Keychain & signing

Where DockDuck keeps your credentials (the macOS Keychain, never plain text), how the app is code-signed and notarized, and how host-key and certificate trust protect your remote connections.

Updated June 21, 2026 · Suggest an edit

DockDuck leans on the security primitives macOS already provides — the Keychain for secrets, Gatekeeper for app integrity, and OpenSSH-style trust pinning for remote connections — rather than rolling its own. Here’s what lives where.

Credentials live in the Keychain

Anything secret is stored in the macOS Keychain, encrypted by the system and protected by your app’s code signature — never in a plain-text file that another process running as you could read or rewrite.

WhatWhere
Remote server passwords (SFTP / FTP / SMB / WebDAV)Keychain
SSH host-key trust (your known_hosts)Keychain
TLS certificate trust (WebDAV / FTPS)Keychain
Account session tokensKeychain (readable only while your Mac is unlocked)
Note

A few non-secret, re-syncable values — like the cached trial and license state — live in regular preferences rather than the Keychain. They’re server-authoritative and already shown in the app’s UI, so they aren’t secrets; keeping them out of the Keychain also avoids the repeated “allow access” prompts macOS shows when an app’s signature changes between updates.

Code signing & notarization

DockDuck is distributed as a signed, notarized app:

  • Signed with a Developer ID certificate (Apple Team ID T76KXH83DW), so macOS can verify the app came from us and hasn’t been tampered with.
  • Notarized by Apple, which scans each build and lets Gatekeeper launch it without warnings.

When you first open DockDuck, Gatekeeper checks the signature and notarization ticket. If you ever see a tampering warning, don’t bypass it — re-download the app from dockduck.app.

Host-key trust (SFTP / SSH)

The first time you connect to an SSH server, DockDuck shows you the server’s host-key fingerprint to verify — exactly like OpenSSH or FileZilla. Once you trust it, the fingerprint is remembered (in the Keychain) so you aren’t asked again.

Warning

If a server’s host key changes on a later connection, DockDuck rejects it and asks you to re-verify. A changed key can mean a legitimate server rebuild — or a machine-in-the-middle attack. Confirm the new fingerprint through a trusted channel before accepting it.

Because the trusted-fingerprint set is the actual defense against interception, it lives in the Keychain rather than a user-writable preferences file — so no other process can silently plant a forged “trusted” key.

Certificate trust (WebDAV / FTPS)

TLS connections (WebDAV over HTTPS, FTPS) validate the server certificate the same way. A self-signed or otherwise untrusted certificate prompts you to inspect and trust it explicitly; your decision is pinned in the Keychain for next time.

Plain FTP is not encrypted

DockDuck supports plain FTP for legacy servers, but it sends credentials and data unencrypted, with no certificate to verify. Prefer SFTP or FTPS whenever the server supports it — DockDuck flags plain-FTP connections accordingly.

Where to go next

Was this helpful? Suggest an edit