Keychain access password prompt on app upgrade

We have an app which creates a custom keychain to store some data. We were using a “3rd Party Mac Developer Application” certificate to sign our app.

The cert expired in March 2015. We generated a new cert from the same account and signed the updated version of the app. But now the system prompts for the keychain password whenever the updated app tries to read the keychain content created by the older version of the app, even though both app versions are signed using certs from the same account.


We are using the following command to sign the app from the command line:


codesign --sign "3rd Party Mac Developer Application: ******" --force --keychain <keychain-name> --verbose <appname>

The designated requirement for the app is: identifier "<app bundle id>" and anchor apple generic and certificate leaf[subject.CN] = "3rd Party Mac Developer Application: ****** (*********)" and certificate 1[field.<some numbers>] /* exists */


Please suggest some solution to avoid the UI prompt asking for the keychain password.

Replies

The designated requirement for the app is …

Have you dumped the DR for both the new and the old app? Are they the same?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I did compare the dump of the DR for both the old and new versions of the app and they are the same.

One of the differences I found in the cert from both app versions is the Sealed Resources number of rules. The following values were obtained:


Updated App : Sealed Resources version=2 rules=13 files=55

Old App : Sealed Resources version=2 rules=12 files=55


Don't know if this is creating the issue, please check.
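The comparison discussed in the two posts above (the designated requirement dump and the Sealed Resources line) can be scripted over captured `codesign` output. This is an added example, not code from the thread's participants; the function names, file names and the sample identifier `com.example.app` are assumptions, and the sample captures are constructed using the rule counts quoted above.

```shell
#!/bin/sh
# Compare two builds using captured codesign output. On macOS, capture with:
#   codesign -d -r- --verbose=4 Old.app > old.txt 2>&1
#   codesign -d -r- --verbose=4 New.app > new.txt 2>&1

# Print the designated requirement text found in a capture file.
extract_dr() {
    sed -n 's/^.*designated => //p' "$1"
}

# Print one numeric field (version, rules or files) of the "Sealed Resources" line.
sealed_field() {
    sed -n "s/^Sealed Resources.*[[:space:]]$2=\([0-9][0-9]*\).*/\1/p" "$1"
}

# Report what differs between two captures; return 1 if anything differs.
compare_builds() {
    rc=0
    if [ "$(extract_dr "$1")" = "$(extract_dr "$2")" ]; then
        echo "designated requirement: same"
    else
        echo "designated requirement: DIFFERENT"
        rc=1
    fi
    for key in version rules files; do
        old=$(sealed_field "$1" "$key")
        new=$(sealed_field "$2" "$key")
        if [ "$old" = "$new" ]; then
            echo "sealed resources $key: same ($old)"
        else
            echo "sealed resources $key: $old -> $new"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample captures (the identifier is a placeholder, not a real app).
write_samples() {
    dr='designated => identifier "com.example.app" and anchor apple generic'
    printf '%s\n%s\n' "Sealed Resources version=2 rules=12 files=55" "$dr" > "$1/old.txt"
    printf '%s\n%s\n' "Sealed Resources version=2 rules=13 files=55" "$dr" > "$1/new.txt"
}

tmp=$(mktemp -d)
write_samples "$tmp"
compare_builds "$tmp/old.txt" "$tmp/new.txt" || echo "builds differ"
rm -rf "$tmp"
```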

please check.

It’s hard to check without seeing the actual rules. It seems like you’re reluctant to share the specific details of your app here on DevForums. If you’d like to conduct this investigation in private my recommendation is that you open a DTS tech support incident and speak one-on-one with DTS’s code signing expert.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for your help, have raised a DTS support ticket, will follow up there.