"Failed to retrieve app-scope key" in sandboxed app

Hi all.


A customer of my app Yoink has an issue with it. When he tries to drag a file to it, the console reports this:

"Error Domain=NSCocoaErrorDomain Code=256 "Failed to retrieve app-scope key" UserInfo={NSDebugDescription=Failed to retrieve app-scope key}"


The app, as soon as it retrieves an NSURL via drag and drop, creates a security-scoped bookmark from it (the entitlements are set correctly, of course, because for me and everyone else who uses this app, except this one person, it works fine).


So, now my question is, what causes "Failed to retrieve app-scope key"?


The app creates the bookmark like this:

NSError *err = nil;
NSURLBookmarkCreationOptions options = NSURLBookmarkCreationWithSecurityScope;

// First attempt: a read/write security-scoped bookmark.
NSData *bmData = [fileURL bookmarkDataWithOptions:options
                   includingResourceValuesForKeys:nil
                                    relativeToURL:nil
                                            error:&err];

// Fallback: a read-only scope, for files the user can only read.
if (bmData == nil) {
    bmData = [fileURL bookmarkDataWithOptions:options | NSURLBookmarkCreationSecurityScopeAllowOnlyReadAccess
              includingResourceValuesForKeys:nil
                               relativeToURL:nil
                                       error:&err];
}

(I repeat the bookmark creation if it failed the first time, because for files that the user only has read access to, the first creation will fail.)


Thank you for your help and input,

- Matt
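As an added example (not Matt's code and not from Yoink), here is the full lifecycle that the snippet above is one piece of: create the bookmark with the read-only fallback, log the error domain and code when creation fails so a user report contains them, then resolve the bookmark later and bracket file access with start/stop accessing. The helper names MakeScopedBookmark and WithScopedAccess are assumptions made for this example. Note that the scoped-bookmark machinery is only really exercised inside a signed, sandboxed app; run as a bare command-line tool it will create and resolve bookmarks, but without the sandbox there is nothing for the scope to grant.

```objective-c
#import <Foundation/Foundation.h>

// Added example, not the original poster's code. Creates a security-scoped
// bookmark for a dropped URL, retrying read-only if the read/write attempt
// fails (e.g. the user only has read access to the file).
static NSData *MakeScopedBookmark(NSURL *fileURL, NSError **outError) {
    NSURLBookmarkCreationOptions options = NSURLBookmarkCreationWithSecurityScope;
    NSError *err = nil;
    NSData *bmData = [fileURL bookmarkDataWithOptions:options
                       includingResourceValuesForKeys:nil
                                        relativeToURL:nil
                                                error:&err];
    if (bmData == nil) {
        bmData = [fileURL bookmarkDataWithOptions:options | NSURLBookmarkCreationSecurityScopeAllowOnlyReadAccess
                  includingResourceValuesForKeys:nil
                                   relativeToURL:nil
                                           error:&err];
    }
    if (bmData == nil && err != nil) {
        // Log domain and code so a user report shows e.g. NSCocoaErrorDomain 256.
        NSLog(@"bookmark creation failed for %@: %@ (%ld) %@",
              fileURL.path, err.domain, (long)err.code, err.localizedDescription);
        if (outError) *outError = err;
    }
    return bmData;
}

// Resolves a stored bookmark and runs `block` while access is granted.
// Returns NO if the bookmark could not be resolved or access was refused.
static BOOL WithScopedAccess(NSData *bmData, void (^block)(NSURL *url), NSError **outError) {
    BOOL stale = NO;
    NSError *err = nil;
    NSURL *url = [NSURL URLByResolvingBookmarkData:bmData
                                           options:NSURLBookmarkResolutionWithSecurityScope
                                     relativeToURL:nil
                               bookmarkDataIsStale:&stale
                                             error:&err];
    if (url == nil) {
        if (outError) *outError = err;
        return NO;
    }
    if (stale) {
        // A stale bookmark still resolves, but should be regenerated and re-saved.
        NSLog(@"bookmark for %@ is stale; regenerate it", url.path);
    }
    if (![url startAccessingSecurityScopedResource]) {
        return NO;
    }
    block(url);
    [url stopAccessingSecurityScopedResource];
    return YES;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        if (argc < 2) {
            fprintf(stderr, "usage: %s <path>\n", argv[0]);
            return 1;
        }
        NSURL *fileURL = [NSURL fileURLWithPath:@(argv[1])];
        NSError *err = nil;
        NSData *bm = MakeScopedBookmark(fileURL, &err);
        if (bm == nil) return 2;

        // In a real app the bookmark data would be persisted here and resolved
        // on a later launch; this example resolves it immediately.
        BOOL ok = WithScopedAccess(bm, ^(NSURL *url) {
            NSError *readErr = nil;
            NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:url.path
                                                                                   error:&readErr];
            NSLog(@"accessed %@: %@", url.path, attrs[NSFileSize] ?: readErr);
        }, &err);
        return ok ? 0 : 3;
    }
}
```

Build with `clang -fobjc-arc -framework Foundation scoped.m -o scoped` and pass a file path. Every call to startAccessingSecurityScopedResource that returns YES must be paired with stopAccessingSecurityScopedResource; leaking those grants is a common source of "it works until the 20th file" bugs.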

Accepted Reply

I can see two potential causes for this:

  1. something is borked with code signing on the user’s machine — The scoped bookmark machinery needs to be able to get the code signature of your app in order to do its magic, and if that failed you’d get an error like this.

  2. something is borked with the user’s keychain — The scoped bookmark machinery stores a secret in the keychain (you can see it in Keychain Utility by searching for “com.apple.scopedbookmarksagent.xpc”) and you’d get this error if that was failing somehow.

Of these, #2 seems most likely. It’s also easy to test. Have the user create a new account and repeat their test in that account. The new account will have a new keychain, and thus avoid any potential borkage with the user’s current keychain.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
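As an added example (not Quinn's or Apple's code), here is a small diagnostic an app could run when bookmark creation fails, checking the two causes named above: whether the running app's own code signature validates, and how many keychain items carry the scoped-bookmark agent's name. The function names are made up for this example, and it assumes the agent's item is a generic ("application") password whose service name is "com.apple.scopedbookmarksagent.xpc"; if the item is stored differently the query will simply report zero.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Added example, not the original reply's code. Checks the two causes named
// in the reply: (1) the running app's code signature does not validate, and
// (2) the scoped-bookmark agent's keychain item is missing or duplicated.

// Cause 1: ask the code signing machinery to validate our own signature.
// Returns errSecSuccess when the signature is valid.
static OSStatus CheckOwnCodeSignature(void) {
    SecCodeRef code = NULL;
    OSStatus status = SecCodeCopySelf(kSecCSDefaultFlags, &code);
    if (status != errSecSuccess) return status;
    status = SecCodeCheckValidity(code, kSecCSDefaultFlags, NULL);
    CFRelease(code);
    return status;
}

// Cause 2: count keychain items in the search list that carry the agent's
// name. Assumption for the example: the item is a generic password whose
// service is "com.apple.scopedbookmarksagent.xpc". Exactly one is the normal
// state; zero or more than one is suspicious (the thread's last reply found
// the item in two keychains). Returns -1 if the query itself fails.
static NSInteger CountScopedBookmarkAgentItems(OSStatus *outStatus) {
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: @"com.apple.scopedbookmarksagent.xpc",
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitAll,
        (__bridge id)kSecReturnAttributes: @YES,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) *outStatus = status;
    if (status == errSecItemNotFound) return 0;
    if (status != errSecSuccess) return -1;
    NSArray *items = CFBridgingRelease(result);
    return (NSInteger)items.count;
}

int main(void) {
    @autoreleasepool {
        OSStatus sig = CheckOwnCodeSignature();
        NSLog(@"code signature: %@ (OSStatus %d)",
              sig == errSecSuccess ? @"valid" : @"INVALID", (int)sig);

        OSStatus kcStatus = errSecSuccess;
        NSInteger n = CountScopedBookmarkAgentItems(&kcStatus);
        if (n < 0) {
            NSLog(@"keychain query failed: OSStatus %d", (int)kcStatus);
        } else {
            NSLog(@"scopedbookmarksagent items in keychain search list: %ld%@",
                  (long)n, n == 1 ? @"" : @" (unexpected; expected exactly 1)");
        }
        return (sig == errSecSuccess && n == 1) ? 0 : 1;
    }
}
```

Build with `clang -fobjc-arc -framework Foundation -framework Security diag.m -o diag`. The query only asks for attributes, not the secret, so it should not trigger a keychain access prompt; shipping this inside a sandboxed app and writing its output to the log gives a support-friendly way to distinguish the two causes without asking a user to create a second account.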

Replies

Sorry for the bump, but does anyone have any insight into this?


Thank you kindly!

- Matt

One last bump in the hope that maybe someone has an answer to this? You'd be helping me out a lot - thank you!


Hey, eskimo!


Sorry for reviving this thread, but I was wondering - is there a way for the user to repair their keychain or the code signing machinery, without having to create a new user account?


Thank you kindly,

Matt

Well, creating a new user account is just a diagnostic test; I wouldn’t expect that to be the final solution to this problem.

Is this happening to you? Or to one of your app’s users?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for getting back to me.


I've had about 3 users with this particular error so far. One was content with creating a new user, the other two aren't savvy enough to do it, and I wouldn't want anyone to create a new user account just because of my app, anyway.

So a repair for the keychain or something like that would be wonderful.

I’m reluctant to offer advice on this front. The folks who are experts at resolving user issues like this one are AppleCare.

If this were my Mac I’d reset the keychain by:

  1. In Keychain Access, creating a temporary keychain

  2. Setting it as the default

  3. Removing the old keychain from the search list

  4. In the Finder, moving that file aside

  5. Back in Keychain Access, creating another new keychain, this time called login

  6. Making it the default

  7. Removing the temporary keychain

The problem with recommending this to non-technical users is that a) it’s not easy to do, and b) it might interact badly with various user scenarios, most notably iCloud Keychain.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I was getting this error when trying to give sandbox access to BBEdit, and when I searched for “com.apple.scopedbookmarksagent.xpc” in Keychain Access, I found such an item in two different keychains. I deleted both items and rebooted. Now the problem seems to be fixed, so thanks very much for the information, Quinn.