use /usr/bin/security import key.p12 -T "/Applications/Google Chrome" -k ~/Library/Keychains/login.keychain to import a private key into the user's keychain, using the documented "-T" flag to allow Google Chrome to use the private key without further authorization
  2. Also import the matching certificate into the user's keychain, forming a valid identity
  3. Confirm that the identity is present in the user's keychain using Keychain and is valid
  4. Launch Google Chrome and navigate to a URL requiring the just imported client identity (cert + private key in Keychain)

Expected Results:
Google Chrome should use the client certificate and private key without further authorization requirements.

Actual Results:
Google Chrome (via SecurityAgent) asks whether the user wants to Allow, Always Allow or Deny accessing the private key from the identity in the user's keychain.

This issue does not exist prior to macOS 10.12 Sierra and in testing has been verified to not occur on either OS X 10.11 or 10.10.

It has been determined that by running security with the "set-key-partition-list" verb, which appears to be new in macOS 10.12, like so: security set-key-partition-list -l "Imported Private Key" -S teamid:EQHXZ8M8AV -s ~/Library/Keychains/login.keychain, a "second layer" ACL can be applied to whitelist all of Google Inc.'s applications via its Team ID (EQHXZ8M8AV). This requirement is not documented anywhere and is complicated by the fact that the "set-key-partition-list" verb requires the user's password, either interactively or as part of the command line invocation. This requirement makes the verb impossible to automate without compromising security by supplying a plaintext password as part of the automation.

Product Version: 10.12
Created: 2016-11-07T20:52:02.616480
Originated: 2016-11-07T00:00:00
Open Radar Link:
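As an added example (not part of the issue and not Apple's or Google's tooling): a script that automates the reporter's workaround in a throwaway keychain, so the password that set-key-partition-list forces onto the command line is random and short-lived rather than a stored plaintext secret. The keychain path, the .p12 location, the environment variables and the 30-minute lock timeout are assumptions.

```shell
# Added example: provision a client identity for Chrome on macOS 10.12+ in a
# throwaway keychain. Paths, names and environment variables are hypothetical.
set -eu

# Partition-list value for set-key-partition-list: "apple-tool:" and "apple:"
# keep the security CLI and Apple frameworks allowed, "teamid:" admits every
# application signed by that Team ID (Google's is EQHXZ8M8AV per the issue).
partition_list_for() {            # $1 = Team ID
    printf 'apple-tool:,apple:,teamid:%s' "$1"
}

# Create an ephemeral keychain with a random password. The password still has
# to be passed on the command line later (the issue's complaint), so keeping it
# random, unlogged and short-lived bounds that exposure.
create_temp_keychain() {          # $1 = keychain path; sets KC_PASSWORD
    KC_PASSWORD=$(head -c 24 /dev/urandom | base64)
    security create-keychain -p "$KC_PASSWORD" "$1"
    security unlock-keychain -p "$KC_PASSWORD" "$1"
    security set-keychain-settings -t 1800 "$1"          # auto-lock after 30 min
    security list-keychains -d user -s "$1" "$HOME/Library/Keychains/login.keychain"
}

# Import a PKCS#12 bundle (cert + private key). -T is the first-layer ACL
# (the app path); set-key-partition-list adds the second-layer ACL Sierra requires.
import_identity() {   # $1 keychain, $2 p12 file, $3 p12 passphrase, $4 app path, $5 Team ID
    security import "$2" -k "$1" -P "$3" -f pkcs12 -T "$4"
    security set-key-partition-list -S "$(partition_list_for "$5")" -s -k "$KC_PASSWORD" "$1"
    # Check: the identity must be present and valid for SSL client use
    security find-identity -v -p ssl-client "$1"
}

remove_temp_keychain() {          # $1 = keychain path; run when the job finishes
    security delete-keychain "$1"
}

# Usage: only runs when explicitly requested, so the definitions can be sourced.
if [ "${RUN_KEYCHAIN_SETUP:-0}" = 1 ]; then
    KC="$HOME/Library/Keychains/client-identity.keychain"
    create_temp_keychain "$KC"
    trap 'remove_temp_keychain "$KC"' EXIT
    import_identity "$KC" "$HOME/key.p12" "${P12_PASSPHRASE:?}" \
        "/Applications/Google Chrome.app" EQHXZ8M8AV
fi
```

Run with RUN_KEYCHAIN_SETUP=1 and P12_PASSPHRASE set in the environment; the keychain is deleted when the script exits, so the identity only exists for the life of the job.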

stephenquan Feb 15, 2017

I had a similar issue in our application, but, I found the security command needed was:

security set-key-partition-list -S apple-tool:,apple: -s -k $keychain_password $keychain
