Use 'AfterFirstUnlock' for access control of SE keys.

joshdrake · joshdrake · commit f1da582433b0 · 2025-10-14T15:02:42.000-05:00
diff --git a/kms/mackms/mackms.go b/kms/mackms/mackms.go
@@ -261,7 +261,7 @@ func (k *MacKMS) CreateKey(req *apiv1.CreateKeyRequest) (*apiv1.CreateKeyRespons
 			flags |= security.KSecAccessControlBiometryCurrentSet
 		}
 		access, err := security.SecAccessControlCreateWithFlags(
-			security.KSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+			security.KSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
 			flags,
 		)
 		if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -261,7 +261,7 @@ func (k MacKMS) CreateKey(req apiv1.CreateKeyRequest) (*apiv1.CreateKeyRespons`
`261`	`261`	`flags \|= security.KSecAccessControlBiometryCurrentSet`
`262`	`262`	`}`
`263`	`263`	`access, err := security.SecAccessControlCreateWithFlags(`
`264`		`- security.KSecAttrAccessibleWhenUnlockedThisDeviceOnly,`
	`264`	`+ security.KSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,`
`265`	`265`	`flags,`
`266`	`266`	`)`
`267`	`267`	`if err != nil {`