Global Variable


A required entitlement is missing.


var errSecMissingEntitlement: OSStatus { get }


The SecItemAdd(_:_:) method returns this error when you specify an access group to which your app doesn’t belong:

let attributes = [kSecClass: kSecClassGenericPassword,
                  kSecAttrService: service,
                  kSecAttrAccount: username,
                  kSecAttrAccessGroup: "group",             // FIXME
                  kSecValueData: password] as [String: Any]
let addStatus = SecItemAdd(attributes as CFDictionary, nil)

To avoid the error, either use your app’s default access group by omitting the kSecAttrAccessGroup key in the add attributes, or make sure that the value associated with the key matches one of your app’s access groups. These access groups come from your app’s Keychain Access Groups Entitlement, its app identifier, and its App Groups Entitlement, in that order, as described in Sharing Access to Keychain Items Among a Collection of Apps.

You can check the access group string by setting a breakpoint on the SecItemAdd(_:_:) call and using the debugger to print the query dictionary. Look for the agrp item:

(lldb) p attributes
([String : Any]) $R0 = 5 key/value pairs {
  [3] = {
    key = "agrp"
    value = ""

If after setting the access group key correctly you still receive the errSecMissingEntitlement error, check to make sure the entitlements in your built app match your expectations. Build your app for a hardware target—not the Simulator app—and use Xcode to locate the app bundle on disk:

Screenshot of Xcode showing how to find the full path to a built app bundle.

Then get a list of the app’s entitlements. Run the codesign command-line utility shown in the following example, substituting the Xcode-provided path to your app, like the one highlighted in the preceding illustration.

$ codesign -d --entitlements :- [path]

<plist version="1.0">

Inspect the codesign output to determine the groups to which your app actually belongs. The following collectively define your app’s access groups:

  • Any of the strings in the array associated with the keychain-access-groups key.

  • The string corresponding to the application-identifier key (or the key in macOS).

  • Any of the strings in the array associated with the key.

See Also

Other Result Codes

var errSecAddinLoadFailed: OSStatus

The add-in load operation failed.

var errSecAddinUnloadFailed: OSStatus

The add-in unload operation failed.

var errSecAlgorithmMismatch: OSStatus

An algorithm mismatch occurred.

var errSecAlreadyLoggedIn: OSStatus

The user is already logged in.

var errSecAppleInvalidKeyEndDate: OSStatus

The specified key has an invalid end date.

var errSecAppleInvalidKeyStartDate: OSStatus

The specified key has an invalid start date.

var errSecAppleSSLv2Rollback: OSStatus

A SSLv2 rollback error has occurred.

var errSecAppleSignatureMismatch: OSStatus

A signature mismatch has occurred.

var errSecAttachHandleBusy: OSStatus

The CSP handle was busy.

var errSecAttributeNotInContext: OSStatus

An attribute was not in the context.

var errSecBlockSizeMismatch: OSStatus

A block size mismatch occurred.

var errSecConversionError: OSStatus

A conversion error has occurred.

var errSecDatabaseLocked: OSStatus

The database is locked.

var errSecDecode: OSStatus

Unable to decode the provided data.

var errSecDeviceError: OSStatus

A device error was encountered.

var errSecDeviceFailed: OSStatus

A device failure has occurred.

var errSecDeviceReset: OSStatus

A device reset has occurred.

var errSecDeviceVerifyFailed: OSStatus

A device verification failure has occurred.

var errSecEMMLoadFailed: OSStatus

The elective module manager load failed.

var errSecEMMUnloadFailed: OSStatus

The elective module manager unload has failed.

var errSecEventNotificationCallbackNotFound: OSStatus

An event notification callback was not found.

var errSecExtendedKeyUsageNotCritical: OSStatus

The extended key usage extension was not marked critical.

var errSecFieldSpecifiedMultiple: OSStatus

Too many fields were specified.

var errSecFileTooBig: OSStatus

The file is too big.

var errSecFunctionIntegrityFail: OSStatus

A function address is not within the verified module.

var errSecHostNameMismatch: OSStatus

A host name mismatch has occurred.

var errSecIncompatibleDatabaseBlob: OSStatus

The specified database has an incompatible blob.

var errSecIncompatibleFieldFormat: OSStatus

The field format is incompatible.

var errSecIncompatibleKeyBlob: OSStatus

The specified database has an incompatible key blob.

var errSecIncompatibleVersion: OSStatus

The version is incompatible.

var errSecInputLengthError: OSStatus

An input length error occurred.

var errSecInsufficientClientID: OSStatus

The client ID is incorrect.

var errSecInsufficientCredentials: OSStatus

Insufficient credentials were detected.

