KeyChainStore returns 34018 error

I am trying to implement KeyChain sharing in my iOS app to share passwords between different iOS applications. I am using the library `UICKeyChainStore` for this purpose.


I have added the same line of code in 2 places: inside applicationDidFinishLaunching and inside my ViewController. It works inside the AppDelegate but does not work inside the ViewController.


AppDelegate.m (this works)


self.keychainStore = [UICKeyChainStore keyChainStoreWithService:@"PasswordService" accessGroup:@"group_name"];

self.keychainStore[@"password"] = @"abcd1234";

NSLog(@"%@", self.keychainStore[@"password"]);



Inside my ViewController's ViewDidLoad method, the same code simply prints (null) in the console.



AppDelegate *appDelegate = (AppDelegate *)[[UIApplication sharedApplication] delegate];

appDelegate.keychainStore[@"p2"] = @"1234";

NSLog(@"%@", appDelegate.keychainStore[@"p2"]);



When I dug deeper into the library, the error message getting thrown is:

Error Domain=com.kishikawakatsumi.uickeychainstore Code=-34018 "Security error has occurred." UserInfo=0x174e76540 {NSLocalizedDescription=Security error has occurred.}

Replies

Error -34018 is not publicly documented but it translates to errSecMissingEntitlement. There are two causes of this error:
  • build-time entitlement problems

  • a hard-to-reproduce runtime bug

The second problem is covered by a long-running thread elsewhere on DevForums. However, it sounds like you're hitting this problem every time, in which case you have a build-time problem. Run the following command over the app binary to confirm that it's built with the entitlements you're expecting.

$ codesign -d --entitlements :- /path/to/your.app

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

So I run the command.

$ codesign -d --entitlements :- /path/to/your.app

And what? What is that useful for? How do I know I have the right entitlements? Do my entitlements need special configuration so that KeyChain works? I don't understand.

There is no way to solve this as it's an Apple bug.

The only way is killing the app, cleaning your device memory (by closing other apps from background) and restarting the app again.

There is no future resolution for this bug.

There is no way to solve this as it's an Apple bug.

It’s more subtle than that. There are actually two potential causes of this problem:

  • If the problem is 100% reproducible, it’s likely that your entitlements are set up incorrectly.

  • If your app works most of the time but you see this error on occasion, you’re hitting this OS bug.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Well, if it's the second one I would still offer to apply a bug report. More reports, greater priority for the fix!

"However, it sounds like you're hitting this problem every time, in which case you have a build-time problem. Run the following command over the app binary to confirm that it's built with the entitlements you're expecting."


$ codesign -d --entitlements :- /path/to/your.app


What IS the entitlement we should see in the Provisioning Profile and Entitlement plist to put this -34108 error away?


I used your command line above and


security cms -D -i /path/to/installed/.mobileprovision


yet am not sure what I'm looking for. (they are quite lengthy) I am assuming they are the


<key>keychain-access-groups</key>   (profile)


<key>com.apple.security.application-groups</key>   (plist)

IMPORTANT Before looking into -34018 errors, make sure you read my Error -34018 errSecMissingEntitlement pinned post.

What IS the entitlement we should see in the Provisioning Profile and Entitlement plist …?

Ooo, you’re in luck, I just posted about this.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Ooo, you’re in luck, I just posted about this.


Thank you Quinn. That post helped me to notice in the provisioning profile:


<key>Entitlements</key>
    <dict>
        <key>keychain-access-groups</key>
        <array>
            <string>NKRQBLSUY2.*</string>
        </array>
....


Is the value for keychain-access-groups correct or should the string match the value in the provisioning profile? Which looks like:

<key>keychain-access-groups</key>
<array>
      <string>NKRQBLSUY2.com.theCompany.theAppName.apps.shared</string>
</array>

I’ve responded over on your other thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
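
The build-time comparison this thread keeps asking about, as an added example that is not part of any post: it parses the plist printed by `codesign -d --entitlements :-` and the one printed by `security cms -D -i`, then checks that every signed `keychain-access-groups` entry is covered by the profile's list, where a trailing `*` is a wildcard. The two plists, the team ID `ABCDE12345`, the bundle names and the function names are constructed for illustration; that the access group passed to the API must appear in full in the signed list is an assumption of this example.

```python
import plistlib

# Constructed sample standing in for `codesign -d --entitlements :- /path/to/your.app`
SIGNED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
  <key>keychain-access-groups</key>
  <array><string>ABCDE12345.com.example.shared</string></array>
</dict></plist>"""

# Constructed sample standing in for `security cms -D -i embedded.mobileprovision`
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Entitlements</key><dict>
    <key>keychain-access-groups</key>
    <array><string>ABCDE12345.*</string></array>
  </dict>
</dict></plist>"""

def access_groups(plist_bytes, from_profile=False):
    """Return the keychain-access-groups array from either plist."""
    doc = plistlib.loads(plist_bytes)
    if from_profile:  # the profile nests entitlements one level down
        doc = doc.get("Entitlements", {})
    return list(doc.get("keychain-access-groups", []))

def covered(group, pattern):
    """Profile entries are literal, or a prefix followed by '*'."""
    if pattern.endswith("*"):
        return group.startswith(pattern[:-1])
    return group == pattern

def check(signed, profile, requested):
    """Return a list of problems; an empty list means the setup is consistent."""
    claimed = access_groups(signed)
    allowed = access_groups(profile, from_profile=True)
    problems = []
    if not claimed:
        problems.append("binary is signed without keychain-access-groups")
    for group in claimed:
        if not any(covered(group, pat) for pat in allowed):
            problems.append(f"{group} is not covered by the profile")
    if requested not in claimed:  # assumption: API needs the full prefixed name
        problems.append(f"{requested!r} is not listed in the signed entitlements")
    return problems

if __name__ == "__main__":
    for line in check(SIGNED, PROFILE, "group_name") or ["entitlements consistent"]:
        print(line)
```
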