Mecki

Reputation: 132919

Always getting kSecTrustResultRecoverableTrustFailure, even after changing trust settings in Keychain Access

When calling SecTrustEvaluateWithError() on my SecTrustRef object, the API always returns kSecTrustResultRecoverableTrustFailure. According to the header file, this means:

Indicates a trust policy failure which can be overridden by the user. This value may be returned by the SecTrustEvaluate function but not stored as part of the user trust settings.

Being overridable, I changed the trust settings for the untrusted certificate using Keychain Access app like so:

[screenshot: the certificate's trust settings in Keychain Access]

Yet this seems to make no difference, the result is still kSecTrustResultRecoverableTrustFailure, so what am I doing wrong?

Upvotes: 2

Views: 865

Answers (1)

Mecki

Reputation: 132919

It turned out that the problem was caused by calling SecTrustSetAnchorCertificates(), which I used to add my own CA certificates before calling SecTrustEvaluateWithError().

The now-deprecated function SecTrustEvaluate() contains an important note in its documentation:

As an exception, if your app has previously called SecTrustSetAnchorCertificates, the user-specified trust settings are ignored, and the certificate’s chain must contain one of the specified anchor certificates.

Source: https://developer.apple.com/documentation/security/1394363-sectrustevaluate

While this note is missing from the SecTrustEvaluateWithError() documentation, it applies to that function as well as to SecTrustEvaluateAsyncWithError(). If I make sure that SecTrustSetAnchorCertificates() is never called, then the user override works as expected (with that override, the cert is considered trusted by the system; without it, it isn't, which is expected behavior).

Upvotes: 2
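The following command-line tool reproduces the behavior described in the answer above. It is an added example, not the asker's code: it evaluates the same DER-encoded chain twice with SecTrustEvaluateWithError(), once without and once after SecTrustSetAnchorCertificates(), and reads back the SecTrustResultType so the difference between a Keychain Access override (kSecTrustResultProceed) and plain policy trust (kSecTrustResultUnspecified) is visible. The file name trust_check.swift, the --anchor flag, and the use of the basic X.509 policy (rather than an SSL policy) are assumptions made for the example; it expects DER certificate files as paths on the command line.

```swift
// trust_check.swift  (added example; macOS, Security.framework)
// Build: swiftc -O -o trust_check trust_check.swift
// Run:   ./trust_check leaf.der [intermediate.der ...] [--anchor ca.der ...]
//
// Evaluates one chain twice with SecTrustEvaluateWithError():
//   1. without SecTrustSetAnchorCertificates(): trust settings set in Keychain
//      Access are honored; an "Always Trust" override shows up as .proceed
//   2. after  SecTrustSetAnchorCertificates(): user trust settings are ignored
//      and the chain must terminate in one of the supplied anchors
import Foundation
import Security

/// Loads a DER-encoded X.509 certificate from disk (PEM is not handled here).
func loadCertificate(path: String) -> SecCertificate? {
    guard let data = FileManager.default.contents(atPath: path) else { return nil }
    return SecCertificateCreateWithData(nil, data as CFData)
}

/// Names for SecTrustResultType, with the meaning given in SecTrust.h.
func describe(_ result: SecTrustResultType) -> String {
    switch result {
    case .invalid:                 return "kSecTrustResultInvalid"
    case .proceed:                 return "kSecTrustResultProceed (user explicitly trusts it)"
    case .deny:                    return "kSecTrustResultDeny (user explicitly distrusts it)"
    case .unspecified:             return "kSecTrustResultUnspecified (trusted, no user setting)"
    case .recoverableTrustFailure: return "kSecTrustResultRecoverableTrustFailure"
    case .fatalTrustFailure:       return "kSecTrustResultFatalTrustFailure"
    case .otherError:              return "kSecTrustResultOtherError"
    @unknown default:              return "unknown (\(result.rawValue))"
    }
}

struct Evaluation {
    let trusted: Bool
    let result: SecTrustResultType
    let error: String?
}

/// Builds a SecTrust for `chain` (leaf first) under the basic X.509 policy and
/// evaluates it. When `anchors` is non-nil, SecTrustSetAnchorCertificates() is
/// called first; that is the call which makes Keychain Access overrides ignored.
func evaluate(chain: [SecCertificate], anchors: [SecCertificate]?) -> Evaluation {
    var trust: SecTrust?
    let policy = SecPolicyCreateBasicX509()   // assumption: not an SSL/hostname policy
    var status = SecTrustCreateWithCertificates(chain as CFArray, policy, &trust)
    guard status == errSecSuccess, let trust = trust else {
        return Evaluation(trusted: false, result: .otherError,
                          error: "SecTrustCreateWithCertificates failed: \(status)")
    }

    if let anchors = anchors {
        status = SecTrustSetAnchorCertificates(trust, anchors as CFArray)
        guard status == errSecSuccess else {
            return Evaluation(trusted: false, result: .otherError,
                              error: "SecTrustSetAnchorCertificates failed: \(status)")
        }
    }

    var cfError: CFError?
    let trusted = SecTrustEvaluateWithError(trust, &cfError)

    // The Bool only says trusted / not trusted; the kSecTrustResult... code that
    // the question quotes has to be read back separately.
    var result = SecTrustResultType.invalid
    _ = SecTrustGetTrustResult(trust, &result)

    let message = cfError.map { ($0 as Error).localizedDescription }
    return Evaluation(trusted: trusted, result: result, error: message)
}

// --- command-line driver ----------------------------------------------------
var args = Array(CommandLine.arguments.dropFirst())
var anchorPaths: [String] = []
while let i = args.firstIndex(of: "--anchor"), i + 1 < args.count {
    anchorPaths.append(args[i + 1])
    args.removeSubrange(i...(i + 1))
}
guard !args.isEmpty else {
    print("usage: trust_check leaf.der [intermediate.der ...] [--anchor ca.der ...]")
    exit(2)
}

let chain = args.compactMap(loadCertificate)
let anchors = anchorPaths.compactMap(loadCertificate)
guard chain.count == args.count, anchors.count == anchorPaths.count else {
    print("could not parse one or more DER certificates")
    exit(1)
}

let plain = evaluate(chain: chain, anchors: nil)
print("without SecTrustSetAnchorCertificates: trusted=\(plain.trusted) " +
      "result=\(describe(plain.result)) error=\(plain.error ?? "none")")

if !anchors.isEmpty {
    let anchored = evaluate(chain: chain, anchors: anchors)
    print("with    SecTrustSetAnchorCertificates: trusted=\(anchored.trusted) " +
          "result=\(describe(anchored.result)) error=\(anchored.error ?? "none")")
}
```

Run it once before and once after marking the certificate as trusted in Keychain Access: the first evaluation should move from kSecTrustResultRecoverableTrustFailure to kSecTrustResultProceed, while the anchored evaluation stays at the recoverable failure unless the real issuing CA is passed with --anchor. If you need both your own CAs and the built-in anchors, the documented knob is SecTrustSetAnchorCertificatesOnly(trust, false), which re-enables the built-in anchors alongside the ones you set; whether that also restores the Keychain Access override is not something the answer above establishes, so verify it with this tool rather than assuming it.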
