macOS SecAccessControlRef throws errors and crashes

Dear Developer,

I’m a little confused about passwordhandling with TouchID in macOS and need help.

According to Pages or Numbers, a password that is TouchID 'controlled‘ isn’t visible in the keychain.app. I think I’m right, that therefore I have to call ‚SecItemAdd‘ with a SecAccessControlRef. Am I?

So I implemented the following Code:

NSData *secret = [@"top secret" dataUsingEncoding: NSUTF8StringEncoding];
CFErrorRef *error = nil;
   SecAccessControlRef sacObject =
   SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                   kSecAttrAccessibleWhenUnlocked,
                                   kSecAccessControlBiometryAny,
                                   error);
   if(error)
   {
      CFStringRef errorstring = CFErrorCopyFailureReason( *error);
     
   }
  
  
   NSDictionary *query = @{
                           (id)kSecClass : (id)kSecClassGenericPassword,
                           (id)kSecAttrService : @"the.bundle.identifier",
                           (id)kSecAttrAccount : @"myAccount",
                           (id)kSecValueData : secret,
                           (id)kSecAttrAccessControl : (__bridge id) sacObject
                           };
   CFTypeRef* returnref = nil;
   OSStatus status = SecItemAdd((CFDictionaryRef)query, returnref);
   if (status != errSecSuccess)
   {
      CFStringRef errorstatus = SecCopyErrorMessageString( status, NULL);
      NSLog((__bridge NSString *)errorstatus);
     
   }

which throws an error in console.app

‚Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements" UserInfo={NSDescription=Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements}'

So I added

<key>com.apple.application-identifier</key>

<string>TeamID.bundle.identifier</string>

<key>keychain-access-groups</key>

<array>

<string>TeamID.groupname</string>

</array>

That was already set:

<key>com.apple.security.application-groups</key>

<array>

<string>TeamID.groupname</string>

</array>

and the app crashes at start (in and outside the debugger)

with

Exception Type: EXC_CRASH (Code Signature Invalid)

Exception Codes: 0x0000000000000000, 0x0000000000000000

Exception Note: EXC_CORPSE_NOTIFY

Termination Reason: Namespace CODESIGNING, Code 0x1

It doesn’t crash when I remove ‚keychain-access-groups‘, but then again I got error 34018.

Do I need a provisioning profile to manage keychain-access-groups (we don’t need it for anything else in our apps)?

And last but important: What about Apps outside the sandbox? We’ve got entitlements to enable hardened-Runtime for Notarization. Can I add the same entitlements as in sandboxed apps?

macOS: 10.14.2, Xcode 10.1

Adding Passwords to keychain without SecAccessControlRef works perfect.

Thank you for your help!

Brigitte