.NET sandboxed app on macOS does not see certificate in keychain imported by third party sandboxed app

[tsw-github]

Hello,
we have a dotnet application (.NET 10, C#14) that uses the SescureBlackbox libraries (v24.0.9470) to access the macOS (v26.2, M3) keychain. The application runs within the macOS platform in a sandbox, because we need it to communicate with the Safari web browser extension via App Groups, the application is not distributed via the App Store. We have currently noticed a problem that when a third-party application eToken (https://www.602.cz/e-token), which also runs in a sandbox and does not share an App Group or Keychain group with our application, issues a certificate and imports it into the keychain, our application does not see it. When we disable the sandbox for our application, we see the certificate fine. When we create a simple test application via XCode/Swift, it always sees the certificate in the keychain, whether it has sandbox enabled or not. Do you know what the problem could be? Thank you.

[vst121]

Hi,
What you’re seeing is expected behavior due to macOS sandboxing. When your .NET app runs in a sandbox, it can only access keychain items that belong to its own App Group or Keychain group. Certificates imported by a third-party app (like eToken) that isn’t in the same group won’t be visible.

When you disable the sandbox, your app can see all keychain items, which is why the certificate appears. The Swift/Xcode test app likely has broader entitlements or is not constrained in the same way, which is why it sees the certificate even in a sandbox.

This isn’t a bug with SecureBlackbox. It’s the expected macOS sandbox behavior. To access the certificate in a sandboxed app, it must be imported into a shared App Group or Keychain group that your app can access.