I am trying to use Firebase’s Remote Config in the context of an Authorization Plugin. I’m doing this in order to implement feature flag support in our Auth Plugin. When I try to fetch remote Firebase settings, I get a -34018 indicating that there is an error with access to the keychain on the Mac.
Based on https://forums.developer.apple.com/forums/thread/114456, I have an entitlement problem. It’s my impression that it is not possible to grant entitlements to an Authorization Plugin, so I’m wondering if this kind of keychain access that Firebase requires is simply not possible. Or, if perhaps there is something I can do with entitlements to get this to work?
Working with macOS 13.6.2, Xcode 15.1
> It’s my impression that it is not possible to grant entitlements to an Authorization Plugin
Correct. Your plug-in is hosted within a system process and it’s the entitlements associated with that process that hold sway.
> so I’m wondering if this kind of keychain access that Firebase requires is simply not possible.
Right.
It’s not uncommon to encounter problems like this when building an authorisation plug-in. Standard practice is to move the problematic code to a launchd daemon, and then have your authorisation plug-in use XPC to request that the daemon perform some operation on its behalf. However, this won’t work for the data protection keychain because the data protection keychain is not available outside of the standard GUI login context. That fact is documented in TN3137 On Mac keychain APIs and implementations.
My advice is that you work with this library’s vendor to see if you can configure (or adapt) it to work in a daemon context.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"