var errSecInvalidAccessCredentials: OSStatus

Invalid access credentials were detected.

var errSecInvalidAccessRequest: OSStatus

The access request is invalid.

var errSecInvalidAction: OSStatus

The action is invalid.

var errSecInvalidAddinFunctionTable: OSStatus

An invalid add-in function table was detected.

var errSecInvalidAlgorithm: OSStatus

An invalid algorithm was detected.

var errSecInvalidAuthority: OSStatus

The authority is not valid.

var errSecInvalidAuthorityKeyID: OSStatus

The authority key ID is not valid.

var errSecInvalidBundleInfo: OSStatus

The bundle information is not valid.

var errSecInvalidContext: OSStatus

An invalid context was detected.

var errSecInvalidDBList: OSStatus

An invalid DB list was detected.

var errSecInvalidDBLocation: OSStatus

The database location is not valid.

var errSecInvalidData: OSStatus

Invalid data was detected.

var errSecInvalidDatabaseBlob: OSStatus

The specified database has an invalid blob.

var errSecInvalidDigestAlgorithm: OSStatus

An invalid digest algorithm was detected.

var errSecInvalidEncoding: OSStatus

The encoding is not valid.

var errSecInvalidExtendedKeyUsage: OSStatus

The extended key usage is not valid.

var errSecInvalidFormType: OSStatus

The form type is not valid.

var errSecInvalidGUID: OSStatus

An invalid GUID was detected.

var errSecInvalidHandle: OSStatus

An invalid handle was encountered.

var errSecInvalidHandleUsage: OSStatus

The common security services manager handle does not match with the service type.

var errSecInvalidID: OSStatus

The ID is not valid.

var errSecInvalidIDLinkage: OSStatus

The ID linkage is not valid.

var errSecInvalidIdentifier: OSStatus

The identifier is not valid.

var errSecInvalidIndex: OSStatus

The index is not valid.

var errSecInvalidIndexInfo: OSStatus

The index information is not valid.

var errSecInvalidInputVector: OSStatus

The input vector is not valid.

var errSecInvalidLoginName: OSStatus

An invalid login name was detected.

var errSecInvalidModifyMode: OSStatus

The modify mode is not valid.

var errSecInvalidName: OSStatus

An invalid name was detected.

var errSecInvalidNetworkAddress: OSStatus

An invalid network address was detected.

var errSecInvalidNewOwner: OSStatus

The new owner is not valid.

var errSecInvalidNumberOfFields: OSStatus

An invalid number of fields were detected.

var errSecInvalidOutputVector: OSStatus

The output vector is not valid.

var errSecInvalidOwnerEdit: OSStatus

An invalid attempt to change the owner of an item.

var errSecInvalidPVC: OSStatus

An invalid pointer validation checking policy was detected.

var errSecInvalidParsingModule: OSStatus

The parsing module is not valid.

var errSecInvalidPassthroughID: OSStatus

An invalid passthrough ID was detected.

var errSecInvalidPasswordRef: OSStatus

The password reference is invalid.

var errSecInvalidPointer: OSStatus

An invalid pointer was detected.

var errSecInvalidPolicyIdentifiers: OSStatus

The policy identifiers are not valid.

var errSecInvalidQuery: OSStatus

The specified query is not valid.

var errSecInvalidReason: OSStatus

The trust policy reason is not valid.

var errSecInvalidRecord: OSStatus

An invalid record was detected.

var errSecInvalidRequestInputs: OSStatus

The request inputs are not valid.

var errSecInvalidRequestor: OSStatus

The requestor is not valid.

var errSecInvalidResponseVector: OSStatus

The response vector is not valid.

var errSecInvalidRoot: OSStatus

The root or anchor certificate is not valid.

var errSecInvalidSampleValue: OSStatus

An invalid sample value was detected.

var errSecInvalidScope: OSStatus

An invalid scope was detected.

var errSecInvalidServiceMask: OSStatus

An invalid service mask was detected.

var errSecInvalidSignature: OSStatus

An invalid signature was detected.

var errSecInvalidStopOnPolicy: OSStatus

The stop-on policy is not valid.

var errSecInvalidSubServiceID: OSStatus

An invalid sub-service ID was detected.

var errSecInvalidSubjectKeyID: OSStatus

The subject key ID is not valid.

var errSecInvalidTimeString: OSStatus

The time specified is not valid.

var errSecInvalidTrustSetting: OSStatus

The trust setting is invalid.

var errSecInvalidTrustSettings: OSStatus

The trust settings record is corrupted.

var errSecInvalidTuple: OSStatus

The tuple is not valid.

var errSecInvalidTupleCredendtials: OSStatus

The tuple credentials are not valid.

