6 Replies
      Latest reply: Feb 9, 2017 2:41 PM by eskimo
      Macho Man Randy Savage Level 3 (265 points)

        Have an app I'm working on that stores an item in the keychain. Everything was working fine. I have a button in the UI that allows the user to clear out the keychain item:

        // Query for the generic-password item this app created earlier
        // (service and accountKey are NSString values defined elsewhere in the app).
        NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
                                (__bridge id)kSecAttrService: service,
                                (__bridge id)kSecAttrAccount: accountKey};

        // Remove the item; a non-zero OSStatus means the delete failed
        OSStatus status = SecItemDelete((__bridge CFDictionaryRef)query);

        Status is -25244 which is errSecInvalidOwnerEdit. This app created the keychain item to begin with. What would be the appropriate way to handle this type of error?

        • Re: errSecInvalidOwnerEdit returned from SecItemDelete
          Macho Man Randy Savage Level 3 (265 points)

          hmm...so when I get this error, I try to update the item using SecItemUpdate. SecItemUpdate for the item does not return an error (I get errSecSuccess).

           

          So I can update the keychain item, but I cannot delete it?

            • Re: errSecInvalidOwnerEdit returned from SecItemDelete
              Macho Man Randy Savage Level 3 (265 points)

              I just opened keychain access and deleted the item there. Then I ran my app, created a new item and deleting it from the keychain now works again.

               

              Would be interested in hearing suggestions of how to handle this error if this were to happen in a production release. An alert "go to keychain access and delete this manually" doesn't seem great.

                • Re: errSecInvalidOwnerEdit returned from SecItemDelete
                  eskimo Apple Staff (6,075 points)

                  I presume, based on your mention of Keychain Access, that we’re talking about macOS here.  If so, this is likely a code signing issue.

                  When you create a keychain item (in the old school Mac keychain, not iCloud Keychain, which works like iOS), it gets a default ACL that allows your app to access, modify and delete that item.  How does it identify “your app”?  Based on its code signature (technically its designated requirement).  If you add a keychain item and then change your code signing, and hence your DR, you can get into situations like this.

                  Unless you see this happening in end user scenarios, I wouldn’t add code to handle it.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: errSecInvalidOwnerEdit returned from SecItemDelete
                      Macho Man Randy Savage Level 3 (265 points)

                      Yep, it's a macOS app. Thank you for your helpful response.

                      • Re: errSecInvalidOwnerEdit returned from SecItemDelete
                        konstantinpavlikhin Level 1 (0 points)

                        Quinn, I have the same issue with a keychain in my app. It seems to happen when I move my application bundle to a different place on disk. For example: the app is launched from the ~/Downloads folder and a new keychain item is created. As long as the app stays in place I can update or delete my keychain item as I like. But after the app is moved to another path, like /Applications (or whatever), I can only read, but cannot remove the item from the keychain. I get errSecInvalidOwnerEdit error. I am definitely sure there are no issues with codesign. Would you please help? It seems to me that this observed differentiation of apps based on their launch path is extremely limited and inconvenient. IMO Keychain ACL should differentiate apps based on their identity, not their location. On Mac it's perfectly legal to duplicate apps, move them around and so on...

                         

                        Update: It seems like you have to rename the app bundle to reproduce this issue.

                          • Re: errSecInvalidOwnerEdit returned from SecItemDelete
                            eskimo Apple Staff (6,075 points)

                            It seems like you have to rename the app bundle to reproduce this issue.

                            I don’t have much in the way of meaningful input here.  Honestly, this sounds like a bug, and I think it’d be reasonable for you to file it as such (please post your bug number, just for the record).  If you’d like to dig into it deeper, you should open a DTS tech support incident so that you can discuss this with one of my colleagues.

                            Share and Enjoy

                            Quinn “The Eskimo!”
                            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                            let myEmail = "eskimo" + "1" + "@apple.com"
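The code-signing explanation in Quinn's reply and the bundle-move observation from konstantinpavlikhin can both be checked from inside the app. The following is an added example, not code from the thread or from Apple: it wraps the original delete and, on errSecInvalidOwnerEdit, logs the readable error text and the app's own designated requirement, so the value from the build that created the item can be compared with the value from the build (or the moved/renamed bundle) that fails to delete it. `service` and `accountKey` are assumed NSString values; `LogOwnDesignatedRequirement` and `DeleteKeychainItem` are hypothetical helper names.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper (not from the thread): log the running process's
// designated requirement (DR). The keychain item's default ACL identifies
// "this app" by its DR, so if the string printed here differs between the
// build that created the item and the one that cannot delete it, that is
// the ACL mismatch described in the thread.
static void LogOwnDesignatedRequirement(void) {
    SecCodeRef code = NULL;
    SecStaticCodeRef staticCode = NULL;
    SecRequirementRef dr = NULL;
    CFStringRef drText = NULL;
    if (SecCodeCopySelf(kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecCodeCopyStaticCode(code, kSecCSDefaultFlags, &staticCode) == errSecSuccess &&
        SecCodeCopyDesignatedRequirement(staticCode, kSecCSDefaultFlags, &dr) == errSecSuccess &&
        SecRequirementCopyString(dr, kSecCSDefaultFlags, &drText) == errSecSuccess) {
        NSLog(@"designated requirement: %@", (__bridge NSString *)drText);
    }
    if (drText) CFRelease(drText);
    if (dr) CFRelease(dr);
    if (staticCode) CFRelease(staticCode);
    if (code) CFRelease(code);
}

// Hypothetical wrapper around the delete from the original post. On
// errSecInvalidOwnerEdit (-25244) it logs the human-readable message and the
// DR for diagnosis rather than telling the user to open Keychain Access.
// Returns the OSStatus so the caller can still decide what to show.
static OSStatus DeleteKeychainItem(NSString *service, NSString *accountKey) {
    NSDictionary *query = @{(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
                            (__bridge id)kSecAttrService: service,
                            (__bridge id)kSecAttrAccount: accountKey};
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)query);
    if (status == errSecInvalidOwnerEdit) {
        CFStringRef msg = SecCopyErrorMessageString(status, NULL);
        NSLog(@"SecItemDelete failed: %d (%@)", (int)status, (__bridge NSString *)msg);
        if (msg) CFRelease(msg);
        LogOwnDesignatedRequirement();
    } else if (status != errSecSuccess && status != errSecItemNotFound) {
        NSLog(@"SecItemDelete failed with unexpected status %d", (int)status);
    }
    return status;
}
```

Run the same build twice, once from the original location and once after moving or renaming the bundle, and compare the two logged DR strings: a stable DR with a still-failing delete supports the bug suspicion in Quinn's last reply, while a changed DR points at the signing identity.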