Keychain Sharing among Developer Cert signed apps

I am putting together a demo app that will pick up keychain items shared via Keychain Access Groups (or Shared Items Groups, as described here).

Sadly, I'm getting the infamous -34018 A required entitlement isn't present error when trying to load successfully saved items from main app A into my demo app B via SecItemCopyMatching.

From everything I can tell -- after looking at Quinn's excellent Troubleshooting -34018 Keychain Errors post -- after dumping out the entitlements plist, I see the main app A and my new demo app B both have different ApplicationIdentifierPrefix'es compared to the team identifier. ApplicationIdentifierPrefix and TeamIdentifierPrefix are supposed to be the same thing.

I believe (from this ancient StackOverflow answer) it might be due to the fact I'm using my developer certificate (the one associated with my current team) along with Xcode's automatically managed signing may still be accidentally generating random application identifiers.

Is it possible to do keychain item sharing with apps that were built/installed with developer provisioning profiles?

Getting closer to working. I got cloud signing permissions enabled on my team account, plus I can now create certificate/profiles (which I couldn't do before).

The main app (first built years ago) uses an old application identifier prefix that's separate/different from the team identifier. But the "Register an App ID" screen in my developer account has a dropdown that shows all possible app prefixes, not just the team ID. Nice! So now old main app A and brand new demo app B both have matching prefixes and a keychain-access-group of something like RR3K76LW2Q.com.myke.shareditems.

Even after fully deleting the previous demo app from before and reinstalling a new app with a manual provisioning profile (the "iOS App Development" radio button was selected when registering the new profile), I'm still getting -34018 errors when trying to fetch the shared items.
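The write-from-app-A, read-from-app-B flow the post describes, as an added example that is not code from the thread. It assumes both apps list the group under the keychain-access-groups entitlement and that the group's prefix matches each app's application-identifier entitlement; the service name and account are made up, and "RR3K76LW2Q" is the prefix quoted above standing in for a real one.

```swift
import Foundation
import Security

// Added example, not from the thread. Assumes app A and app B both carry this
// group in keychain-access-groups and that its prefix equals their
// ApplicationIdentifierPrefix; "RR3K76LW2Q" is the prefix quoted in the post.
let sharedGroup = "RR3K76LW2Q.com.myke.shareditems"
let service = "com.myke.shareditems.demo"   // assumed service name

struct KeychainError: Error {
    let status: OSStatus
    var description: String {
        (SecCopyErrorMessageString(status, nil) as String?) ?? "OSStatus \(status)"
    }
}

enum SharedKeychain {
    private static func baseQuery(account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrAccessGroup as String: sharedGroup,    // name the shared group explicitly
         kSecAttrService as String: service,
         kSecAttrAccount as String: account,
         kSecUseDataProtectionKeychain as String: true] // data protection keychain everywhere
    }

    /// Writer side (app A): store a secret in the shared access group.
    static func save(account: String, secret: Data) throws {
        _ = SecItemDelete(baseQuery(account: account) as CFDictionary) // idempotent add
        var query = baseQuery(account: account)
        query[kSecValueData as String] = secret
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError(status: status) }
    }

    /// Reader side (app B): fetch app A's item through the same group.
    static func load(account: String) throws -> Data {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecMissingEntitlement {
            // -34018: the calling app's signature does not carry this group, or the
            // group's prefix does not match its application-identifier entitlement.
            // Dump and diff the entitlements of both installed builds before
            // touching the code; the query itself is fine.
            throw KeychainError(status: status)
        }
        guard status == errSecSuccess, let data = item as? Data else {
            throw KeychainError(status: status)
        }
        return data
    }
}
```

Run save in app A and load in app B with the same account string; a -34018 from load with this query points at the entitlements of the reading app, not at the keychain call.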

I see the main app A and my new demo app B both have different ApplicationIdentifierPrefix'es compared to the team identifier.

Yeah, that’s a bad place to be in )-:

Has the existing app shipped to users? Did that version use the data protection keychain?

This matters because my general advice in situations like this is to nix the unique App ID prefix. However, that presents some challenges if the existing app is using keychain access groups based on the old prefix. See App ID Prefix Change and Keychain Access.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
