Suppress warnings for deprecated keychain APIs #77911

Merged
merged 1 commit into from
Nov 4, 2022

vcsjones
Member

@vcsjones vcsjones commented Nov 4, 2022

I updated to Xcode 14.1 (14B47b) and started getting many warnings for deprecated Keychain APIs. The documentation indicates most of the APIs have been deprecated for a while. I don't know why I just started getting deprecation warnings for them. For example: https://developer.apple.com/documentation/security/1393109-seckeychainsetsettings?language=objc

There may be APIs that replace these, but first I want to get it back to building.

Closes #77907

@ghost ghost added the area-System.Security label Nov 4, 2022
@ghost ghost assigned vcsjones Nov 4, 2022
@ghost

ghost commented Nov 4, 2022

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.


@marek-safar marek-safar added the os-mac-os-x macOS aka OSX label Nov 4, 2022
@akoeplinger
Member

> I don't know why I just started getting deprecation warnings for them.

I diffed the MacOSX.sdk included in Xcode 14.0 and 14.1 and it looks like they forgot to add the deprecation annotations for Mac before and fixed that now on all of the APIs:

-OSStatus SecKeychainItemCopyKeychain(SecKeychainItemRef itemRef, SecKeychainRef * __nonnull CF_RETURNS_RETAINED keychainRef) API_UNAVAILABLE(ios, watchos, tvos, bridgeos, iosmac);
+OSStatus SecKeychainItemCopyKeychain(SecKeychainItemRef itemRef, SecKeychainRef * __nonnull CF_RETURNS_RETAINED keychainRef)
+API_DEPRECATED("SecKeychain is deprecated", macos(10.2, 10.10))
+API_UNAVAILABLE(ios, watchos, tvos, macCatalyst);
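
Review bot: The added `API_DEPRECATED("SecKeychain is deprecated", macos(10.2, 10.10))` line names no replacement API, so the warning raised at each `SecKeychainItemCopyKeychain` call gives no migration target. Where the warning is silenced, scope the suppression to the individual SecKeychain call sites and leave a comment pointing at the follow-up work, so that deprecations of unrelated APIs in the same file still surface. The same hunk also changes the `API_UNAVAILABLE` list (`bridgeos` and `iosmac` removed, `macCatalyst` added), which is worth checking against any code that compiles conditionally for those platforms.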

@janvorli
Member

janvorli commented Nov 4, 2022

Are there non-deprecated variants of those APIs? It seems it would be preferred to use those instead of disabling the warning.

@vcsjones
Member Author

vcsjones commented Nov 4, 2022

@janvorli

> Are there non-deprecated variants of those APIs? It seems it would be preferred to use those instead of disabling the warning.

I started looking at this and... I don't think so unfortunately. Apple appears to be on the path of deprecating file-based keychains according to this thread. From about a year ago:

> The Keychain and SecKeychain APIs only talk to the file-based keychain. The SecItem API talks to either implementation. Specifically, it talks to the data protection keychain if you supply either the kSecUseDataProtectionKeychain or the kSecAttrSynchronizable attribute. If not, it talks to the file-based keychain.
> The file-based keychain is on the road to deprecation. It is not officially deprecated, but some of the APIs surrounding it are. For example, SecKeychainCreate was deprecated in macOS 12. Moreover, new features, like iCloud Keychain, are only supported by the data protection keychain.

And further explained in this thread

> this isn’t simply a case of specific keychain APIs being deprecated. Rather, the deprecation of the API is the first step along a path to deprecate the whole concept of the file-based keychain. The data protection keychain is the way forward here.

There would need to be significant development work to get us off of custom keychains. We can open a separate issue to track this.
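
The routing rule quoted in the comment above, sketched as an added Objective-C example (not code from dotnet/runtime or from the quoted threads). `StoreSecret`, the service and account strings, and the secret are constructed for illustration.

```objective-c
// Build: clang -fobjc-arc demo.m -framework Foundation -framework Security
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper (not a dotnet/runtime function): adds a generic
// password via SecItem; one attribute decides which keychain receives it.
static OSStatus StoreSecret(NSString *service, NSString *account,
                            NSData *secret, BOOL useDataProtection)
{
    NSMutableDictionary *item = [NSMutableDictionary dictionary];
    item[(__bridge id)kSecClass]       = (__bridge id)kSecClassGenericPassword;
    item[(__bridge id)kSecAttrService] = service;
    item[(__bridge id)kSecAttrAccount] = account;
    item[(__bridge id)kSecValueData]   = secret;
    if (useDataProtection) {
        // Routes the call to the data protection keychain (macOS 10.15+).
        item[(__bridge id)kSecUseDataProtectionKeychain] = @YES;
    }
    // Without that attribute (or kSecAttrSynchronizable) the same call
    // goes to the file-based keychain.
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}

int main(void)
{
    @autoreleasepool {
        // Constructed sample values.
        NSData *secret = [@"constructed-sample-secret"
                             dataUsingEncoding:NSUTF8StringEncoding];
        for (int pass = 0; pass < 2; pass++) {
            BOOL dp = (pass == 1);
            NSString *target = dp ? @"data protection" : @"file-based";
            OSStatus status = StoreSecret(@"com.example.demo", @"sample-user",
                                          secret, dp);
            if (status == errSecMissingEntitlement) {
                // The data protection keychain expects a signed process with a
                // keychain access entitlement; an unsigned command-line build
                // commonly gets this status.
                NSLog(@"%@ keychain: missing entitlement", target);
            } else if (status == errSecDuplicateItem) {
                NSLog(@"%@ keychain: item already exists", target);
            } else {
                NSString *msg = (__bridge_transfer NSString *)
                    SecCopyErrorMessageString(status, NULL);
                NSLog(@"%@ keychain: status %d (%@)", target, (int)status, msg);
            }
        }
    }
    return 0;
}
```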

@janvorli
Member

janvorli commented Nov 4, 2022

@vcsjones thank you for the details!

@vcsjones vcsjones merged commit 336177b into dotnet:main Nov 4, 2022
@vcsjones vcsjones deleted the fix-deprecated-functions branch November 4, 2022 20:53
@vcsjones
Member Author

vcsjones commented Nov 4, 2022

@akoeplinger @bartonjs I once again find myself wondering if this pull request should be backported? Or are release/7.0 and release/6.0 on a permanent version of Xcode tooling?

@akoeplinger
Member

Yes, we should backport it because we're using the AzDO hosted Mac pool, so whenever they bump the Xcode version this will break.

@vcsjones
Member Author

vcsjones commented Nov 4, 2022

/backport to release/7.0

@vcsjones
Member Author

vcsjones commented Nov 4, 2022

/backport to release/6.0

@github-actions
Contributor

github-actions bot commented Nov 4, 2022

Started backporting to release/7.0: https://github.com/dotnet/runtime/actions/runs/3397271626

@github-actions
Contributor

github-actions bot commented Nov 4, 2022

Started backporting to release/6.0: https://github.com/dotnet/runtime/actions/runs/3397272585

@github-actions
Contributor

github-actions bot commented Nov 4, 2022

@vcsjones backporting to release/6.0 failed, the patch most likely resulted in conflicts:

$ git am --3way --ignore-whitespace --keep-non-patch changes.patch

Applying: Suppress warnings for deprecated keychain APIs
Using index info to reconstruct a base tree...
A	src/native/libs/System.Security.Cryptography.Native.Apple/pal_keychain_macos.c
A	src/native/libs/System.Security.Cryptography.Native.Apple/pal_x509_macos.c
Falling back to patching base and 3-way merge...
Auto-merging src/libraries/Native/Unix/System.Security.Cryptography.Native.Apple/pal_keychain_macos.c
CONFLICT (content): Merge conflict in src/libraries/Native/Unix/System.Security.Cryptography.Native.Apple/pal_keychain_macos.c
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Suppress warnings for deprecated keychain APIs
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!

@github-actions
Contributor

github-actions bot commented Nov 4, 2022

@vcsjones an error occurred while backporting to release/6.0, please check the run log for details!

Error: git am failed, most likely due to a merge conflict.

@ghost ghost locked as resolved and limited conversation to collaborators Dec 5, 2022
Successfully merging this pull request may close these issues.

Runtime does not build with latest Xcode due to deprecated functions