Dealing with macOS Keychain Popups

Passenger 5.1.0 and 5.1.1 have a bug when used with the system Apache on macOS: the client certificate is incorrectly added to the "Certificates" category of the System keychain instead of the "My Certificates" category of your personal (login) keychain. This has been addressed in 5.1.2 by providing the Apache user with a private keychain while Passenger is running.

Why is Passenger accessing my Keychain?

Passenger 5.1 and later include a security update check, which periodically contacts Phusion's server to check whether an update is available and whether that update contains security fixes. One of the mechanisms Phusion employs to protect this system is to require certificates on both sides: Passenger verifies the server's certificate, and the server requires Passenger to present a client certificate. The client side is implemented using libcurl, which on macOS (Mavericks or later) is backed by the macOS Security framework through a small shim in libcurl called darwinssl.

One peculiarity of the macOS Security framework is that many of its functions import certificates into the Keychain, or default to using a certificate already in the Keychain if one exists. One such function is used by the darwinssl shim in libcurl when loading a client certificate. Unfortunately, the darwinssl shim does not grant libcurl access rights to the certificate's private key when it loads the certificate, so without further work the Keychain would show a popup asking for permission to use the private key every time Passenger tried to contact the update check server. We have taken the following steps to prevent this popup from happening:

  • Passenger prepares an access rights object to allow itself to use a certificate that it loads.
  • Passenger uses said access rights object while loading the client certificate manually before libcurl has a chance to.
  • Loading the client certificate in this way adds it to the keychain with Passenger authorized to use it.
  • Passenger then calls libcurl to load the client certificate, which is automatically provided from the Keychain, with the correct access rights.
  • Passenger makes the https call to the update check server.
  • Passenger then removes the client certificate from the Keychain. (For more details on why this is necessary you can read this blog post).

macOS Keychain popups

If you are seeing a Keychain popup mentioning Passenger, or you see a message in your logs mentioning a certificate or popups, then it is likely that the client certificate was not correctly removed from your keychain after an update check. In this case the following procedure should rectify the problem:

  • Stop Passenger
  • Open Keychain Access.app
  • Choose the "login" keychain in the sidebar
  • Choose the "My Certificates" category in the sidebar
  • Search for Passenger
  • Open the disclosure triangle next to any certificate labeled with Passenger
  • Click the private key in the certificate
  • Delete the private key
  • Repeat for any remaining certificates
  • Start Passenger and check for popup
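The same cleanup can be done from a terminal with macOS's `security` command-line tool instead of Keychain Access.app. The script below is an added example and is not part of Passenger or Phusion's documentation. It assumes, as the manual procedure above does, that the leftover certificate's keychain label contains the string "Passenger", and that the personal keychain lives at the default path `~/Library/Keychains/login.keychain-db`. It parses the output of `security find-certificate -a -Z` to collect the SHA-1 hash of every matching certificate, then removes each one with `security delete-identity -Z`, which deletes the certificate together with its private key (the private key is what the manual procedure deletes; the orphaned certificate goes with it). Stop Passenger before running it with `--delete`; without that flag it only runs the parser over a constructed sample so you can see which hashes would be selected.

```shell
#!/bin/bash
# Added example, not Phusion's code: remove leftover Passenger client-certificate
# identities from the login keychain using the macOS `security` CLI.
set -eu

# Parse `security find-certificate -a -Z <keychain>` output on stdin and print
# the SHA-1 hash of every certificate whose label ("labl" attribute) contains
# the given string.  Each item in that output starts with a "SHA-1 hash:" line
# (newer macOS versions print a "SHA-256 hash:" line just before it) followed
# by the item's attributes, so a new "SHA-1 hash:" line closes the previous item.
# Assumption: Passenger's leftover certificate is labeled with "Passenger".
passenger_cert_hashes() {
  local needle="${1:-Passenger}"
  awk -v needle="$needle" '
    /^SHA-1 hash:/ { if (sha1 != "" && hit) print sha1; sha1 = $3; hit = 0; next }
    /"labl"<blob>=/ && index($0, needle) { hit = 1 }
    END { if (sha1 != "" && hit) print sha1 }
  '
}

# Delete every matching identity (certificate plus private key) by hash.
# The keychain is passed explicitly so nothing in the System keychain is touched.
delete_passenger_identities() {
  local keychain="${1:-$HOME/Library/Keychains/login.keychain-db}"
  local hash
  security find-certificate -a -Z "$keychain" \
    | passenger_cert_hashes Passenger \
    | while read -r hash; do
        echo "deleting identity $hash from $keychain"
        security delete-identity -Z "$hash" "$keychain"
      done
}

# Constructed sample of `security find-certificate -a -Z` output: two items,
# of which only the second is Passenger's.  Hashes and labels are made up.
SAMPLE_OUTPUT='SHA-1 hash: 0A1B2C3D4E5F60718293A4B5C6D7E8F901234567
keychain: "/Users/me/Library/Keychains/login.keychain-db"
version: 256
class: 0x80001000 
attributes:
    "alis"<blob>="com.example.other"
    "labl"<blob>="com.example.other"
SHA-1 hash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF
keychain: "/Users/me/Library/Keychains/login.keychain-db"
version: 256
class: 0x80001000 
attributes:
    "alis"<blob>="Passenger client certificate"
    "labl"<blob>="Passenger client certificate"'

if [ "$(uname)" = Darwin ] && [ "${1:-}" = "--delete" ]; then
  # Real run: stop Passenger first, then ./cleanup-passenger-keychain.sh --delete
  delete_passenger_identities
else
  # Dry run on the constructed sample: prints the hash that would be deleted.
  printf '%s\n' "$SAMPLE_OUTPUT" | passenger_cert_hashes Passenger
fi
```

Run it once without `--delete` to confirm the parser selects only the Passenger certificate, then stop Passenger, run it with `--delete`, and start Passenger again to check that the popup is gone.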

If after following this procedure you still see Keychain popups, please contact Phusion support and we will be happy to help you.