Mac app via TestFlight requires user to enter password for keychain

Privacy & Security General
raymo OP
Created Dec ’21
Replies 8
Boosts 0
Views 1.8k
Participants 3

Hi,

I have an existing Mac app and when I build and install via the new Mac TestFlight, the user is prompted to enter in their system password in order for the app to have access to it's own keychain items.

If I export the very same archive using a Developer ID or using the Developer option, it doesn't require the user to re-enter their password.

Is it possible that there's something wrong with the way TestFlight signs the app or am I doing something wrong? I've looked at the DR for each of the builds and they are all different in some way so not sure what that tells me.

For example, the DRs for each are: /existing Mac App Store

designated => (anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists / or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = ZL5FFY3M32) and identifier "X.X.X"

/TestFlight build

designated => anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.25.1] /* exists */ and identifier "X.X.X"

/Developer ID

designated => anchor apple generic and identifier "X.X.X" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists / or certificate 1[field.1.2.840.113635.100.6.2.6] / exists / and certificate leaf[field.1.2.840.113635.100.6.1.13] / exists */ and certificate leaf[subject.OU] = ZL5FFY3M32)

X.X.X is the correct and same bundle ID of my app. Clearly the TestFlight DR is "more" different but not sure what is the problem and how I would fix it.

Any help would be greatly appreciated and Merry Christmas! //Ray

Answered by DTS Engineer in 731034022

For anyone hitting this issue, Eskimo discovered that this is a bug with TestFlight for Mac.

FYI, we believe we’ve fixed this in macOS 13.0 beta (r. 88185629). However, I still stand by my advice on this thread: If you can use the data protection keychain, you should. It’s the future of the keychain on our platforms.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies  8
Boosts  0
Views  1.8k
Participants  3
DTS Engineer OP
Apple
Dec ’21

Have you historically had this problem between your Developer ID app and your Mac App Store app? Or is this new in TestFlight?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
DTS Engineer OP
Apple
Jan ’22

I do have a support request in as well

Indeed. That just landed in my queue and I’ll respond there once I get back into the office on Thursday.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
raymo OP
Jan ’22

Thanks Eskimo! For anyone hitting this issue, Eskimo discovered that this is a bug with TestFlight for Mac. I've filed a bug report on this (FB9836675). He also suggested to use iOS style keychains to work around the issue.

0
bjhomer OP
Jan ’22

I've been running into this too; it's quite annoying. Can you clarify what using "iOS style keychains" as a workaround means?

0
DTS Engineer OP
Apple
Jan ’22

raymo is referring to the data protection keychain. For more background on this — the Mac has three keychain APIs and two keychain back ends! — see On Mac Keychains.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
bjhomer OP
Feb ’22

Thanks, Quinn. That's very helpful I assume that if I have an item in the file-based keychain, then I won't find it if I query with kSecUseDataProtectionKeychain = true. So to migrate from the file-based keychain to the data protection keychain, I would need to do the following:

  • First check if it's in the data protection keychain
  • If not, check if it's in the file-based keychain
    • If found there, save a copy to the data protection keychain
    • Optionally, delete it from the file-based keychain

Does that sound correct?

0
DTS Engineer OP
Apple
Feb ’22

I assume that if I have an item in the file-based keychain, then I won't find it if I query with kSecUseDataProtectionKeychain = true.

Correct.

Does that sound correct?

There are a tonne of ways you could do this but the approach you’ve outlined sounds reasonable enough.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
DTS Engineer OP
Apple
Oct ’22
Accepted Answer

For anyone hitting this issue, Eskimo discovered that this is a bug with TestFlight for Mac.

FYI, we believe we’ve fixed this in macOS 13.0 beta (r. 88185629). However, I still stand by my advice on this thread: If you can use the data protection keychain, you should. It’s the future of the keychain on our platforms.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
Mac app via TestFlight requires user to enter password for keychain
First post date Last post date
 
 
Q