OSStatus error:[-34018] Internal error when a required entitlement isn't present error on device
S

2

9

I am trying to implement keychain sharing using KeychainAccess. I have built two very basic applications: App One, which writes a string to a shared keychain, and App Two, which reads the data from the shared keychain and displays it.

My code for App One:

override func viewDidLoad() {
    super.viewDidLoad()

    //save item to keychain
    let keychain = Keychain(service: "app.test", accessGroup: "xxxxx.xxxxx.xxxxx.Keychain-Sharing")

    do {
        try keychain.set("Some Data Set in app one", key: "sharedData")
        print("Success")
        label.text = "Success"
    }
    catch let error {
        print("Keychain write failed: \(error)")
        label.text = "Keychain write failed: \(error)"
    }
}

My code for App Two that reads and displays from the shared keychain:

override func viewDidLoad() {
    super.viewDidLoad()

    //load item from keychain
    let keychain = Keychain(service: "app.test", accessGroup: "xxxxx.xxxxx.xxxxx.Keychain-Sharing")

    let data = try? keychain.get("sharedData")

    print("Data from Keychain: \(data ?? "nil")")

    label.text = "Data from Keychain: \(data ?? "nil")"
}

This is a very basic example just to try the concept. However, what I am finding is that when I run it using Xcode's simulator on my Mac, it behaves as expected: I run the first app and it succeeds, then I run the second app and the correct string is displayed.

When I then try to run it on a device (by plugging my device into my Mac and changing the run location), I receive the following error when trying to write and read from the shared keychain:

   OSStatus error:[-34018] Internal error when a required entitlement isn't present, client has neither application-identifier nor keychain-access-groups entitlements.

I have checked my entitlements file and I can see that they are included in both applications:


And the entitlements file is referenced correctly in the build settings:

Also when I hover over my provisioning profile it tells me that they are included:


Is this what is allowing it to run successfully in the Xcode simulator? And what am I missing to get it to run on the handset? I think this is something to do with my certificates / profiles, but I am fairly new to this, so I am not certain exactly what I need, what is missing, or what to check.

Can anyone help or point me in the right direction?

Sulphurize answered 3/4, 2020 at 8:27 Comment(2)
Do you have a paid developer account? - Biweekly
@Biweekly yes I do, is it possible I am using the wrong profile? - Sulphurize
P
19

I had the same issue, and the solution was very easy. Check the accessGroup parameter in the Keychain initializer once again. For example, you add the Keychain Group in Capabilities with the name "com.myCompany.app". But that is not the full name of the accessGroup. To solve the issue, just prepend the "App ID prefix" to the keychain group name. You can find this prefix in your Apple developer account inside your App ID configuration. The full accessGroup name will be "XXXXXXXXXX.com.myCompany.app", where XXXXXXXXXX is your App ID prefix.

Perretta answered 30/4, 2020 at 14:57 Comment(5)
Dimitry, thank you for this. This worked a treat. I did not know that this prefix was needed. Many thanks! - Sulphurize
Thank you for this. Nailing down the specifics of shared keychain access has been very tricky. - Foxhound
Hey Dmitry, when I add APPID to the entitlements file it gives me a provisioning profile error. And the official documentation says Xcode will add TeamID automatically. I am confused. developer.apple.com/documentation/security/keychain_services/… - Lather
Actually, never mind, I fixed that issue by deleting the Keychain Sharing capability and adding it back. - Lather
To clarify my findings: when adding the Keychain Groups to Xcode's Capabilities, there is no need to prepend the app ID there. A simple com.company.groupName will do. If you look in the entitlements file, you will see that Xcode takes care of this for you: $(AppIdentifierPrefix)com.company.groupName. Where you DO need to prepend the app ID is in code, where you pass the accessGroup string into KeychainAccess: accessGroup: "123123123.com.company.groupName" - Callosity
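One way to avoid hardcoding the prefix discussed in the answer and comments above, as an added example (not code from the original posts or from KeychainAccess): read the app's default access group back from a probe keychain item with the Security framework and reuse its first component. The probe service/account names and the `AccessGroupError` type are placeholders chosen for this example, and it assumes the default access group has the form `<prefix>.<identifier>`, as on a provisioned device.

```swift
import Foundation
import Security

// Hypothetical error type for this example.
enum AccessGroupError: Error {
    case missingEntitlement      // OSStatus -34018, the error from the question
    case keychain(OSStatus)      // any other Security framework failure
    case noAccessGroupAttribute  // item came back without kSecAttrAccessGroup
}

// Finds (or creates) a probe item and returns the access group the system
// assigned to it, e.g. "XXXXXXXXXX.com.myCompany.app".
func defaultAccessGroup() throws -> String {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "accessGroupProbe",  // placeholder name
        kSecAttrAccount as String: "probe",             // placeholder name
        kSecReturnAttributes as String: true
    ]
    var result: CFTypeRef?
    var status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound {
        // No probe yet: add one (no secret data needed) and read its attributes.
        status = SecItemAdd(query as CFDictionary, &result)
    }
    if status == errSecMissingEntitlement { throw AccessGroupError.missingEntitlement }
    guard status == errSecSuccess else { throw AccessGroupError.keychain(status) }
    guard let attributes = result as? [String: Any],
          let group = attributes[kSecAttrAccessGroup as String] as? String else {
        throw AccessGroupError.noAccessGroupAttribute
    }
    return group
}

// Builds "<prefix>.<groupName>" using the prefix of the default access group.
func sharedAccessGroup(named groupName: String) throws -> String {
    let group = try defaultAccessGroup()
    guard let prefix = group.split(separator: ".").first else {
        throw AccessGroupError.noAccessGroupAttribute
    }
    return "\(prefix).\(groupName)"
}

// Usage with the initializer shown in the question:
// let group = try sharedAccessGroup(named: "com.myCompany.app")
// let keychain = Keychain(service: "app.test", accessGroup: group)
```

The resolved group must still be listed under Keychain Sharing in both apps' entitlements; the lookup only removes the hardcoded prefix from code.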
J
0

Actually, it's teamID, not APPID

Sharing access to keychain items among a collection of apps


Joyejoyful answered 18/9, 2024 at 14:25 Comment(2)
This is a comment on the existing answer, right? Please note meta.stackexchange.com/questions/214173/… I will also provide the standard comment for link-only answers (which is otherwise the closest you get to almost being an answer according to How to Answer). - Dissection
Davy, a link to a solution is welcome, but please ensure your answer is useful without it: You need to provide at least a technical summary of how the problem is solved, so that it can be reproduced even without the link. It is not enough to advertise what it achieves. Also please add context around the link so your fellow users will have some idea what it is and why it is there. Answers that are little more than a link may be deleted. - Dissection
