AppIdentifierPrefix is different in main app and extension

I'm trying to share the keychain of my main app with an app extension.


In both places my entitlements are added to the main app target and my extension, both with the values "$(AppIdentifierPrefix)com.example.MyGroupName"


I followed this [great] post on https://forums.developer.apple.com/message/75928#75928 to debug the issue and found the following:


<key>ApplicationIdentifierPrefix</key>
<array>
    <string>SomeIdentifier1</string>
</array>


Of my mobileprovision.


Whereas my extension expects the Team ID.


How do I correct one of these so they both are using the same access group?

Accepted Reply

It sounds like your app was created back in the day, where each app would get its own unique App ID prefix. That’s still supported for existing apps, but new apps always use the Team ID. You can learn more of the backstory to this in Technote 2311 Managing Multiple App ID Prefixes.

With regards keychain sharing, I don’t think there’s a way to set that up between two apps with different prefixes (in this context you can think of your app extension as an app). The solution is to migrate your app to use a Team ID prefix, but that’s not without its drawbacks. TN2311 goes into the details.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

Back in the day is exactly right! As someone not around when the project was originally created, is it possible to figure out whether the App ID was a wildcard or not? So I can figure out which set of steps to use to move my App ID from a non-Team ID prefix to the Team ID.

> As someone not around when the project was originally created, is it possible to figure out whether the App ID was a wildcard or not?

If you dump your provisioning profile, you’ll see that it whitelists certain entitlements. A wild card profile whitelists all the App IDs with a specific prefix:

$ security cms -D -i fd41af6d-8883-4a29-924f-a65eba652129.mobileprovision 
…
<dict>
    …
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key>
        <string>SKMME9E2Y8.*</string>
        …
    </dict>
    …
</dict>
</plist>

A non-wildcard profile whitelists just one specific App ID:

$ security cms -D -i 18d432c1-fd30-4c82-835f-b486024a1ecd.mobileprovision 
…
<dict>
    …
    <key>Entitlements</key>
    <dict>
        …
        <key>application-identifier</key>
        <string>SKMME9E2Y8.com.example.apple-samplecode.Test118773</string>
        …
    </dict>
    …
</dict>
</plist>

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

FWIW, I just added a keychain sharing entitlement using Xcode 12.5, and it added the entitlements file with $(AppIdentifierPrefix)<groupname> (<groupname> is what I put in the entitlements UI). I don't know what value it's actually putting in there, as I can't find AppIdentifierPrefix anywhere else in the project.

Update: It's really hard to know what the string in my code should be to match what Xcode is generating for the entitlement.

> I can't find AppIdentifierPrefix anywhere else in the project.

Right. This isn’t set in your project because Xcode works it out on the fly (assuming you’re using Xcode’s automatic code signing). Xcode will query the developer web site for all App IDs associated with your Team ID. It will then look through that list for one whose bundle ID part matches your bundle ID (creating a new App ID if it doesn’t find one). The prefix part of that App ID then becomes your App ID prefix.

In my experience the best way to get these values is to build some code and then dump the code signature and embedded profile to find out what Xcode actually used. For example:

% codesign -d --entitlements :- /path/to/your.app
% security cms -D -i /path/to/your.app/embedded.mobileprovision


Having said that, if you want to use keychain access groups then you will need to use your Team ID as your App ID prefix, so if you’re using a unique App ID prefix then you’ll have to make that transition at some point.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
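
The checks discussed in this thread, as an added example that is not part of any post and is not Apple's code: Python that reads the plist printed by `security cms -D -i`, reports whether the App ID is a wildcard and whether its prefix is the Team ID, and shows how `$(AppIdentifierPrefix)` resolves for the app and the extension. The profiles and identifiers are constructed; the `TeamIdentifier` profile key and the trailing dot in the expansion do not appear on this page and are assumptions.

```python
import plistlib

def make_profile(prefix, team, app_id):
    """Constructed stand-in for the plist printed by `security cms -D -i ...`."""
    return plistlib.dumps({
        "ApplicationIdentifierPrefix": [prefix],
        "TeamIdentifier": [team],  # assumed key, not shown in the thread
        "Entitlements": {"application-identifier": app_id},
    })

def inspect_profile(data):
    """Summarise the App ID facts in one decoded provisioning profile."""
    profile = plistlib.loads(data)
    app_id = profile["Entitlements"]["application-identifier"]
    prefix, _, bundle_part = app_id.partition(".")
    team_id = profile["TeamIdentifier"][0]
    return {
        "prefix": prefix,
        "team_id": team_id,
        "wildcard": bundle_part.endswith("*"),  # "PREFIX.*" or "PREFIX.com.example.*"
        "prefix_is_team_id": prefix == team_id,
    }

def expand_group(entitlement, prefix):
    """Expand $(AppIdentifierPrefix); assumed to be the prefix plus a trailing dot."""
    return entitlement.replace("$(AppIdentifierPrefix)", prefix + ".")

def compare(app_data, ext_data, entitlement):
    """Report whether app and extension resolve the same keychain access group."""
    app, ext = inspect_profile(app_data), inspect_profile(ext_data)
    app_group = expand_group(entitlement, app["prefix"])
    ext_group = expand_group(entitlement, ext["prefix"])
    return {
        "app_group": app_group,
        "ext_group": ext_group,
        "same_group": app_group == ext_group,
        # Targets whose prefix is a legacy unique prefix rather than the Team ID.
        "needs_migration": [name for name, p in (("app", app), ("extension", ext))
                            if not p["prefix_is_team_id"]],
    }

# Constructed sample values; none of these identifiers come from the thread.
APP = make_profile("LEGACY0001", "TEAMID0001", "LEGACY0001.com.example.MyApp")
EXT = make_profile("TEAMID0001", "TEAMID0001", "TEAMID0001.com.example.MyApp.Share")
WILD = make_profile("TEAMID0001", "TEAMID0001", "TEAMID0001.*")
GROUP = "$(AppIdentifierPrefix)com.example.MyGroupName"

if __name__ == "__main__":
    print(inspect_profile(WILD))
    print(compare(APP, EXT, GROUP))
```

To run it against a real build, pass the bytes printed by `security cms -D -i /path/to/your.app/embedded.mobileprovision` to `inspect_profile` in place of the constructed profiles.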