[macOS] User sees permissions popup saying, "[App] wants to use your confidential information stored in 'com.firebase.FIRInstallations.installations' in your keychain."

[JakeSc]

[REQUIRED] Step 1: Describe your environment

• Xcode version: 11.3
• Firebase SDK version: See below. Podfile just specifies unversioned Firebase/Crashlytics and Firebase/Analytics
• Firebase Component: Firebase/Analytics (6.23.0), Firebase/Core (6.23.0), Firebase/CoreOnly (6.23.0), Firebase/Crashlytics (6.23.0), FirebaseCore (6.6.7), FirebaseCoreDiagnostics, FirebaseCoreDiagnosticsInterop, FirebaseCrashlytics (4.0.0), FirebaseInstallations (1.2.0), various Google subspecs
• Component version: See above
• Installation method: CocoaPods

[REQUIRED] Step 2: Describe the problem

Steps to reproduce:

This is for a macOS application, running on macOS 10.15.4. I see the issue when signing my app with a Developer ID cert with the DEBUG flag, but I don't see it when running with a macOS Development certificate.

In applicationDidFinishLaunching, I have simply:

FirebaseApp.configure()

Upon launch I then see this:

I haven't tried to proceed by entering my password, or Denying the request.

Relevant Code:

import Cocoa
import Firebase
import FirebaseCrashlytics

@NSApplicationMain class AppDelegate: NSApplicationDelegate {
    func adfl() {
        FirebaseApp.configure()
    }
}

Is there a workaround for this, so I can avoid spooking my users with this keychain perms request? Thanks!

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[maksymmalyhin]

@JakeSc Thank you for the report. Since Firebase Mac OS is in a state of Community Support, there still may be cases that are not handled really well. We appreciate your help with making Mac OS support better.

The alert is a result of Firebase Installations SDK storing a generated device ID and supplementary information in the Keychain.
From my experience with previous Mac OS versions the alert should appear only if an application is resigned with a different developer ID and reinstalled on the same Mac, so it tries to read items created by the previous version.

Could you please provide more details on your workflow:

1. Can you observe Keychain items created by your app with different signing settings? If you remove them, do you still observe the alert?
2. Do you observe the alert if you re-install your app without signing changes?
3. Once you allow access you should not see more alerts. It is the case for you?

[JakeSc]

Hi @maksymmalyhin, thanks for the information.

I see this issue when running the app signed with a Developer ID Cert and ProvProf, as well as an Apple Development Cert. I have not tested this with a Distribution Cert + PP.

How do I observe Keychain items created by my app? I searched Keychain Access for the name / bundleID and didn't see anything there.

I am hesitant to allow access, because I fear that would be permanent and I would thus be unable to test this flow as my users would. In other words, I want to make sure I continue to see the popup until this issue is fixed or there is a workaround. How can I reset the keychain access state, so I can reproduce the issue after allowing access?

[maksymmalyhin]

How do I observe Keychain items created by my app?
@JakeSc you can all Firebase Installations Keychain items in the Keychain Access app filtering by FIRInstallations string:

You can delete old items to simulate a fresh app installation.

I could reproduce the prompt by installing an app signed with one dev account and then re-installing the app but signed with a different dev account.

Firebase issue
I can see an issue with the way the keychain is used by Firebase Installations on Mac OS. Currently all items from all applications are stored under the same service name com.firebase.FIRInstallations.installations. It works fine on iOS/tvOS/watchOS because of Keychain isolation. But on MacOS, despite that different account names are used for different applications an item, request from any of the MacOS app using Firebase will prompt users with access request to the service if there are other such app installed.

We will consider a Mac OS specific fix to make the Keychain service name unique per application to avoid the interference.