[ghusto]

> the keystore database records the code signing identity of each app that creates an entry, and any other app that tries to access those credentials will trigger a permission check by the OS

Except for the CLI, which had full access to the keychain.

[mike_hearn]

No, CLI apps also trigger access checks. Like I said, try it in your terminal using "ls". You'll find that trying to access a sandboxed container triggers a permission check.