Keychain error -34018 (errSecMissingEntitlement)

This thread has been locked by a moderator.

This is a continuation from the old forums: https://devforums.apple.com/thread/246122


Calling SecItemCopyMatching will sometimes return an OSStatus of -34018 (errSecMissingEntitlement). This seems to happen when the system is running low on memory. This has not been fixed in iOS9. I've of course filed radars about this and I would encourage others to do the same while iOS 9 is under development.

Up vote post of briandw

Replies

Yes, I still get this in my app. But I'm also getting a new one:


SecItemCopyMatching status: -25300


I'm not sure what this one means though but it happens when I launch my app and access the keychain during the launch process.


I have multiple keys in my Keychain that I'm trying to access on launch and they all fail with the above error. Although it could mean that the keys are not available in the keychain yet.

UPDATE: We have finally been able to reproduce the -34018 error on iOS 8.3. This is the first step in identifying the root cause and then coming up with a fix.

As usual, we can't commit to a release timeframe, but this has affected many developers and we really want to get this resolved.

Earlier I suggested adding a small delay in application:didFinishLaunchingWithOptions and applicationDidBecomeActive: before accessing the keychain as a workaround. However, that doesn't actually appear to help. That means that there's no known workaround at this time other than relaunching the app.

The issue appears to be related to memory pressure, so perhaps being more aggressive in handling memory warnings may alleviate the problem.

--gc

I have a consistent repro, in an app that uses the keychain whenever it gets to foreground. I have seen similar repro steps in the forums before, but adding mine too:

- run the app on device with debugger attached

- go to homescreen and open a lot of other apps until Xcode reports the app to have less than 30kb of memory (this will often lead to app termination, you have to try several times)

- open the app, keychain returns a 34018 error until app is terminated

I have tried to access the keychain in a dispatch_after with up to a couple of seconds delay, without this fixing the issue. So at least under very low memory conditions, the suggested workaround doesn't work for me.

Hey gc.,


I came to these forums to ask this exact question, but searched first and found this post.


> The best we can tell so far, it's an issue with accessing the keychain too soon after the app has been launched or resumed.


This rings very true in my scenario. Right now, I can only recreate it maybe 5-10% of the time. I usually open another app, and then re-open my application, and receive the error.


I was considering encrypting things on my own and storing them in NSUserDefaults because this issue is rendering my app un-usable. However, I see your comment here...


> For a workaround, try adding a small delay in application:didFinishLaunchingWithOptions and applicationDidBecomeActive: before accessing the keychain.


What type of delay do you recommend? Is 0.1s going to suffice?

Hey gc,


we are also having this issue... and it's a pretty major one for us. It is single-handedly preventing us from releasing our app. We have been struggling with this for months so some workaround would really save us.


We have tried with the delay (sleep(0.5)) as you have suggested but we've had no luck. Could you give us some more details on how we could work around this?


Thanks!

This bug is actually very easy to reproduce. That being said why has Apple not fixed it after years of reports/examples etc. https://github.com/DinosaurDad/Keychain-34018

I agree. We have tried everything and we've received no response from Apple every time.


If they are working on this, the communication has been very poor. If they aren't, then we expect better from Apple.


Can we have at least some kind of reply from an Apple Staffer?

Just wanted to post to all here that we've received some news from Apple today.

Apparently they are working on this and suggest that postponing keychain access until application:didFinishLaunchingWithOptions or applicationDidBecomeActive: mitigates the problem.


We are trying this, although we will be sacrificing state restoration (still better than a crashing app).

Is there any suggested alternative best practice for storing sensitive data like tokens?


APPLE? Bueller? Bueller?

There are strict limits on the amount and type of information I can share here. I will say that:

  • Keychain engineering is well aware of how important this issue is.

  • The primary problem has been reproducing the failure here at Apple.

  • We're now able to do that (largely thanks to the work you guys have put in filing and following up on your bug reports).

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I have a different error, but it seems related to me.

App goes in the background and saves state for UI restoration.

User locks device (key / fingerprint enabled)

App is terminated by the OS for low memory conditions

App is launched by WatchKit extension: WKInterfaceController.openParentApplication -> ApplicationDelegate.handleWatchKitExtensionRequest

Console reports the following errors:

------------------------------

Jul 19 01:16:02 iPhone-6 MyApp[380] <Warning>: Error reading archived restorable state: Error Domain=NSCocoaErrorDomain Code=257 "The operation couldn’t be completed. (Cocoa error 257.)" UserInfo=0x170662480 {NSFilePath=/var/mobile/Containers/Data/Application/EA07FC55-81DA-47B9-904E-3A15518A1E24/Library/Saved Application State/com.gunpmedia.MyApp.savedState/data.data, NSUnderlyingError=0x170251fd0 "The operation couldn’t be completed. Operation not permitted"}

Jul 19 01:16:02 iPhone-6 securityd[90] <Error>: securityd_xpc_dictionary_handler MyApp[380] copy_matching The operation couldn’t be completed. (OSStatus error -25308 - ks_crypt: e00002e2 failed to unwrap item (class 6, bag: 0) Access to item attempted while keychain is locked.)

Jul 19 01:16:02 iPhone-6 MyApp[380] <Error>: SecOSStatusWith error:[-25308] The operation couldn’t be completed. (OSStatus error -25308 - Remote error : The operation couldn’t be completed. (OSStatus error -25308 - ks_crypt: e00002e2 failed to unwrap item (class 6, bag: 0) Access to item attempted while keychain is locked.))

Jul 19 01:16:02 iPhone-6 securityd[90] <Error>: securityd_xpc_dictionary_handler MyApp[380] add The operation couldn’t be completed. (OSStatus error -25308 - ks_crypt: e00002e2 failed to wrap item (class 6, bag: 0) Access to item attempted while keychain is locked.)

Jul 19 01:16:02 iPhone-6 MyApp[380] <Error>: SecOSStatusWith error:[-25308] The operation couldn’t be completed. (OSStatus error -25308 - Remote error : The operation couldn’t be completed. (OSStatus error -25308 - ks_crypt: e00002e2 failed to wrap item (class 6, bag: 0) Access to item attempted while keychain is locked.))

------------------------------


It looks like some of the state restoration data is saved in the keychain, but I can see no mention of this in the documentation.

I have an app called "Shoot" that takes pictures and shares them on social networks using OAuth2. Access and refresh tokens issued after the OAuth2 dance are stored in the Keychain with the ACL "kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly" (new to iOS8).


When I build my "Shoot" app from Xcode6.3 and run it on iOS, the keychain used to work fine. Now I've migrated it to Xcode7/Swift2 and when deployed either to iOS8 or iOS9 I keep hitting the -34018 Keychain error.


See source code with Swift1.2: https://github.com/aerogear/aerogear-ios-cookbook/tree/master/Shoot

with Swift2: https://github.com/corinnekrych/aerogear-ios-cookbook-1/tree/swift-2.0


I'm puzzled, any hints welcome.

++

Corinne

One thing I notice is that the Xcode6.3 version uses 7Mb mem whereas Xcode7 running the same app uses 10.5Mb.


++

Corinne

> Now I've migrated it to Xcode7/Swift2 and when deployed either to iOS8 or iOS9 I keep hitting the -34018 Keychain error.

You hit it every time, or occasionally? If it's every time then there's almost certainly something wrong with your code signing. If it works the vast bulk of the time but fails under specific circumstances, that's the bug that we're discussing on this thread.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Indeed, fixing code signing for the project makes the issue behave differently. When launched the first time with a cleared keychain on the iPhone 5s device, I'm able to access the keychain a couple of times but then hit the issue.

I've upgraded to Xcode7 beta4.

I wonder what will be an acceptable work around.

++

corinne
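
An added example, not code from any poster in this thread or from Apple: one way to keep the three OSStatus values quoted above (-34018, -25300, -25308) apart when reading a token, so that a transient keychain failure is not mistaken for a missing credential and the stored token is left in place. The helper names and the service/account parameters are hypothetical.

```swift
import Foundation
import Security

// Outcome of a keychain read, separated by what the caller should do next.
enum KeychainReadResult {
    case found(Data)
    case notFound            // -25300 (errSecItemNotFound): nothing stored
    case locked              // -25308: item not readable while the device is locked
    case missingEntitlement  // -34018: the intermittent failure discussed in this thread
    case failed(OSStatus)    // anything else; keep the raw status for the bug report
}

// Hypothetical helper: maps the status codes quoted in the thread.
func classify(_ status: OSStatus, _ item: AnyObject?) -> KeychainReadResult {
    switch status {
    case errSecSuccess:
        if let data = item as? Data { return .found(data) }
        return .failed(status)   // success without data: query was malformed
    case errSecItemNotFound:
        return .notFound
    case errSecInteractionNotAllowed:
        return .locked
    case -34018:                 // errSecMissingEntitlement, as named in the thread title
        return .missingEntitlement
    default:
        return .failed(status)
    }
}

// Reads one generic-password item; service and account are example parameters.
func readToken(service: String, account: String) -> KeychainReadResult {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var item: AnyObject?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    return classify(status, item)
}

// Only .notFound means there is no stored token. For .locked and
// .missingEntitlement the item may still exist, so the caller should not
// delete it, overwrite it, or restart the login flow on that basis.
func shouldStartFreshLogin(_ result: KeychainReadResult) -> Bool {
    if case .notFound = result { return true }
    return false
}
```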