Hi everyone, I'm developing a C++ plugin (.bundle) for a third-party host application (Autodesk Maya) on macOS, and I'm finalizing the design for our licensing system. The plugin is distributed outside the Mac App Store. My goal is to securely store a license key in the user's Keychain. After some research, my proposed implementation is as follows:
- On activation, store the license data in the user's login keychain as a Generic Password (kSecClassGenericPassword) using the SecItem APIs.
- To ensure the plugin can access the item when loaded by Maya, I will use a specific Keychain Access Group (e.g., MY_TEAM_ID.com.mywebsite).
- The final .bundle will be code-signed with our company's Developer ID certificate.
- The signature will include an entitlements file (.entitlements) that specifies the matching keychain-access-groups permission.
My understanding is that this combination of a unique Keychain Access Group and a properly signed/entitled bundle is the key to getting reliable Keychain access. This should also correctly trigger the one-time user permission prompt on first use. Does this sound like the correct and most robust approach for this scenario? Are there any common pitfalls with a plugin's Keychain access from within a host app that I should be aware of? Thanks for any feedback!
I suspect that the approach you’ve outlined won’t work. My understanding is that you’re building an in-process plug-in, that is, your plug-in’s code is loaded and executed within the host app. If so, you won’t be able to use a keychain access group because access to those is gated by entitlements, and you can’t change the entitlements of your host app.
Fortunately there’s an easy way around this: Use the file-based keychain rather than the data protection keychain. See TN3137 On Mac keychain APIs and implementations for more background on that topic.
ps I also recommend that you have a read of
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
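What the reply above amounts to in code, as an added example that is not part of the thread and not code from Apple or the original poster: an in-process plug-in storing and reading a license string through the SecItem API without `kSecAttrAccessGroup` and without `kSecUseDataProtectionKeychain`, so the call lands in the file-based login keychain instead of the entitlement-gated data protection keychain. The service and account names, the `.mm` file name and the build line are assumptions; the code uses only the Security and CoreFoundation C APIs, so it is equally valid plain C++.

```objective-c++
// keychain_license.mm (assumed name). Build on macOS, outside the verifier:
//   clang++ -std=c++17 keychain_license.mm -framework Security -framework CoreFoundation
#include <CoreFoundation/CoreFoundation.h>
#include <Security/Security.h>
#include <optional>
#include <string>

namespace {

// Hypothetical identifiers for this example; choose your own.
const char *kServiceName = "com.example.mayaplugin.license";
const char *kAccountName = "license";

CFStringRef MakeCFString(const char *s) {
    return CFStringCreateWithCString(kCFAllocatorDefault, s, kCFStringEncodingUTF8);
}

// Query that identifies our generic-password item. Deliberately NO
// kSecAttrAccessGroup and NO kSecUseDataProtectionKeychain: either would route
// the call to the data protection keychain, which requires entitlements that
// the host process (Maya) does not carry, so the call would fail with
// errSecMissingEntitlement (-34018). Leaving both out selects the file-based
// login keychain, which needs no entitlement.
CFMutableDictionaryRef MakeBaseQuery() {
    CFMutableDictionaryRef q = CFDictionaryCreateMutable(
        kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
    CFStringRef service = MakeCFString(kServiceName);
    CFStringRef account = MakeCFString(kAccountName);
    CFDictionarySetValue(q, kSecClass, kSecClassGenericPassword);
    CFDictionarySetValue(q, kSecAttrService, service);
    CFDictionarySetValue(q, kSecAttrAccount, account);
    CFRelease(service);
    CFRelease(account);
    return q;
}

}  // namespace

// Store (or overwrite) the license string. Returns errSecSuccess on success.
OSStatus StoreLicense(const std::string &license) {
    CFMutableDictionaryRef q = MakeBaseQuery();
    CFDataRef data = CFDataCreate(kCFAllocatorDefault,
                                  reinterpret_cast<const UInt8 *>(license.data()),
                                  static_cast<CFIndex>(license.size()));
    CFDictionarySetValue(q, kSecValueData, data);
    OSStatus status = SecItemAdd(q, nullptr);
    if (status == errSecDuplicateItem) {
        // Item exists from an earlier activation: update its secret instead.
        CFDictionaryRemoveValue(q, kSecValueData);
        CFMutableDictionaryRef attrs = CFDictionaryCreateMutable(
            kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
        CFDictionarySetValue(attrs, kSecValueData, data);
        status = SecItemUpdate(q, attrs);
        CFRelease(attrs);
    }
    CFRelease(data);
    CFRelease(q);
    return status;
}

// Read the license string back; std::nullopt if absent or on any error.
std::optional<std::string> LoadLicense() {
    CFMutableDictionaryRef q = MakeBaseQuery();
    CFDictionarySetValue(q, kSecReturnData, kCFBooleanTrue);
    CFDictionarySetValue(q, kSecMatchLimit, kSecMatchLimitOne);
    CFTypeRef result = nullptr;
    OSStatus status = SecItemCopyMatching(q, &result);
    CFRelease(q);
    if (status != errSecSuccess || result == nullptr) {
        return std::nullopt;  // errSecItemNotFound is the common case here
    }
    CFDataRef data = static_cast<CFDataRef>(result);
    std::string out(reinterpret_cast<const char *>(CFDataGetBytePtr(data)),
                    static_cast<size_t>(CFDataGetLength(data)));
    CFRelease(result);
    return out;
}

// Minimal stand-alone check; a real plug-in would call these from its activation code.
int main() {
    if (StoreLicense("EXAMPLE-LICENSE-0000") != errSecSuccess) return 1;
    std::optional<std::string> got = LoadLicense();
    return (got && *got == "EXAMPLE-LICENSE-0000") ? 0 : 1;
}
```

Two design points follow from the file-based keychain's model. Its per-item access control is keyed on the code identity of the process making the call, and inside Maya that process is Maya, not your bundle, so the item is readable by anything else running in that process; treat the stored key as protected from casual inspection rather than from a determined user. And because the item is tied to the host's identity, a future re-signed or differently signed host build may trigger the keychain's "allow access" prompt once, which is the prompt the original post was expecting to see.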