"Failed to retrieve app-scope key" in sandboxed app

Hi all.


A customer of my app Yoink has an issue with it. When he tries to drag a file to it, the console reports this:

"Error Domain=NSCocoaErrorDomain Code=256 "Failed to retrieve app-scope key" UserInfo={NSDebugDescription=Failed to retrieve app-scope key}"


The app, as soon as it retrieves an NSURL via drag and drop, creates a security-scoped bookmark from it (the entitlements are set correctly, of course, because for me and everyone else who uses this app, except this one person, it works fine).


So, now my question is, what causes "Failed to retrieve app-scope key"?


The app creates the bookmark like this:

NSError *err = nil;
NSURLBookmarkCreationOptions options = NSURLBookmarkCreationWithSecurityScope;

// First attempt: read-write security-scoped bookmark.
NSData *bmData = [fileURL bookmarkDataWithOptions:options
                   includingResourceValuesForKeys:nil
                                    relativeToURL:nil
                                            error:&err];

// Retry as read-only if the first attempt failed.
if (bmData == nil)
    bmData = [fileURL bookmarkDataWithOptions:options | NSURLBookmarkCreationSecurityScopeAllowOnlyReadAccess
               includingResourceValuesForKeys:nil
                                relativeToURL:nil
                                        error:&err];

(I repeat the bookmark creation if it failed the first time, because for files that the user only has read-access to, the first creation will fail.)


Thank you for your help and input,

- Matt

Sorry for the bump, but does anyone have any insight into this?


Thank you kindly!

- Matt

One last bump in the hope that maybe someone has an answer to this? You'd be helping me out a lot - thank you!

Accepted Answer

I can see two potential causes for this:

  1. something is borked with code signing on the user’s machine — The scoped bookmark machinery needs to be able to get the code signature of your app in order to do its magic, and if that failed you’d get an error like this.

  2. something is borked with the user’s keychain — The scoped bookmark machinery stores a secret in the keychain (you can see it in Keychain Utility by searching for “com.apple.scopedbookmarksagent.xpc”) and you’d get this error if that was failing somehow.

Of these, #2 seems most likely. It’s also easy to test. Have the user create a new account and repeat their test in that account. The new account will have a new keychain, and thus avoid any potential borkage with the user’s current keychain.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hey, eskimo!


Sorry for reviving this thread, but I was wondering - is there a way for the user to repair their keychain or the code signing machinery, without having to create a new user account?


Thank you kindly,

Matt

Well, creating a new user account is just a diagnostic test; I wouldn’t expect that to be the final solution to this problem.

Is this happening to you? Or to one of your app’s users?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for getting back to me.


I've had about 3 users with this particular error so far. One was content with creating a new user, the other two aren't savvy enough to do it, and I wouldn't want anyone to create a new user account just because of my app, anyway.

So a repair for the keychain or something like that would be wonderful.

I’m reluctant to offer advice on this front. The folks who are experts at resolving user issues like this one are AppleCare.

If this were my Mac I’d reset the keychain by:

  1. In Keychain Access, creating a temporary keychain

  2. Setting it as the default

  3. Removing the old keychain from the search list

  4. In the Finder, moving that file aside

  5. Back in Keychain Access, creating another new keychain, this time called login

  6. Making it the default

  7. Removing the temporary keychain

The problem with recommending this to non-technical users is that a) it’s not easy to do, and b) it might interact badly with various user scenarios, most notably iCloud Keychain.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I was getting this error when trying to give sandbox access to BBEdit, and when I searched for “com.apple.scopedbookmarksagent.xpc” in Keychain Access, I found such an item in two different keychains. I deleted both items and rebooted. Now the problem seems to be fixed, so thanks very much for the information, Quinn.

Because my other thread ( https://forums.developer.apple.com/forums/thread/765433 ) is not getting any response to this pressing matter, please forgive me reviving this older thread.

Has there been a change to security-scoped fileURL bookmarks in macOS Sequoia (like a new entitlement, for example)?
I've been getting multiple reports of my app just not being able to create security-scoped bookmarks for file URLs, although my code for this has not changed.

There are two cases: for some customers, it doesn't work at all; for others, it works (to quote one) "like 40% of the time". There's no discernible pattern to it working or failing (like, internal/external disks, file types, etc.).

Naturally, I cannot reproduce this issue myself, but I do know that it's not just the Mac App Store version, it also happens for my demo and Setapp versions of the app (which also run in the app sandbox).

When the bookmark creation fails, it is accompanied by this line in the logs:

Failed to retrieve app-scope key

A restart fixes the issue temporarily (most but not all of the time), sometimes even just a relaunch of my app. But that's just an annoying temporary fix, and the issue reoccurs after a while.
It definitely seems to be tied to macOS Sequoia - I've not received reports of it not working on older versions of macOS.

Thank you for any and all insights,
– Matthias

Will be fixed with macOS 15.1, according to this thread: https://forums.developer.apple.com/forums/thread/764435?answerId=806097022#806097022
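
An added example (not Yoink's or Apple's code): the question's two-step bookmark creation, rewritten to keep the error from each attempt and to flag the app-scope key failure separately, so the app can tell this keychain or code-signing problem apart from an ordinary permission error. The `YK`-prefixed names are hypothetical; the domain, code 256 and debug description are taken from the error quoted in the thread.

```objc
#import <Foundation/Foundation.h>

// Hypothetical helper names; only the NSURL bookmark API and the error
// domain/code/description come from the thread.
typedef NS_ENUM(NSInteger, YKBookmarkFailure) {
    YKBookmarkFailureNone = 0,
    YKBookmarkFailureAppScopeKey,  // Cocoa 256 "Failed to retrieve app-scope key"
    YKBookmarkFailureOther
};

static BOOL YKIsAppScopeKeyError(NSError *error) {
    if (error == nil) return NO;
    if (![error.domain isEqualToString:NSCocoaErrorDomain] || error.code != 256) return NO;
    NSString *debug = error.userInfo[@"NSDebugDescription"];
    return [debug isKindOfClass:[NSString class]] &&
           [debug containsString:@"Failed to retrieve app-scope key"];
}

static NSData *YKCreateScopedBookmark(NSURL *fileURL, YKBookmarkFailure *failure) {
    NSURLBookmarkCreationOptions options = NSURLBookmarkCreationWithSecurityScope;
    NSError *rwError = nil;
    NSError *roError = nil;

    NSData *data = [fileURL bookmarkDataWithOptions:options
                     includingResourceValuesForKeys:nil
                                      relativeToURL:nil
                                              error:&rwError];
    if (data == nil) {
        // Read-only fallback, as in the question. A separate NSError keeps
        // the first attempt's error from being overwritten.
        data = [fileURL bookmarkDataWithOptions:options | NSURLBookmarkCreationSecurityScopeAllowOnlyReadAccess
                 includingResourceValuesForKeys:nil
                                  relativeToURL:nil
                                          error:&roError];
    }
    if (data != nil) {
        if (failure) *failure = YKBookmarkFailureNone;
        return data;
    }
    BOOL keyError = YKIsAppScopeKeyError(rwError) || YKIsAppScopeKeyError(roError);
    if (failure) *failure = keyError ? YKBookmarkFailureAppScopeKey : YKBookmarkFailureOther;
    // Log only the file name, not the full path, to keep user paths out of logs.
    NSLog(@"Scoped bookmark failed for %@: read-write=%@ read-only=%@",
          fileURL.lastPathComponent, rwError, roError);
    return nil;
}
```

When the result is `YKBookmarkFailureAppScopeKey`, the app can point the user at the keychain and code-signing causes discussed in the thread rather than reporting a generic file error.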