How does macOS keychain ACL determine which apps have access?

你离开我真会死。 Submitted on 2020-06-17 09:39:31

Question


When an app saves an item to the keychain, macOS adds that app to the Access Control List so your app can access it later. If you try to access that item from a different app, macOS will show a system prompt asking the user if they want to allow access. This is documented here.

App Name wants to use your confidential information stored in "com.company.appname.key" in your keychain. To allow this, enter the "login" keychain password.

How does macOS know which apps have access? Is it by bundle id, signing certificates, location of the app on disk, something else?

In our app, we’re seeing this prompt unexpectedly when we try to access an entry we know only our app created so I’m trying to figure out why macOS thinks it's a different app. When I go view the item in Keychain Access it shows our app name listed in Access Control under "Always allow access by these applications" but the icon is a generic file, making me believe it thinks the new version of the app is not the same app. Note that I no longer have the old version installed.


Answer 1:


You can look at the code signing documentation.

Specifically, the section "Shipping and Updating Your Product", which has this to say (emphasis mine):

When you have qualified a new version of your product, sign it just as you signed the previous version, with the same identifier and the same designated requirement. The user’s system considers the new version of your product to be the same program as the previous version. For example, Keychain Services does not distinguish older and newer versions of your program as long as both are signed and the unique Identifier remains constant.
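
An added example, not part of the original answer or of Apple's documentation: a shell script that compares the designated requirement (DR) of two builds from the output of `codesign -d -r-`, since the quoted passage says the identifier and DR must stay the same across versions. The function names and the script name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the designated requirement (DR) of two builds.
# Input format assumed: the text printed by `codesign -d -r- <app>`.

# Print the DR expression from `codesign -d -r-` output read on stdin.
# An implicit DR is printed with a leading "# ", so accept both forms.
extract_dr() {
  sed -n 's/^#\{0,1\} *designated => //p' | head -n 1
}

# Print the signing identifier named in a DR expression (argument 1).
dr_identifier() {
  printf '%s\n' "$1" | sed -n 's/.*identifier "\([^"]*\)".*/\1/p'
}

# Return 0 when both builds carry the same DR, 1 when they differ,
# 2 when either side has no DR (unsigned build or unreadable output).
same_program() {
  old_dr=$(printf '%s\n' "$1" | extract_dr)
  new_dr=$(printf '%s\n' "$2" | extract_dr)
  if [ -z "$old_dr" ] || [ -z "$new_dr" ]; then
    echo "missing designated requirement" >&2
    return 2
  fi
  if [ "$old_dr" = "$new_dr" ]; then
    return 0
  fi
  echo "old identifier: $(dr_identifier "$old_dr")" >&2
  echo "new identifier: $(dr_identifier "$new_dr")" >&2
  echo "old DR: $old_dr" >&2
  echo "new DR: $new_dr" >&2
  return 1
}

# Usage on macOS (hypothetical script name): ./compare_dr.sh Old.app New.app
if [ "$#" -eq 2 ]; then
  old_out=$(codesign -d -r- "$1" 2>/dev/null)
  new_out=$(codesign -d -r- "$2" 2>/dev/null)
  if same_program "$old_out" "$new_out"; then
    echo "same designated requirement"
  else
    echo "builds differ or are unsigned"
  fi
fi
```

A differing identifier or DR between the build that created the keychain item and the build now reading it is consistent with the prompt described in the question.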



Source: https://stackoverflow.com/questions/58290058/how-does-macos-keychain-acl-determine-which-apps-have-access
