9 Replies
      Latest reply on Nov 13, 2017 4:27 AM by roee84
      bmwray0 Level 1 (0 points)

        What could cause the errSecNotAvailable error (-25291) to be returned from a keychain write? I see from the documentation "No trust results are available," [1]. Is that something that can be remedied on a retry of the same keychain query, is there some action that can be taken to fix the error programmatically, or does the user have to do something on the device to fix this? I see one comment indicating the device would need to be restarted [2].

         

        [1] https://developer.apple.com/library/ios/documentation/Security/Reference/keychainservices/#//apple_ref/c/econst/errSecNotAvailable

        [2] http://fossies.org/linux/fpcbuild/fpcsrc/packages/univint/src/SecBase.pas

        • Re: Keychain write errSecNotAvailable
          eskimo Apple Staff (12,425 points)

          Which platform (iOS or OS X)?

          If it's OS X:

          • Is this talking to iCloud Keychain (via the 'synchronizable' flag)?

          • Is your app sandboxed?

          • Is your app building for the Mac App Store?

          The reason I ask is that iOS and OS X have radically different keychain implementations, except when it comes to iCloud Keychain, where the OS X implementation is very similar to the iOS one. So, the first step of investigating any mystery keychain problem is to figure out which implementation you're talking to.

          Share and Enjoy

          Quinn "The Eskimo!"
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Keychain write errSecNotAvailable
              bmwray0 Level 1 (0 points)

              This is on the iOS platform.

                • Re: Keychain write errSecNotAvailable
                  eskimo Apple Staff (12,425 points)

                  In the iOS keychain implementation errSecNotAvailable is returned for a bunch of reasons, mostly related to unexpected internal errors.  I would not expect to see this as a result of you using the API incorrectly.

                  Earlier you wrote:

                  … does the user have to do something on the device to fix this

                  That's my immediate suspicion but really I'm just speculating at this point.  What's the context for your question?  Are you seeing reports of this coming back from the field?  When it happens, do you see anything interesting in the device's system log?

                  Share and Enjoy

                  Quinn "The Eskimo!"
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: Keychain write errSecNotAvailable
                      bmwray0 Level 1 (0 points)

                      eskimo, thanks for your responses.

                       

                      We store important information regarding our users' login status, shared across a suite of apps, in the keychain. We raise exceptions when we get unexpected statuses back from the keychain queries, as the user cannot be allowed to log in without checking the login status in the keychain. We have seen a few crashes with this status. However, it appears the user has been able to successfully get past it within the next 5-10 min after the app restarts. I'm not sure if there's anything the user has done to fix the issue in that time. So I'm curious if we should handle this status and retry the keychain query (as in it's a transitory error that can correct itself within the life of the app), or present the user with an alert advising them to restart the app or device (as in there's something wrong with the application/device state that needs to be restarted before it can be resolved).

                       

                      This has only happened in the field and we only receive our own custom crash reports, so I don't have much more information for you to go on, or any system logs.
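
One way to handle the status described in the post above without crashing, as an added example that is not code from any poster or from Apple: retry a bounded number of times, log the status, and fail closed if it persists. It assumes errSecNotAvailable can be transient, which the thread does not establish; `readLoginStatus`, `LoginStatusLookup`, the attempt count and the delay are hypothetical.

```swift
import Foundation
import Security

// Every case except .found must leave the user logged out (fail closed).
enum LoginStatusLookup {
    case found(Data)
    case notFound
    case unavailable(OSStatus)  // errSecNotAvailable on every attempt
    case failed(OSStatus)       // any other unexpected status
}

// Hypothetical helper. It blocks between attempts, so call it off the main thread.
// Items shared across a suite of apps would also need kSecAttrAccessGroup (omitted here).
func readLoginStatus(service: String, account: String,
                     maxAttempts: Int = 3,
                     retryDelay: TimeInterval = 0.5) -> LoginStatusLookup {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    let attempts = max(1, maxAttempts)
    for attempt in 1...attempts {
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        switch status {
        case errSecSuccess:
            // A success without data is treated as a failure, never as "logged in".
            guard let data = item as? Data else { return .failed(errSecDecode) }
            return .found(data)
        case errSecItemNotFound:
            return .notFound
        case errSecNotAvailable:
            // Record each occurrence so field reports carry the status and timing.
            NSLog("keychain read: errSecNotAvailable (%d), attempt %d of %d",
                  status, attempt, attempts)
            if attempt < attempts { Thread.sleep(forTimeInterval: retryDelay) }
        default:
            NSLog("keychain read: unexpected OSStatus %d", status)
            return .failed(status)
        }
    }
    return .unavailable(errSecNotAvailable)
}
```

A caller would treat `.unavailable` and `.failed` as "not logged in" and show a retry or restart prompt rather than raising an exception.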

                        • Re: Keychain write errSecNotAvailable
                          ronak2121 Level 1 (0 points)

                          We had been seeing this in the field as well. However, I thought Apple had fixed this issue in iOS 7? I remember talking to Quinn at WWDC who advised me that we should be able to use the keychain after 200ms after launch of the app? I'm confused there because it seems like if I try to read/write from the keychain on the very first line of my AppDelegate, I am able to read/write from the Keychain without issue on test iPod and iPhones.

                            • Re: Keychain write errSecNotAvailable
                              eskimo Apple Staff (12,425 points)

                              However, I thought Apple had fixed this issue in iOS 7? I remember talking to Quinn at WWDC who advised me that we should be able to use the keychain after 200ms after launch of the app?

                              I think you must be mixing me up with someone else.  AFAICR I've never advised folks to delay accessing the keychain by 200 ms, for this or any other issue.

                              Also, are you sure you're not confusing this error with the -34018 (errSecMissingEntitlement) issue? Folks have been suggesting that delaying their keychain access might work around the -34018 issue, although personally I don't think that actually helps.

                              This -34018 issue is covered in this DevForums thread.

                              Share and Enjoy

                              Quinn "The Eskimo!"
                              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                              let myEmail = "eskimo" + "1" + "@apple.com"

                            • Re: Keychain write errSecNotAvailable
                              gc. Apple Staff (255 points)

                              Most keychain errors also log a detailed explanation in the console. It would really help to get the console log from an affected customer when they report the errSecNotAvailable error.

                               

                              --gc

                      • Re: Keychain write errSecNotAvailable
                        roee84 Level 1 (0 points)

                        I'm getting this error too, for MacOS.

                        I'm using keychain for iOS and MacOS VPN (network extension) apps, and recently I got a few app crashes involving saving a password to the keychain.

                        The crashes are only on my MacOS app, even though this code is used for both platforms.

                        The code is taken from an Apple example (SimpleTunnel).

                        What could be the cause of this error? And how can I fix it?