| 18 Nov 2025 |
 K900 | OK that's above my pay grade | 15:53:27 |
 WeetHet | It's not even an impurity since FODs still have a hash to verify that the output doesn't change | 15:53:59 |
| WeetHet | Why does it matter if they have access to the system Keychain | 15:54:09 |
| WeetHet | Minimized patch just adds (allow mach-lookup (global-name "com.apple.SecurityServer")) | 15:54:43 |
| WeetHet | Which should be fine TM | 15:54:52 |
 Randy Eckenrode | So, e.g., on Debian it would copy from wherever Debian keeps its certs? | 18:13:15 |
| K900 | Yes | 18:13:32 |
| Randy Eckenrode | Yes. Things that access Keychain will get different certs than those that don’t. | 18:13:43 |
| Randy Eckenrode | If Nix on Linux copies from the system, so should Nix on Darwin. | 18:14:18 |
| WeetHet | You can't copy those you need to give access to the security server | 18:14:54 |
| Randy Eckenrode | But copy not punch a hole in the sandbox. The reason being that not every application uses or can use the system API. | 18:15:07 |
| Randy Eckenrode | The daemon or whatever sets up the build can’t do it? | 18:15:30 |
| WeetHet | FOD sandbox already allows access to trustd | 18:16:45 |
| WeetHet | Again, it's the FOD sandbox we already allow network access | 18:17:00 |
| WeetHet | How much more impure do you want it to be | 18:17:09 |
| WeetHet | It would be entirely different if we were talking about the non-FOD sandbox | 18:17:41 |
| Randy Eckenrode | I actually am. | 18:17:54 |
| Randy Eckenrode | Because MDM breakage is a recurring issue. | 18:18:07 |
| WeetHet | You can't fix stuff using system tls in any other way other than allowing to access the service | 18:19:05 |
| WeetHet | The different option is to patch all of it to not use the system keychain at all | 18:19:21 |
| WeetHet | IF it can be patched at all | 18:19:33 |
| WeetHet | macOS comes with an assumption that there is a system keychain with TLS certificates | 18:19:56 |
 Katalin 🔪 | can you shim the keychain API? | 18:20:01 |
| WeetHet | Do you really think Apple would allow you to impersonate a system service? | 18:20:33 |
| WeetHet | That would be a giant security hole | 18:20:43 |
| Katalin 🔪 | hm, fair | 18:20:59 |
| WeetHet | We already allow access to trustd anyways | 18:21:21 |
| WeetHet | I would like there to be some sandbox for FODs as relaxed just disables it | 18:23:24 |
| WeetHet | If apps would need to be patched/worked around to work with native tls I'm not sure people would accept this as a valid tradeoff | 18:23:56 |
| Randy Eckenrode | It also assumes we are using Xcode. Should we give up on the whole endeavor? | 18:30:17 |
