We are facing an issue with Keychain sharing across our apps after our Team ID was updated. Below are the steps we have already tried and the current observations:
Steps we have performed so far:
After our Team ID changed, we opened and re-saved all the provisioning profiles. We created a Keychain Access Group: xxxx.net.soti.mobicontrol (net.soti.mobicontrol is the bundle ID of one of the apps) and added it to the entitlements of all related apps. We are saving and reading certificates using this access group only. Below is a sample code snippet we are using for the query:

    // Query for a single generic-password item in the shared access group,
    // returning its attributes. `identifier` is the NSData stored under
    // kSecAttrGeneric and `accessGroup` is the NSString "xxxx.net.soti.mobicontrol".
    NSMutableDictionary *genericPasswordQuery = [NSMutableDictionary dictionary];
    [genericPasswordQuery setObject:(id)kSecClassGenericPassword forKey:(id)kSecClass];
    [genericPasswordQuery setObject:identifier forKey:(id)kSecAttrGeneric];
    [genericPasswordQuery setObject:accessGroup forKey:(id)kSecAttrAccessGroup];
    [genericPasswordQuery setObject:(id)kSecMatchLimitOne forKey:(id)kSecMatchLimit];
    [genericPasswordQuery setObject:(id)kCFBooleanTrue forKey:(id)kSecReturnAttributes];

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)genericPasswordQuery, &result);

Issues we are facing:
Keychain items are not being shared consistently across apps. We receive different errors at different times:
- Sometimes errSecDuplicateItem (-25299), even when there is no item in the Keychain.
- Sometimes it works in a debug build but fails in Ad Hoc / TestFlight builds.
- The behavior is inconsistent and unpredictable.
Expectation / Clarification Needed from Apple:
- Are we missing any additional configuration steps after the Team ID update?
- Is there a known issue with Keychain Access Groups not working correctly in certain build types (Debug vs Ad Hoc/TestFlight)?
- Guidance on why we are intermittently getting -25299 and how to properly reset/re-add items in the Keychain.
- Any additional entitlement / provisioning profile configuration that we should double-check.
We request that you please raise a support ticket with Apple Developer Technical Support including the above details, so that we can get guidance on the correct setup and resolve this issue.
To reiterate, it’s important that you reply as a reply. It’s very easy for me to miss replies in the comments, and then I won’t respond, and that’ll make us both sad.
used an App ID prefix for Keychain storage.
OK, let’s be clear about terms:
- Your Team ID is a 10 character code that identifies your team. For example, SKMME9E2Y8 is my individual Team ID.
- A bundle ID uniquely identifies your app, typically using reverse DNS notation. For example, com.example.test798928.
- An App ID is a bundle ID combined with an App ID prefix. For example, SKMME9E2Y8.com.example.test798928.
- An App ID prefix is either your Team ID or a unique App ID prefix.
- A unique App ID prefix is a 10 character code that’s allocated to your team, different from your Team ID. For example, one of my teams is allocated the App ID prefix of VYRRC68ZE6. App ID prefixes are effectively deprecated.
There are two transitions in question here:
- If your App ID has a unique App ID prefix, you can ask DevPrograms to change it to use your Team ID as its App ID prefix.
- If both teams agree, you can transfer an App ID from one team to the other. The final App ID will use the destination Team ID as its App ID prefix, regardless of whether or not it used a unique App ID prefix in the source team.
My App ID Prefix Change and Keychain Access post covers both cases:
- See the Migrate From a Unique App ID Prefix to Your Team ID section for the first case.
- See the Transfer Your App to Another Team section for the second case.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
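The original poster builds the access group name by hand ("xxxx." plus a bundle ID) and keys lookups on kSecAttrGeneric, while the reply above explains that the part before the bundle ID is the App ID prefix, which changes in exactly the transitions described. The following is an added example, written for this page and not code from the original poster, from Quinn, or from Apple. It shows two things a practitioner would want here: deriving the App ID prefix at runtime instead of hard-coding it (so the access group string follows whatever prefix the entitlement currently carries), and writing a shared item as an update-or-add so that SecItemAdd never hits errSecDuplicateItem. The marker account name "bundleSeedID", the group suffix net.soti.mobicontrol, the service and account strings, and the "certificate" bytes are all assumptions for illustration.

```objective-c
// Added example (not from the original post or from Apple).
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Discover this app's App ID prefix (Team ID or unique prefix) at runtime.
// The keychain reports each item's access group as "<prefix>.<group>", and
// an add with no explicit access group lands in the app's default group, so
// adding a marker item and reading back kSecAttrAccessGroup yields the prefix
// the app's entitlement actually carries. Returns nil on failure.
static NSString *AppIDPrefix(void) {
    NSDictionary *query = @{
        (id)kSecClass: (id)kSecClassGenericPassword,
        (id)kSecAttrAccount: @"bundleSeedID",   // marker item name, assumed
        (id)kSecAttrService: @"",
        (id)kSecReturnAttributes: @YES,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status == errSecItemNotFound) {
        // Marker does not exist yet; SecItemAdd honours kSecReturnAttributes.
        status = SecItemAdd((__bridge CFDictionaryRef)query, &result);
    }
    if (status != errSecSuccess || result == NULL) {
        return nil;
    }
    NSDictionary *attrs = CFBridgingRelease(result);
    NSString *group = attrs[(id)kSecAttrAccessGroup];
    NSArray<NSString *> *parts = [group componentsSeparatedByString:@"."];
    return parts.count > 1 ? parts.firstObject : nil;
}

// Store `data` under (service, account) in `accessGroup`, updating in place
// when an item already exists. Generic-password items are unique on
// (access group, account, service, synchronizable), not on kSecAttrGeneric,
// so a lookup keyed only on kSecAttrGeneric can report "not found" and the
// following SecItemAdd can still fail with errSecDuplicateItem (-25299).
static OSStatus UpsertSharedItem(NSString *accessGroup, NSString *service,
                                 NSString *account, NSData *data) {
    NSDictionary *key = @{
        (id)kSecClass: (id)kSecClassGenericPassword,
        (id)kSecAttrAccessGroup: accessGroup,
        (id)kSecAttrService: service,
        (id)kSecAttrAccount: account,
    };
    NSDictionary *update = @{ (id)kSecValueData: data };
    OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)key,
                                    (__bridge CFDictionaryRef)update);
    if (status == errSecItemNotFound) {
        NSMutableDictionary *add = [key mutableCopy];
        [add addEntriesFromDictionary:update];
        // Shared items should not migrate to another device via backup.
        add[(id)kSecAttrAccessible] =
            (id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;
        status = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    }
    return status;
}

// Read the item back by the same primary key. Returns nil if absent or on error.
static NSData *ReadSharedItem(NSString *accessGroup, NSString *service,
                              NSString *account, OSStatus *outStatus) {
    NSDictionary *query = @{
        (id)kSecClass: (id)kSecClassGenericPassword,
        (id)kSecAttrAccessGroup: accessGroup,
        (id)kSecAttrService: service,
        (id)kSecAttrAccount: account,
        (id)kSecMatchLimit: (id)kSecMatchLimitOne,
        (id)kSecReturnData: @YES,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) { *outStatus = status; }
    return status == errSecSuccess ? CFBridgingRelease(result) : nil;
}

int main(void) {
    @autoreleasepool {
        NSString *prefix = AppIDPrefix();
        if (prefix == nil) {
            NSLog(@"could not determine App ID prefix");
            return 1;
        }
        // Assumed group suffix; it must match a keychain-access-groups entry.
        NSString *group = [NSString stringWithFormat:@"%@.net.soti.mobicontrol", prefix];
        // Constructed stand-in for certificate bytes.
        NSData *cert = [@"constructed certificate bytes" dataUsingEncoding:NSUTF8StringEncoding];

        OSStatus status = UpsertSharedItem(group, @"net.soti.mobicontrol.certs",
                                           @"client-cert", cert);
        NSLog(@"upsert into %@: %d", group, (int)status);

        // Second call takes the SecItemUpdate path instead of failing with -25299.
        status = UpsertSharedItem(group, @"net.soti.mobicontrol.certs", @"client-cert", cert);
        NSLog(@"second upsert: %d", (int)status);

        OSStatus readStatus = errSecSuccess;
        NSData *back = ReadSharedItem(group, @"net.soti.mobicontrol.certs",
                                      @"client-cert", &readStatus);
        NSLog(@"read back %lu bytes (status %d)", (unsigned long)back.length, (int)readStatus);
    }
    return 0;
}
```

Two caveats when using this. First, the access group named in kSecAttrAccessGroup must appear in the app's keychain-access-groups entitlement; in the .entitlements file, writing the group as $(AppIdentifierPrefix)net.soti.mobicontrol lets Xcode substitute the current prefix at build time, which is what the runtime lookup above relies on. Second, a Debug build signed with one provisioning profile and an Ad Hoc or TestFlight build signed with another can carry different prefixes in their entitlements; the embedded.mobileprovision in each built .app is the place to confirm which prefix a given build actually received.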