NEAppProxyProvider SecItem keychain lookup throws error

Hi,


We are running NEAppProxyProvider on macOS and getting this error:


"copy_matching Error Domain=NSOSStatusErrorDomain Code=-34018 "client has neither application-identifier nor keychain-access-groups entitlements" UserInfo={NSDescription=client has neither application-identifier nor keychain-access-groups entitlements} "

when we call SecItemCopyMatching to look up the client identity item in the keychain. As per the documentation we do not need keychain-access-groups for macOS and also application-identifier is not needed, right? This happens only on macOS and iOS is fine.


Even when this error is thrown, we can successfully get the SecIdentityRef and it works fine. Just this error is thrown every time when we run client on mac.


Thanks and regards.

Accepted Reply

Even when this error is thrown, we can successfully get the SecIdentityRef and it works fine. Just this error is thrown every time when we run client on mac.

What do you mean by “thrown” here? In my mind a thrown error means that something has failed — and thus you wouldn’t get an identity — but it sounds like you’re using that term to mean that something was logged.

ps Network Extension providers can only be distributed via the Mac App Store and thus your app will have the `application-identifier` entitlement (on macOS this is actually `com.apple.application-identifier`).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

Hi eskimo,


We just observed one more thing with our application uploaded on App Store. With this application we do not see the above error but a different one while looking up the item in the keychain. The error is as follows:


default 16:43:59.542282 -0400 secd macOSAppProxyPro[69655] copy_matching Error Domain=NSOSStatusErrorDomain Code=-34018 "Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements" UserInfo={NSDescription=Client has neither com.apple.application-identifier, com.apple.security.application-groups nor keychain-access-groups entitlements}


But we do not need to specify "Application Identifier" nor "Keychain-Access-Group" for the mac NEAppProxyProvider client explicitly, right?


Thanks and regards,

Sanjay.

But we do not need to specify “Application Identifier” nor “Keychain-Access-Group” for the mac NEAppProxyProvider client explicitly, right?

Correct. You should get this entitlement from your provisioning profile. Are you sure you’re building with a Mac App Store provisioning profile? Network Extension providers are not supported for Developer ID.

I recommend that you dump the entitlements of your final built binary (using `codesign -d --entitlements :- ***`) to confirm that your app identifier entitlement is in place.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
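
The entitlement check suggested in the last reply can be scripted. The following is an added example, not code from the thread or from Apple: it parses the plist that the `codesign` command above prints and reports which of the three entitlement keys named in the `-34018` log message are present. The function names and the two sample plists (including the team and bundle identifiers) are constructed for illustration.

```python
import plistlib
import subprocess
import sys

# Keys named in the secd "-34018" message quoted in the thread (macOS wording).
KEYCHAIN_IDENTITY_KEYS = (
    "com.apple.application-identifier",
    "com.apple.security.application-groups",
    "keychain-access-groups",
)

def dump_entitlements(path):
    """Run the codesign command from the thread on a built binary (macOS only)."""
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", path],
        check=True, capture_output=True,
    )
    return result.stdout  # entitlements plist; codesign's other notes go to stderr

def check_entitlements(raw):
    """Return {key: value or None} for each key the log message names."""
    start = raw.find(b"<?xml")  # skips a binary blob header if one precedes the XML
    if start < 0:               # unsigned binary, or no entitlements embedded
        return {key: None for key in KEYCHAIN_IDENTITY_KEYS}
    entitlements = plistlib.loads(raw[start:])
    return {key: entitlements.get(key) for key in KEYCHAIN_IDENTITY_KEYS}

def has_keychain_identity(raw):
    """True if at least one of the three keys is present and non-empty."""
    return any(check_entitlements(raw).values())

# Constructed sample: a signature that carries the app identifier entitlement.
SAMPLE_WITH_APP_ID = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.application-identifier</key>
  <string>TEAMID1234.com.example.provider</string>
  <key>com.apple.security.app-sandbox</key><true/>
</dict></plist>"""

# Constructed sample: sandboxed, but none of the three keys present.
SAMPLE_WITHOUT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    raw = dump_entitlements(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_WITH_APP_ID
    for key, value in check_entitlements(raw).items():
        print(f"{key}: {value if value is not None else 'MISSING'}")
    sys.exit(0 if has_keychain_identity(raw) else 1)
```

Run it with the path to the built provider binary on a Mac to check a real signature; with no argument it reports on the first constructed sample.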