-
-
Notifications
You must be signed in to change notification settings - Fork 13.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security.framework fails to access keychain on Darwin #15889
Comments
Apple has some of their own patches that they apply to OpenSSL and OpenSSH. I'm wondering if one of those being missing is causing the issue. Right now OpenSSL and OpenSSH are built from source but Apple provides some magic patches when they build them. iOpenSSL and iOpenSSH have some differences from their sources. Specifically this "Trust Evaluation Agent" that Apple has basically bypasses OpenSSL's builtin root certificates. And Apple uses this patch to get it to work. Could you try running the first two commands that worked before again but this time set "OPENSSL_X509_TEA_DISABLE" to 1? If they don't work now, then we at least know that we need to build in "TEA" support with Libsecurity. It's possible this has nothing to do with that but it's just my hunch that Apple's got some special stuff baked into its version of OpenSSL. |
@matthewbauer I tried On the other hand, seeing Nix-built binaries works when running The main difference between Nix-built, Nix-and-sudo and the native build I have found so far is that native build and Nix-and-sudo tries to access Interesting enough, in the syslog there is |
Are there any updates to this issue, please? |
Not much from my side. #38624 could be a potential fix but it cannot be implemented due to private key management issue. With Apple getting more and more restrictive I'm not sure if there's any way around this except linking against system |
Thank you for your contributions. This has been automatically marked as stale because it has had no activity for 180 days. If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity. Here are suggestions that might help resolve this more quickly:
|
Issue description
Security.framework that were installed inside Nix could not access the keychain and cause packages that relies on SecureTransport on Mac OS X to fail (e.g. aria2 #15029, go #10875) with errors such as
-9808
(errSSLBadCert) or-67674
(errSecMDSError).The attached reduce test cases (see steps to reproduce), when compile under non-Nix-ified environment,
DarwinSecurityHandshake
will attempt to make a SSL handshake to example.com:443 and print a message, andDarwinSecurityCerts
will read the certificate store and print the number of certs installed:Both files will fail when compile under
nix-shell -p darwin.apple_sdk.frameworks.Security -p clang
:However, it will pass when the Nix-compiled binaries are run under
root
:Steps to reproduce
nix-shell -p darwin.apple_sdk.frameworks.Security -p clang
and compile it.Technical details
The text was updated successfully, but these errors were encountered: