Documentation
Keychain & signing
Where DockDuck keeps your credentials (the macOS Keychain, never plain text), how the app is code-signed and notarized, and how host-key and certificate trust protect your remote connections.
DockDuck leans on the security primitives macOS already provides — the Keychain for secrets, Gatekeeper for app integrity, and OpenSSH-style trust pinning for remote connections — rather than rolling its own. Here’s what lives where.
Credentials live in the Keychain
Anything secret is stored in the macOS Keychain, encrypted by the system and protected by your app’s code signature — never in a plain-text file that another process running as you could read or rewrite.
| What | Where |
|---|---|
| Remote server passwords (SFTP / FTP / SMB / WebDAV) | Keychain |
SSH host-key trust (your known_hosts) | Keychain |
| TLS certificate trust (WebDAV / FTPS) | Keychain |
| Account session tokens | Keychain (readable only while your Mac is unlocked) |
A few non-secret, re-syncable values — like the cached trial and license state — live in regular preferences rather than the Keychain. They’re server-authoritative and already shown in the app’s UI, so they aren’t secrets; keeping them out of the Keychain also avoids the repeated “allow access” prompts macOS shows when an app’s signature changes between updates.
Code signing & notarization
DockDuck is distributed as a signed, notarized app:
- Signed with a Developer ID certificate (Apple Team ID
T76KXH83DW), so macOS can verify the app came from us and hasn’t been tampered with. - Notarized by Apple, which scans each build and lets Gatekeeper launch it without warnings.
When you first open DockDuck, Gatekeeper checks the signature and notarization ticket. If you ever see a tampering warning, don’t bypass it — re-download the app from dockduck.app.
Host-key trust (SFTP / SSH)
The first time you connect to an SSH server, DockDuck shows you the server’s host-key fingerprint to verify — exactly like OpenSSH or FileZilla. Once you trust it, the fingerprint is remembered (in the Keychain) so you aren’t asked again.
public/docs/img/keychain-signing-1.pngIf a server’s host key changes on a later connection, DockDuck rejects it and asks you to re-verify. A changed key can mean a legitimate server rebuild — or a machine-in-the-middle attack. Confirm the new fingerprint through a trusted channel before accepting it.
Because the trusted-fingerprint set is the actual defense against interception, it lives in the Keychain rather than a user-writable preferences file — so no other process can silently plant a forged “trusted” key.
Certificate trust (WebDAV / FTPS)
TLS connections (WebDAV over HTTPS, FTPS) validate the server certificate the same way. A self-signed or otherwise untrusted certificate prompts you to inspect and trust it explicitly; your decision is pinned in the Keychain for next time.
Plain FTP is not encrypted
DockDuck supports plain FTP for legacy servers, but it sends credentials and data unencrypted, with no certificate to verify. Prefer SFTP or FTPS whenever the server supports it — DockDuck flags plain-FTP connections accordingly.
Where to go next
- Privacy & data — what DockDuck collects (almost nothing) and why.
- Remote servers — connecting to SFTP, SMB, WebDAV, and FTP.
- Settings — the Servers and Account panes.