1

I have a command-line process which calls an API and fetches tokens from the keychain. When I run this process standalone, with or without sudo, from the terminal, it is able to access the keychain entries. Now I have converted it into a launch daemon, and when I try to execute it as a launch daemon it is not able to access the token and gives me the error "Failed to read stored item from keychain (status: -25308)". I am using the below plist for creating the launch daemon.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>TestAuth_SilentDaemon</string>
    <key>Program</key>
    <string>*complete path of TestAuth_SilentDaemon*</string>
    <key>KeepAlive</key>
    <true/>
    <key>SessionCreate</key>
    <true/>
    <key>UserName</key>
    <string>admin</string>
</dict>
</plist>

Can someone please suggest what I am missing here?

1 Answer

1

It seems like it could be connected to errSecInteractionNotAllowed. Error -25308 is errSecInteractionNotAllowed. This usually means that you're trying to access a keychain item that's not accessible while the device is locked.

It's mostly described as an iOS issue, but the MS docs also say that:

On macOS 10.15+, MSAL's behavior is the same between iOS and macOS. MSAL uses keychain access groups for keychain sharing.

Check out that answer: https://stackoverflow.com/a/9735506/1595293

Based on the post:

Luke Duda
  • Actually what I am trying here is to get access to login keychain items from the launch daemon, which is running with sudo. The daemon is trying to look into the System keychain and is giving me the error "Keychain item not found: 25300". – Vinod Singh Jul 30 '20 at 13:56
  • So later on I tried to impersonate the currently logged-in user using "su user_name" and tried to run the daemon without sudo. In that case I got this error: "User interaction not allowed: 25308". Now I was surprised that it couldn't access the keychain items after impersonation. Ideally the same thing is happening when I run my process standalone from the terminal directly, and it is able to access login keychain items. – Vinod Singh Jul 30 '20 at 13:56
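The two status codes that come up in the answer and the comments (-25300 and -25308), handled explicitly in a Security.framework lookup so a daemon logs which launchd context problem it has instead of a bare number; this is an added example, not code from the question, the answer or MSAL. The service and account names are constructed, and the remediation hints in the comments reflect the general LaunchAgent-versus-LaunchDaemon distinction, not anything verified against the asker's setup.

```swift
import Foundation
import Security

// Outcome of a keychain lookup, with a diagnosis an operator can act on.
enum KeychainLookup {
    case found(Data)
    case notFound               // errSecItemNotFound (-25300)
    case interactionNotAllowed  // errSecInteractionNotAllowed (-25308)
    case other(OSStatus)
}

/// Reads a generic-password item from the keychains in this process's
/// search list. Which keychains are in that list depends on how launchd
/// started the process: a LaunchAgent (~/Library/LaunchAgents) runs inside
/// the user's login session and sees the unlocked login keychain, whereas a
/// LaunchDaemon runs in the system context with no UI session, even with
/// UserName set, so a login-keychain item that needs an unlock or
/// access-control prompt comes back as -25308 rather than as data.
func readToken(service: String, account: String) -> KeychainLookup {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:                return .found(result as! Data)
    case errSecItemNotFound:           return .notFound
    case errSecInteractionNotAllowed:  return .interactionNotAllowed
    default:                           return .other(status)
    }
}

// Constructed service/account names, not values from the original post.
switch readToken(service: "com.example.testauth", account: "api-token") {
case .found(let data):
    print("token read, \(data.count) bytes")
case .notFound:
    // -25300: the item is not in any keychain this context searches
    // (e.g. a root daemon looking in the System keychain for a login item).
    print("item not found in this context's keychain search list (-25300)")
case .interactionNotAllowed:
    // -25308: a prompt would be needed but there is no UI session. Either
    // run as a LaunchAgent in the user session, or keep the secret in the
    // System keychain with an ACL that trusts this daemon's binary.
    print("keychain needs user interaction (-25308): no UI session available")
case .other(let s):
    let msg = SecCopyErrorMessageString(s, nil) as String? ?? "unknown"
    print("keychain error \(s): \(msg)")
}
```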