Rust binding for macOS Keychain Services, including TouchID-guarded access to cryptographic keys stored in the Secure Enclave Processor (SEP).
This binding aims to provide a thin wrapper using largely the same type names as Keychain Services itself, but also provide a safe, mostly idiomatic API which does not rely on e.g. Core Foundation types.
NOTE: This is an unofficial binding which is in no way affiliated with Apple!
This crate is experimental and may have bugs/memory safety issues. USE AT YOUR OWN RISK!
Below is a rough outline of the Keychain Service API and what is supported by this crate:
This crate has two suites of tests:
cargo test- run a minimal set of tests (e.g. in CI) that work everywhere, but don’t cover all functionality.
cargo test --features=interactive-tests --no-runcompile tests which require user interactions, and additionally must be signed by macOS’s code signing in order to work. See code signing notes.
The Keychain Service API requires signed code to access much of its
functionality. Accessing many APIs from an unsigned app will return
Follow the instructions here to create a self-signed code signing certificate: https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html
You will need to use the codesign command-line utility (or XCode) to sign your code before it will be able to access most Keychain Services API functionality.
Licensed under either of
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you shall be dual licensed as above, without any additional terms or conditions.