Problems with keychain sharing on Mac

Since the older ACL APIs are deprecated, I'm switching to using keychain sharing.

I've seen this post: https://developer.apple.com/forums/thread/123824

My app has an embedded login item helper app as well as a commandline program. I need the main app and commandline program to share keychain items.

My app is not sandboxed/MAS; it is Developer ID.

I first tried setting up an app group. I created an app group on the dev portal, tied to the app IDs, and tied those to provisioning profiles.

When the main app stores a keychain password (via SecItemAdd), it fails citing lack of entitlements. Note that I fetch the app group dynamically from the bundle's entitlements and set the kSecUseDataProtectionKeychain flag in the query.

If I switch to keychain groups, it works. Problem is that the commandline program crashes on launch. If I provide a separate entitlement file for the commandline program omitting the keychain group entry, it launches but fails to find the keychain item.

Is there a way to get this all working? I'm seriously tempted to go back to the ACL code and suppress the deprecation warnings.
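The flow described in the question (read the group identifier from the running process's own entitlements, then add and fetch a generic-password item in the data protection keychain under that access group) written out as an added example. This is not the poster's code; the service and account names are made up, the two entitlement keys are the real ones for app groups and keychain access groups, and which of them applies depends entirely on how the target was signed.

```swift
import Foundation
import Security

// Entitlement keys that can carry a keychain access group on macOS.
// "com.apple.security.application-groups" is the app-group entitlement,
// "keychain-access-groups" the keychain-group entitlement.
enum AccessGroupSource: String {
    case appGroup = "com.apple.security.application-groups"
    case keychainGroup = "keychain-access-groups"
}

// Read the first group listed under the given entitlement key from the
// current process's code signature. Returns nil when the entitlement is
// absent, which is the first thing to check when SecItemAdd reports a
// missing-entitlement error.
func firstAccessGroup(from source: AccessGroupSource) -> String? {
    guard let task = SecTaskCreateFromSelf(nil) else { return nil }
    var error: Unmanaged<CFError>?
    let value = SecTaskCopyValueForEntitlement(task, source.rawValue as CFString, &error)
    return (value as? [String])?.first
}

// Attributes shared by add, delete and lookup. kSecUseDataProtectionKeychain
// routes the item to the data protection keychain, where access-group sharing
// applies, instead of the legacy file-based login keychain and its ACLs.
private func baseQuery(service: String, account: String, accessGroup: String) -> [CFString: Any] {
    return [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecAttrAccessGroup: accessGroup,
        kSecUseDataProtectionKeychain: true,
    ]
}

// Store (or replace) a password under the given access group.
func storePassword(_ password: String, service: String, account: String, accessGroup: String) -> OSStatus {
    let base = baseQuery(service: service, account: account, accessGroup: accessGroup)
    SecItemDelete(base as CFDictionary) // ignore errSecItemNotFound on first run
    var add = base
    add[kSecValueData] = Data(password.utf8)
    return SecItemAdd(add as CFDictionary, nil)
}

// Fetch the password back; a second process signed into the same group
// runs exactly this query to share the item.
func readPassword(service: String, account: String, accessGroup: String) -> (OSStatus, String?) {
    var query = baseQuery(service: service, account: account, accessGroup: accessGroup)
    query[kSecReturnData] = true
    query[kSecMatchLimit] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else { return (status, nil) }
    return (status, String(decoding: data, as: UTF8.self))
}

// Human-readable status text for diagnosing failures such as errSecMissingEntitlement.
func describe(_ status: OSStatus) -> String {
    return (SecCopyErrorMessageString(status, nil) as String?) ?? "OSStatus \(status)"
}

// Constructed names; the group comes from whichever entitlement the binary carries.
let service = "com.example.sharedsecret"   // hypothetical
let account = "demo-user"                  // hypothetical
guard let group = firstAccessGroup(from: .appGroup) ?? firstAccessGroup(from: .keychainGroup) else {
    print("no app group or keychain access group entitlement found in this binary")
    exit(1)
}
let addStatus = storePassword("hunter2", service: service, account: account, accessGroup: group)
print("add:", describe(addStatus))
let (readStatus, value) = readPassword(service: service, account: account, accessGroup: group)
print("read:", describe(readStatus), value ?? "<none>")
```

Before comparing results between the app and the command-line tool, confirm what each binary was actually signed with using `codesign -d --entitlements - <path>`; the query above can only succeed when the group it passes in kSecAttrAccessGroup is present in that output for every process that touches the item.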
