Big Sur keychain-access-groups crash

We recently added keychain-access-groups to our macOS app, but the app failed to open in Big Sur (macOS 11). It works fine in Monterey and Ventura. The crash log shows:

Exception Type: EXC_CRASH (Code Signature Invalid)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY

Termination Reason: Namespace CODESIGNING, Code 0x1

Here are our entitlements and provisioning profile:

codesign -d --entitlements

<plist version="1.0">
<dict>
<key>com.apple.security.device.audio-input</key><true/><key>com.apple.security.device.camera</key><true/>
<key>keychain-access-groups</key>
<array>
    <string>Q76YUSCMX8.com.veevasystems.crmdesktop</string>
</array>
</dict>
</plist>

The provisioning profile shows:

security cms -D -i

<key>ApplicationIdentifierPrefix</key>
	<array>
	    <string>Q76YUSCMX8</string>
	</array>
...
<key>Entitlements</key>
	<dict>
    <key>com.apple.application-identifier</key>
		    <string>Q76YUSCMX8.com.veevasystems.crmdesktop</string>
		<key>keychain-access-groups</key>
		    <array>
				    <string>Q76YUSCMX8.*</string>
		    </array>
		<key>com.apple.developer.team-identifier</key>
		    <string>Q76YUSCMX8</string>
	</dict>
...
<key>TeamIdentifier</key>
	<array>
		<string>Q76YUSCMX8</string>
	</array>

Based on my understanding, the provisioning profile should allow sharing a keychain that is prefixed with our team ID. Is there anything wrong with our setup? This really puzzles us since everything looks correct. Why does it not work in Big Sur?

When we remove keychain-access-groups from the entitlement file (keeping the provisioning profile as is), the app is able to open, but the feature does not work because we depend on the shared keychain.

Please advise. Thanks.

Replies

but the app failed to open

I have a whole hierarchy of posts related to such issues, starting with Resolving Trusted Execution Problems. The nature of your problem, and the fact that the entitlement snippets you posted are formatted kinda weirdly, make me suspect you’re being hit by the issue discussed in the Normalise the Entitlements Property List section of Resolving Code Signing Crashes on Launch. Please follow the advice there and post back if you continue to have problems.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • Thanks for the reply. We finally resolved the issue. plutil does not find any formatting issue in the entitlement file. The issue is the missing com.apple.application-identifier and com.apple.developer.team-identifier in the entitlement file. It seems they are required for macOS Big Sur even though the documentation said they are not required. The app is able to open once we added the missing keys to the entitlement file.

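An added example, not part of the thread and not Apple's validation logic: a Python check that compares the entitlements signed into the app with the Entitlements dictionary of the provisioning profile, flagging the two identity keys the poster reports having to add and any keychain access group the profile does not cover. The two plists are constructed from the snippets posted above; `permits` and `audit` are hypothetical helper names, and treating a trailing `*` in the profile as a prefix wildcard is an assumption.

```python
import plistlib

# Constructed input: signed entitlements, modelled on the codesign output in the post.
SIGNED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.device.camera</key><true/>
<key>keychain-access-groups</key>
<array><string>Q76YUSCMX8.com.veevasystems.crmdesktop</string></array>
</dict></plist>"""

# Constructed input: the Entitlements dictionary from inside the provisioning profile.
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.application-identifier</key>
<string>Q76YUSCMX8.com.veevasystems.crmdesktop</string>
<key>keychain-access-groups</key>
<array><string>Q76YUSCMX8.*</string></array>
<key>com.apple.developer.team-identifier</key>
<string>Q76YUSCMX8</string>
</dict></plist>"""

# Keys the poster reports having to add to the signed entitlements on macOS 11.
IDENTITY_KEYS = ("com.apple.application-identifier",
                 "com.apple.developer.team-identifier")

def permits(pattern, value):
    """Assumed rule: a trailing '*' is a prefix wildcard, otherwise exact match."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def audit(signed_xml, profile_xml):
    """Return a list of findings; an empty list means the two plists agree."""
    signed = plistlib.loads(signed_xml)
    allowed = plistlib.loads(profile_xml)
    findings = []
    for key in IDENTITY_KEYS:
        if key not in signed:
            findings.append(f"missing: {key}")
        elif not permits(str(allowed.get(key, "")), str(signed[key])):
            findings.append(f"mismatch: {key}")
    patterns = allowed.get("keychain-access-groups", [])
    for group in signed.get("keychain-access-groups", []):
        if not any(permits(p, group) for p in patterns):
            findings.append(f"not authorised: keychain-access-groups {group}")
    return findings

if __name__ == "__main__":
    for finding in audit(SIGNED, PROFILE):
        print(finding)
```

On real builds, the inputs would be the XML produced by the `codesign -d --entitlements` and `security cms -D -i` commands shown in the post, with the profile's Entitlements dictionary extracted first.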