
Client Cert authentication fails in macOS Ventura with munki.keychain #1163

Closed
rrenstrom opened this issue Oct 25, 2022 · 1 comment

@rrenstrom
Contributor

In macOS Ventura 13.0 (22A380), Munki can't find the client certificate to use for server authentication when the cert is stored in the munki.keychain (created from a certificate file on disk, using Munki preferences UseClientCertificate and ClientCertificatePath).

This shouldn't be a problem if the cert is delivered to devices via an MDM payload (CertificatePKCS12 or SCEP), which stores the cert in the System keychain, rather than the munki.keychain.

The munki.keychain is added to the keychain search list for the User domain, which worked on prior macOS versions, but Ventura isn't allowing Munki to access keychains in this domain.

This problem is only seen in launchd managedsoftwareupdate jobs (automatic hourly runs, or triggered by launchd from Managed Software Center). It works when managedsoftwareupdate is run from command line in Terminal, since that operates in the User domain context.

This failure appears in the ManagedSoftwareUpdate.log as the inability to retrieve files from the server repo (e.g. getting a manifest), or as 'Download error -999: cancelled', and with LoggingLevel set to 3, 'Could not list keychain certificates'. Munki may crash after this.

I've created PR #1162 to address this problem by adding munki.keychain to the Common domain keychain search list, rather than the User domain. The Common domain is for all users and the system.
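As an added diagnostic for the search-list problem described above (not Munki's own code, and not part of the issue), this script reports which keychain search-list domain lists munki.keychain, so an admin can confirm on a Ventura host whether the fix landed in the Common domain. The keychain path is an assumption (Munki keeps the keychain under ManagedInstallDir); adjust it for your configuration.

```shell
#!/bin/sh
# Added diagnostic for the keychain search-list problem described above.
# Not Munki's own code. The keychain path is an assumption: Munki stores
# munki.keychain under ManagedInstallDir, so adjust it for your configuration.
MUNKI_KEYCHAIN="${MUNKI_KEYCHAIN:-/Library/Managed Installs/munki.keychain}"

# `security list-keychains` prints one quoted, indented path per line, e.g.
#     "/Library/Keychains/System.keychain"
# Strip that decoration and report (exit 0/1) whether the keychain given as $1
# appears in the listing read from stdin.
keychain_listed() {
    sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//' | grep -Fqx -- "$1"
}

# Print the first search-list domain that includes keychain $1, or "none".
# The common domain is checked first because it is visible to all users and
# the system; a keychain present only in the user domain is the failure mode
# the issue describes. Requires macOS (/usr/bin/security).
find_domain() {
    for domain in common system user; do
        if security list-keychains -d "$domain" 2>/dev/null | keychain_listed "$1"; then
            echo "$domain"
            return 0
        fi
    done
    echo none
    return 1
}

# Only query the real keychain search lists on macOS.
if [ "$(uname)" = Darwin ]; then
    case "$(find_domain "$MUNKI_KEYCHAIN")" in
        common) echo "OK: $MUNKI_KEYCHAIN is in the common domain search list" ;;
        user)   echo "WARN: $MUNKI_KEYCHAIN is only in the user domain; launchd-run managedsoftwareupdate on Ventura will not find the client cert" ;;
        system) echo "NOTE: $MUNKI_KEYCHAIN is in the system domain search list" ;;
        *)      echo "WARN: $MUNKI_KEYCHAIN is in no keychain search list" ;;
    esac
fi
```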

@gregneagle
Contributor

The PR was merged to Munki6dev and will be in the next release of the Munki tools.
