Hacker News
by delinka 3181 days ago
Yes. It's not "access to the keychain" but "access to this item" and it's a simple "the binary $NAME with $DIGEST has permission to access this item."

Technically, if you can create another executable binary with the same name and digest, you can access the same keychain item.


Nope. Keychain checks the code signature of the app.

Finding that hard to believe if the binary isn't code-signed.

You are right, I initially misread your comment; I thought it said that Keychain only checks the app name.

The security framework uses some kind of digest / signature to verify that the app hasn't changed if the binary is not code signed. Apple's docs are scarce on details, see e.g. [1], which just says that the security framework makes sure the app wasn't altered.

But I am pretty sure the app name is ignored. Most macOS services use the bundle identifier.

However, if the app is code signed, the security framework automatically grants newer versions of the app permission if they have been signed with the same certificate.

[1]: https://developer.apple.com/documentation/security/1400622-s...
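The two identification modes the thread describes (an unsigned binary recognised by a digest of its contents, a signed one recognised by bundle identifier plus signing certificate, with the file name playing no part) are easier to reason about with a small decision model. The Python below is an added, constructed illustration written for this page, not Apple's Security framework code: the real hashing of unsigned binaries is undocumented, and the real signed-app check is a full code-signing requirement evaluation, so the `App`, `AclEntry`, `grant` and `allowed` names, the SHA-256 digest, the certificate labels and the sample build bytes are all assumptions made here to show the behaviour the comments discuss (rebuilt unsigned app loses access, same-certificate update keeps it, renaming alone changes nothing).

```python
"""Toy model of how a keychain item's ACL can identify a client app.

Constructed illustration, not Apple's implementation.  Assumptions:
  * an unsigned app is remembered by a digest of its binary contents, so
    any rebuild that changes the bytes stops matching;
  * a signed app is remembered by bundle identifier + signing certificate,
    so a newer build signed with the same certificate still matches;
  * the executable's file name is ignored by both checks.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class App:
    name: str                   # file name on disk (not consulted by the ACL)
    bundle_id: str              # e.g. com.example.myapp (hypothetical value)
    binary: bytes               # executable contents (constructed sample bytes)
    cert: Optional[str] = None  # signing certificate label; None means unsigned


@dataclass(frozen=True)
class AclEntry:
    """What the keychain item remembers about the app it granted access to."""
    kind: str            # "digest" (unsigned app) or "signature" (signed app)
    value: Tuple[str, ...]


def content_digest(binary: bytes) -> str:
    # SHA-256 stands in for whatever undocumented digest the framework uses.
    return hashlib.sha256(binary).hexdigest()


def grant(app: App) -> AclEntry:
    """Record the requesting app in the item's ACL, unsigned or signed style."""
    if app.cert is None:
        return AclEntry("digest", (content_digest(app.binary),))
    return AclEntry("signature", (app.bundle_id, app.cert))


def allowed(entry: AclEntry, app: App) -> bool:
    """Decide whether `app` matches the ACL entry; the file name never matters."""
    if entry.kind == "digest":
        return entry.value == (content_digest(app.binary),)
    return app.cert is not None and entry.value == (app.bundle_id, app.cert)


def demo() -> dict:
    """Walk through the scenarios raised in the thread (all inputs constructed)."""
    bid = "com.example.myapp"
    unsigned_v1 = App("MyApp", bid, b"constructed unsigned build 1")
    unsigned_v2 = App("MyApp", bid, b"constructed unsigned build 2")   # rebuilt, same name
    renamed_v1 = App("OtherName", bid, unsigned_v1.binary)             # same bytes, new name
    signed_v1 = App("MyApp", bid, b"constructed signed build 1", cert="CERT-A")
    signed_v2 = App("MyApp", bid, b"constructed signed build 2", cert="CERT-A")  # update
    signed_other = App("MyApp", bid, b"constructed signed build 3", cert="CERT-B")

    entry_unsigned = grant(unsigned_v1)
    entry_signed = grant(signed_v1)
    return {
        "unsigned_same_build": allowed(entry_unsigned, unsigned_v1),        # True
        "unsigned_rebuilt_same_name": allowed(entry_unsigned, unsigned_v2),  # False
        "unsigned_renamed_same_bytes": allowed(entry_unsigned, renamed_v1),  # True
        "signed_update_same_cert": allowed(entry_signed, signed_v2),         # True
        "signed_update_other_cert": allowed(entry_signed, signed_other),     # False
        "signed_entry_vs_unsigned_app": allowed(entry_signed, unsigned_v1),  # False
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:32s} -> {'allowed' if ok else 'denied'}")
```

The practical consequence the model makes visible is the one the thread implies: an unsigned tool that reads a keychain item will be prompted again after every rebuild, while a signed app only has to keep the same bundle identifier and certificate across updates, which is why signing is the defender-friendly choice for anything that needs durable, non-interactive keychain access.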