I presume you’re working on iOS (or watchOS or tvOS) here; if you’re developing for the Mac, things are more complex.
You can think of the keychain as a database table, where rows in the table are keychain items and columns are various keychain attributes. One of those attributes is
kSecAttrAccessGroup
, the
access group of the item. Here’s how things break down by API:
For the query APIs (like
SecItemCopyMatching
), if you don’t supply kSecAttrAccessGroup
in the query then it does a wildcard search, returning all items you have access to, that is, whose access group is contained in your app’s effective keychain access group list.OTOH, when your query contains a value for
kSecAttrAccessGroup
then:
When you create an item (
SecItemAdd
), if you don’t supply a value for kSecAttrAccessGroup
then its access group is set to the default keychain access group.OTOH, if you do supply a value for
kSecAttrAccessGroup
then that value is used as the access group of the new item. Obviously this must be in the app’s effective keychain access group list
Note If your new item is not unique the add will fail with
errSecDuplicateItem
. To understand uniqueness in the keychain, read
this post from the old DevForums.
Your app’s effective keychain access group list is defined by its entitlements (which, in turn, must be whitelisted by its provisioning profile). Specifically, it is formed by concatenating, in order, all of the following:
The first item in this list is the default keychain access group.
So, to debug keychain access group problems you must:
dump the entitlements of all parties involved
dump the access group of the items involved
evaluate the results based on the discussion above
You can dump entitlements like this:
$ codesign -d --entitlements :- /path/to/your.app
If you have an
.appex
inside your app, you must also dump its entitlements. To do this, pass in the path to that
.appex
. Make sure you do the one inside the app, not the one at the top level of the build folder, to avoid any problems with the entitlements being changed as the
.appex
is copied into your
.app
.
If you want to figure out the entitlements for your app that’s currently in the store, you can download it via iTunes on the Mac, unpack it (the
.ipa
is actually a
.zip
), and dump entitlements from there.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"