KeyChain Sharing with App Extensions

Hi, we are trying to use the Apple Security API for Keychain Services.

Using the common App Group: Specifying the common app group in the "kSecAttrAccessGroup" field of the keychain query allowed us to have a shared keychain for different apps (targets) in the app group, but this did not work for extensions.

Enabling the Keychain Sharing capability: We enabled the Keychain Sharing capability in the extensions and the app target as well, giving a common keychain access group. Specifying this in the kSecAttrAccessGroup field also did not work. This was done in Xcode as we were unable to locate it in the Developer portal in Identifiers.

We tried specifying "$AppIdentifier.KeyChainSharingGroup" in the kSecAttrAccessGroup field, but this did not work either.

The error code which we get in all these 3 cases when trying to access the keychain from the extension is error code 25291 (errSecNotAvailable). The documentation says this error comes when "No Trust Results are available" and printing the error in Xcode using the status says "No keychain is available."

The online documentation says that it is possible to share a keychain with extensions, but so far we are unable to do it with the methods suggested.

Do we need any special entitlement for this or is there something we are missing while using these APIs?

We really appreciate any and all help in solving this issue!

Thank you

What platform are you on?

And what type of app extensions are you building?

This matters because:

So, if you’re on iOS or one of its child platforms, we can focus on the appex side of this. OTOH, if you’re on macOS, things get more complex |-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Apple team,

Thanks for the follow up. Here are the details you requested:

  • Platform: iOS (running on iPhone hardware; built with Xcode 15, iOS 17 SDK).
  • Extension type: Network Extension provider packaged as an app extension (appex) within the main app target.
  • Keychain configuration:
    • The main app and the extension both have the Keychain Sharing capability enabled with the same access group (for example, ABCD1234.com.example.shared).
    • We also tried the common app group and specifying the access group via kSecAttrAccessGroup, including variations such as $AppIdentifier.KeyChainSharingGroup.
  • Error observed: When the extension attempts to access the shared keychain, SecItemCopyMatching returns status 25291 (errSecNotAvailable), which Xcode reports as "No keychain is available." The same code and access group work from the containing app.

Could you advise whether additional entitlements are needed for Network Extension providers on iOS, or if there are specific packaging or provisioning steps we should double-check for appex-based NE providers? If there are recommended examples for keychain access from NE appexes, we would appreciate a pointer.

Thanks for your help!

Hi,

Thanks for following up.

Platform: iOS (tested on iOS 17.x and iOS 18 betas).

Extension type: Apple MatterSupport “Matter Add Device Extension” (Accessory Setup extension). We’re not building a Network Extension provider—our earlier “Network Extension” tag was a mistake.

Our setup is a standard iOS app (com.infibrite…) plus the Matter setup extension (com.infibrite…MatterSetupExtension). Both targets need to share Matter fabric credentials via a single keychain access group (com.infibrite.matter.shared) so the extension can commission devices while the main app reuses the stored fabric.

App Groups and other capabilities enable correctly, but the “Keychain Sharing” toggle never appears for either App ID in the portal. Because the provisioning profiles can’t include that entitlement, the OS returns errSecMissingEntitlement whenever we reference kSecAttrAccessGroup, so the extension can’t read the credentials.

Could you enable Keychain Sharing for these iOS App IDs (main app + Matter setup extension) or let us know how to make the capability visible? Happy to provide the exact bundle identifiers if needed.

Thanks again for the assistance! Best regards,
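A diagnostic for the access-group failures described in this thread, as an added example that is not part of any post and is not Apple's code. It reads back the access group the keychain assigns when a query names none, then does a write and read in an explicit group such as the thread's placeholder `ABCD1234.com.example.shared`; the service and account names are hypothetical.

```swift
import Foundation
import Security

/// Human-readable text for an OSStatus, e.g. errSecMissingEntitlement.
func describe(_ status: OSStatus) -> String {
    let text = SecCopyErrorMessageString(status, nil) as String? ?? "unknown"
    return "\(status) (\(text))"
}

/// Returns the access group the keychain assigns when the query names none:
/// the process's default group (first keychain access group, else its app ID).
func defaultAccessGroup() -> String? {
    let probe: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "access-group-probe",   // hypothetical name
        kSecAttrAccount as String: "probe",
        kSecReturnAttributes as String: true,
    ]
    var result: CFTypeRef?
    var status = SecItemCopyMatching(probe as CFDictionary, &result)
    if status == errSecItemNotFound {
        status = SecItemAdd(probe as CFDictionary, &result)
    }
    guard status == errSecSuccess, let attrs = result as? [String: Any] else {
        print("probe failed: \(describe(status))")
        return nil
    }
    return attrs[kSecAttrAccessGroup as String] as? String
}

/// Writes then reads one item in the given group, returning both statuses.
func roundTrip(in group: String) -> (add: OSStatus, read: OSStatus) {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "shared-credential-test", // hypothetical name
        kSecAttrAccount as String: "test",
        kSecAttrAccessGroup as String: group,
    ]
    _ = SecItemDelete(base as CFDictionary)                  // start clean
    var add = base
    add[kSecValueData as String] = Data("constructed-sample".utf8)
    let addStatus = SecItemAdd(add as CFDictionary, nil)
    var read = base
    read[kSecReturnData as String] = true
    var out: CFTypeRef?
    return (addStatus, SecItemCopyMatching(read as CFDictionary, &out))
}
```

Run both functions in the containing app and in the extension and compare the results: the default group reflects what each signed binary is entitled to, and `describe` turns the returned statuses into text for logs.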
