Keychain Group

Question

Created 3w

Replies 5

Boosts 0

Participants 2

Dear Apple Developer Support Team, I would like to inquire whether there is a stable and official method to obtain the correct Team ID. When my app attempts to store data in the Keychain on a physical device, the retrieved Team ID is an unknown one and does not match the Team ID of my developer certificate. This issue consistently results in Keychain access failure with error code -34018. Could you please advise the root cause and provide a reliable solution to fix this Team ID mismatch and resolve the -34018 Keychain error?

NSDictionary *query = [NSDictionary dictionaryWithObjectsAndKeys:
                           kSecClassGenericPassword, kSecClass,
                           @"bundleSeedID", kSecAttrAccount,
                           @"", kSecAttrService,
                           (id)kCFBooleanTrue, kSecReturnAttributes,
                           nil];
    CFDictionaryRef result = nil;
    OSStatus status = SecItemCopyMatching((CFDictionaryRef)query, (CFTypeRef *)&result);
    if (status == errSecItemNotFound)
        status = SecItemAdd((CFDictionaryRef)query, (CFTypeRef *)&result);
    if (status != errSecSuccess)
        return nil;
    NSString *accessGroup = [(__bridge NSDictionary *)result objectForKey:kSecAttrAccessGroup];
    NSArray *components = [accessGroup componentsSeparatedByString:@"."];
    NSString *bundleSeedID = [[components objectEnumerator] nextObject];
    CFRelease(result);
    return bundleSeedID;

Answered by DTS Engineer in 887721022

it cannot be debugged.

Why is that?

The same IPA file is installed on both this problematic device and the normally functioning devices.

How do you create that .ipa?

The usual process for doing that is to export an Ad Hoc signed version of your app. If that’s the case then you can export a Development signed version from the some Xcode archive. At that point you have an exact some copy of the code that you can run and debug with Xcode.

Just to be sure, you should check the keychain entitlements for each build. The .ipa is a zip archive under the covers, so you can change the extension to .zip and unpack it. Once you do that, dump the entitlements like so:

% codesign -d --entitlements - /path/to/my.app

Then use the same command to dump the entitlements of the Development signed version.

Finally, compare the three keychain entitlements discussed in Sharing access to keychain items among a collection of apps. I’d expect them to be the same in both cases and, if so, that means it’s valid to investigate this issue by debug your Development signed build.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Answer 1

DTS Engineer OP

Apple

2w

I suspect you’re confused by the various 10-character identifiers used by code signing. I recommend that you have a read of Code Signing Identifiers Explained, and specifically the entries on Team ID, User ID, Team Member ID, and App ID prefix.

the retrieved Team ID is an unknown one and does not match the Team ID of my developer certificate

There are two possibilities here:

Your app uses a unique App ID prefix, which by definition doesn’t match your Team ID.
You’re using your Team ID as the App ID prefix, but you’re misreading the Team ID in your code signing certificate.

It’s hard to tell which of this is correct without more context. What value do you get back in bundleSeedID? Does it match C____2____? If so, that’s your Team ID, which suggests you’ve hit the second case I’ve described above.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Answer 2

iceboy OP

2w

Thanks for your reply.I'm not sure which ID I'm getting, but this issue only happens on a few individual devices. Could I add an AppIdentifierPrefix entry to info.plist with the value set to $(AppIdentifierPrefix), then retrieve the currently used group by calling [[NSBundle mainBundle] objectForInfoDictionaryKey:@"AppIdentifierPrefix"];? Since the keychain group prefix is formatted as <TeamID>.<GroupName>, I'm having trouble getting the correct TeamID.

Answer 3

DTS Engineer OP

Apple

2w

Just to be clear, both U4ALRF5A38 and VELCFRZBHZ are Team IDs.

this issue only happens on a few individual devices.

I’d like to clarify that point. So your app works on most devices? And then fails on some specific ones?

Are the failing devices ones that you control? Or are you investigating this based on reports coming in from your users?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Answer 4

iceboy OP

2w

It’s a device from the testing department, and it cannot be debugged. Currently, I’m exporting the logs by writing them to a file.The error occurs regardless of whether the group is correct or not. The same IPA file is installed on both this problematic device and the normally functioning devices.

Answer 5

DTS Engineer OP

Apple

2w

Accepted Answer

it cannot be debugged.

Why is that?

The same IPA file is installed on both this problematic device and the normally functioning devices.

How do you create that .ipa?

The usual process for doing that is to export an Ad Hoc signed version of your app. If that’s the case then you can export a Development signed version from the some Xcode archive. At that point you have an exact some copy of the code that you can run and debug with Xcode.

Just to be sure, you should check the keychain entitlements for each build. The .ipa is a zip archive under the covers, so you can change the extension to .zip and unpack it. Once you do that, dump the entitlements like so:

% codesign -d --entitlements - /path/to/my.app

Then use the same command to dump the entitlements of the Development signed version.

Finally, compare the three keychain entitlements discussed in Sharing access to keychain items among a collection of apps. I’d expect them to be the same in both cases and, if so, that means it’s valid to investigate this issue by debug your Development signed build.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"