Our app creates ECDSA signatures by calling SecKeyCreateSignature() using a private key that is protected by the secure enclave. On iOS 17 beta our backend rejects some of those signatures as invalid while on previous iOS versions everything is fine. Did anything change in the security framework in iOS 17 that I missed in the release notes or the API diffs?
SecKeyCreateSignature creates invalid ECDSA signatures on iOS 17 beta
iOS 17 beta is a major OS release, which means lots of things have changed. It’s not feasible to map from a high-level description of an issue like this to a specific change. For example, you’re assuming that the problem is with the signature generation, but what if there’s a networking issue that’s corrupting the data you send to your server? You’ll need to do some debugging to isolate the issue.
My favourite trick to debug problems like this is to verify the signature on iOS before sending it to your server. That’ll tell you whether iOS itself thinks the signature is valid.
If so, the next step is to confirm that the data and its signature made it to your server intact. On both the iOS and server side, generate an independent hash of the data and the signature and check that they match.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
@eskimo I am not really getting anywhere with this so far other than that I can confirm the problem still persists in yesterday's beta 7. Would it be helpful if I opened a DTS incident for this?
I am not really getting anywhere with this so far
What I’m suggesting is something like the process we went through in this thread.
Would it be helpful if I opened a DTS incident for this?
Sure. But it’s likely that that conversation will start with exactly the suggestions I’m making here.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
FWIW:
If so, the next step is to confirm that the data and its signature made it to your server intact. On both the iOS and server side, generate an independent hash of the data and the signature and check that they match.
Turns out this was the issue, the cause being the same as the one discussed in this thread. But thanks anyway.