Merge pull request #874 from smallstep/josh/mackms-key-after-first-unlock

joshdrake · web-flow · commit db83c7ccbf93 · 2025-10-14T15:26:30.000-05:00
Use 'AfterFirstUnlock' for access control of SE keys.
diff --git a/kms/mackms/mackms.go b/kms/mackms/mackms.go
@@ -261,7 +261,7 @@ func (k *MacKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyRespons
 			flags |= security.KSecAccessControlBiometryCurrentSet
 		}
 		access, err := security.SecAccessControlCreateWithFlags(
-			security.KSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+			security.KSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
 			flags,
 		)
 		if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -261,7 +261,7 @@ func (k MacKMS) CreateKey(req apiv1.CreateKeyRequest) (*apiv1.CreateKeyRespons`
`261`	`261`	`flags \|= security.KSecAccessControlBiometryCurrentSet`
`262`	`262`	`}`
`263`	`263`	`access, err := security.SecAccessControlCreateWithFlags(`
`264`		`- security.KSecAttrAccessibleWhenUnlockedThisDeviceOnly,`
	`264`	`+ security.KSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,`
`265`	`265`	`flags,`
`266`	`266`	`)`
`267`	`267`	`if err != nil {`