var errSecInvalidTupleGroup: OSStatus

The tuple group is not valid.

var errSecInvalidValidityPeriod: OSStatus

The validity period is not valid.

var errSecInvalidValue: OSStatus

An invalid value was detected.

var errSecLibraryReferenceNotFound: OSStatus

A library reference was not found.

var errSecMDSError: OSStatus

A module directory service error occurred.

var errSecMemoryError: OSStatus

A memory error occurred.

var errSecMissingRequiredExtension: OSStatus

A required certificate extension is missing.

var errSecMissingValue: OSStatus

A missing value was detected.

var errSecModuleManifestVerifyFailed: OSStatus

A module manifest verification failure occurred.

var errSecModuleNotLoaded: OSStatus

A module was not loaded.

var errSecMultiplePrivKeys: OSStatus

An attempt was made to import multiple private keys.

var errSecMultipleValuesUnsupported: OSStatus

Multiple values are not supported.

var errSecNoAccessForItem: OSStatus

The specified item has no access control.

var errSecNoBasicConstraints: OSStatus

No basic constraints were found.

var errSecNoBasicConstraintsCA: OSStatus

No basic CA constraints were found.

var errSecNoDefaultAuthority: OSStatus

No default authority was detected.

var errSecNoFieldValues: OSStatus

No field values were detected.

var errSecNoTrustSettings: OSStatus

No trust settings were found.

var errSecNotInitialized: OSStatus

A function was called without initializing the common security services manager.

var errSecNotLoggedIn: OSStatus

You are not logged in.

var errSecNotSigner: OSStatus

The certificate is not signed by its proposed parent.

var errSecNotTrusted: OSStatus

The trust policy is not trusted.

var errSecOutputLengthError: OSStatus

An output length error was detected.

var errSecPVCAlreadyConfigured: OSStatus

The PVC is already configured.

var errSecPVCReferentNotFound: OSStatus

A reference to the calling module was not found in the list of authorized callers.

var errSecPassphraseRequired: OSStatus

A password is required for import or export.

var errSecPathLengthConstraintExceeded: OSStatus

The path length constraint was exceeded.

var errSecPkcs12VerifyFailure: OSStatus

MAC verification failed during PKCS12 Import.

var errSecPolicyNotFound: OSStatus

The specified policy cannot be found.

var errSecPrivilegeNotGranted: OSStatus

The privilege is not granted.

var errSecPrivilegeNotSupported: OSStatus

The privilege is not supported.

var errSecPublicKeyInconsistent: OSStatus

The public key is inconsistent.

var errSecQuerySizeUnknown: OSStatus

The query size is unknown.

var errSecQuotaExceeded: OSStatus

The quota was exceeded.

var errSecRejectedForm: OSStatus

The trust policy has a rejected form.

var errSecRequestDescriptor: OSStatus

The request descriptor is not valid.

var errSecRequestRejected: OSStatus

The request is rejected.

var errSecServiceNotAvailable: OSStatus

The required service is not available.

var errSecStagedOperationInProgress: OSStatus

A staged operation is in progress.

var errSecStagedOperationNotStarted: OSStatus

A staged operation was not started.

var errSecTagNotFound: OSStatus

The specified tag is not found.

var errSecTrustNotAvailable: OSStatus

No trust results are available.

var errSecUnknownFormat: OSStatus

The item you are trying to import has an unknown format.

var errSecUnknownTag: OSStatus

An unknown tag was detected.

var errSecUnsupportedAddressType: OSStatus

The address type is not supported.

var errSecUnsupportedFieldFormat: OSStatus

The field format is not supported.

var errSecUnsupportedFormat: OSStatus

The specified import or export format is not supported.

var errSecUnsupportedIndexInfo: OSStatus

The index information is not supported.

var errSecUnsupportedLocality: OSStatus

The locality is not supported.

var errSecUnsupportedNumAttributes: OSStatus

The number of attributes is not supported.

var errSecUnsupportedNumIndexes: OSStatus

The number of indexes is not supported.

var errSecUnsupportedNumRecordTypes: OSStatus

The number of record types is not supported.

var errSecUnsupportedNumSelectionPreds: OSStatus

The number of selection predicates is not supported.

var errSecUnsupportedOperator: OSStatus

The operator is not supported.

var errSecUnsupportedQueryLimits: OSStatus

The query limits are not supported.

var errSecUnsupportedService: OSStatus

The service is not supported.

var errSecUnsupportedVectorOfBuffers: OSStatus

The vector of buffers is not supported.

var errSecVerificationFailure: OSStatus

A verification failure occurred.

var errSecVerifyFailed: OSStatus

A cryptographic verification failure occurred.