Hi there! I have a macOS 10.15 non-sanboxed, hardened-runtime app without the Keychain Sharing entitlement enabled.

I have a very simple valet setup

let valet = Valet.valet(with: Identifier(nonEmpty: Bundle.main.bundleIdentifier!)!, accessibility: .whenUnlocked)

I have recently upgraded to Valet 3.2.8. Please note this issue below did not occur before the kSecUseDataProtectionKeychain = true update.

On 10.14 and before, writing to this keychain puts a "application password" in the "login" keychain.

In Catalina, however, writing to this keychain results in a "Missing Entitlement" error. I know this isn't a Valet-specific issue. I go ahead and add the Keychain Sharing entitlement as I read somewhere that that could fix the issue - lo and behold I'm able to write to the keychain!

However, It's not writing to the "login" keychain but instead the "iCloud" keychain and seems to be using the default Keychain Access Group identifier ($teamID).($appIdentifier) as the access group instead of granting the app access directly. This is all a bit weird, and also migrateObjectsFromPreCatalina() does not perform an in-place adjustment but instead creates a duplicate keychain item because it now is an "iCloud" item and not a "login" item.

Any insight here is much appreciated!