GIDSignIn.signIn getting "keychain error" for some users

[alperkayabasi]

Hello,

We are using GoogleSignIn for a few years. Suddenly, some users start to get "com.google.GIDSignIn / error code: -2 / keychain error" and we can't sign them in to our application.

To fix this, I have to enable "keychain sharing access" in my project settings (we have never enabled this and it was working as expected for a long time) and add "com.google.GIDSignIn" as keychain group.
Here is the screenshot;

If I use my own bundle id here I still get the same error, I have to add com.google.GIDSignIn specifically.

This is not one of the steps to integrate the SDK and I don't know why it is neccessary to add "com.google.GIDSignIn" keychain sharing access in my project.

Can you help with the issue?
Thank you.

[petea]

Can you tell me what version of Google Sign-In you're using when you see this behavior? The version of GTMAppAuth you're building with would also be relevant, as well as the version(s) of iOS you're seeing this on.

[tuando3i]

We are having the same problem here.

• GMTAppAuth: 1.2.3
• iOS version 15.5 (notice that it happens to some phones not happen with some other phones)

[AndyActionItem]

Also seeing this with iOS 15.5, but also iOS 14.7.1 . GTMAppAuth 1.2.3. It was reported today. Still looking to see if the version of iOS is a determining factor. This is an app that is in the store.
Have now determined that updating to GTMAppAuth 1.3.0 solves the problem for our app at least.
My Podfile has
pod 'GoogleSignIn', '~> 5.0.1'
and doing an pod update now gets me 1.3.0 instead of 1.2.3

[alperkayabasi]

• GoogleSignIn (6.1.0)
• GTMAppAuth (1.2.2)

The device I debugged was iOS 15.4.1 but there are many users who reported the issue, I don't know the OS versions of all.

[sopherwang]

I'm also having the same issue. Any suggestions would be great.

[longvudai]

I'm also facing this issue today.

[petea]

It sounds as though the Keychain is returning an error for some reason, causing GIDSignIn's -saveAuthState: to fail following a -signIn or -restorePreviousSignIn.

Is anyone able to reliably reproduce this behavior in a debug build? If so, you could provide repro steps?

[alperkayabasi]

Yes I could debug it but there are no "steps" to reproduce the bug really, I just call GIDSignIn.sharedInstance.signIn method. It seems like device or user specific. You do same steps with two different devices, one logs in, one doesn't.

All the users who had trouble logging in have an active Google session in Safari. Sadly, that's all I have.

[petea]

If you can reproduce this in a debug build, try setting a breakpoint in GTMAppAuth's GTMKeychain implementation in the -setPasswordData:forService:accessibility:account:error: method and check the return value of the SecItemAdd call. A non-zero value of status could provide some insight into what type of a Keychain error we're dealing with.

[zaidhafeez]

The "keyChain Error" is not shown in an updated version of GTMAppAuth (1.3.0).
Just updated to the newest version to resolve the error.

[zaidhafeez]

If you can reproduce this in a debug build, try setting a breakpoint in GTMAppAuth's GTMKeychain implementation in the -setPasswordData:forService:accessibility:account:error: method and check the return value of the SecItemAdd call. A non-zero value of status could provide some insight into what type of a Keychain error we're dealing with.

The status returned in GTMAppAuth (1.2.2). is errSecDuplicateItem.

[petea]

@zaidhafeez thanks for the feedback.

For anyone who is (or was) experiencing this behavior, could you list all the third-party libraries you're using and how they're being built / linked (Swift Package Manager, CocoaPods, XCFrameworks, etc). I'm looking for a potential source of conflicting Keychain operations.

[iyouqiang]

GoogleSignIn(5.0.2) iOS 14.6

[alperkayabasi]

I can verify that "keychain error" doesn't occur on GTMAppAuth version (1.3.0).
It still persists on 1.2.2 though.

[petea]

@alperkayabasi could you let me know which (if any) third-party libraries you're using in addition to Google Sign-In? Please see my previous comment.

[alperkayabasi]

@petea We're using a lot of 3rd party frameworks but I'll try to list major ones.

pod 'Alamofire'

pod 'Firebase/Database'
pod 'Firebase/Auth'
pod 'Firebase/Analytics'
pod 'Firebase/Performance'
pod 'Firebase/Crashlytics'
pod 'GoogleAppMeasurement'

pod 'Google-Mobile-Ads-SDK'
pod 'GoogleSignIn'

pod 'FBSDKCoreKit'
pod 'FBAudienceNetwork'
pod 'FBSDKLoginKit'

pod 'Adjust'
pod 'AppsFlyerFramework'

pod 'CryptoSwift'
pod 'KeychainSwift'
pod 'TikTokOpenSDK'
pod 'SwiftyVK'

[longvudai]

Upgrade to 6.2.2 solve my keychain error problem.

[sugitatestblue]

@iyouqiang
I use same version.

I resolved by upgrading 6.0.0 version. but I don't wanna upgrade.

I deleted the app once, but I can't login.
Although I logged in with 6.0.0 version and logout, I can't login with 5.0.2.

Anyone can resolved?

[SimmaAulakh]

I am also getting the same error for my application. It was working well before.

[kvacquier]

Same here, got the issue on my phone with multiple accounts

[gy6177]

I have the same problem

• GoogleSignIn (6.1.0):
  • AppAuth (~> 1.4)
  • GTMAppAuth (~> 1.0)
  • GTMSessionFetcher/Core (~> 1.1)

[petea]

For those who are still seeing this issue, please let me know which versions of GoogleSignIn and GTMAppAuth you're building with.

[gy6177]

GoogleSignIn -> 6.1.0
GTMAppAuth -> 1.0
在 iOS 15.4 和 iOS 15.0 都遇到了

Is there a problem with the simulator? Can it be done on the real machine?

[gy6177]

Upgrade to Google signin 6.2.2 without this problem. The following is the corresponding version

• GoogleSignIn (6.2.2):
  • AppAuth (~> 1.5)
  • GTMAppAuth (~> 1.3)

[tylerexmg]

Also seeing this issue on iOS 16 beta:

GoogleSignIn (6.1.0):

• AppAuth (~> 1.4)
• GTMAppAuth (~> 1.0)
• GTMSessionFetcher/Core (~> 1.1)

[CharlyDev75]

Hey! We're running version 6.1.0 and some of our users are experiencing this issue in too.
Is there a version that you recommend to upgrade to solve this?
Thanks for your time

[Simon-Zeng]

Update to latest version which has GTMAppAuth ~> 1.3 will fix the issue

[CharlyDev75]

Update to latest version which has GTMAppAuth ~> 1.3 will fix the issue

Thanks a lot Simon!

[nguillot]

After updating my pods to
Installing AppAuth 1.6.0 (was 1.5.0) Installing GTMAppAuth 1.3.1 (was 1.3.0) Installing GoogleSignIn 6.2.4 (was 6.2.2)

I reproduced the issue on a Mac Silicon with Mac OS Ventura (13.0 (22A380)). But It works on iPad OS 16.1.

[sgiraldog]

Updating to latest version solved the issue!

[iprabhakarpatil]

After updating my pods to Installing AppAuth 1.6.0 (was 1.5.0) Installing GTMAppAuth 1.3.1 (was 1.3.0) Installing GoogleSignIn 6.2.4 (was 6.2.2)

I reproduced the issue on a Mac Silicon with Mac OS Ventura (13.0 (22A380)). But It works on iPad OS 16.1.

Same here.
Facing the issue in MacOS testflight builds, but works fine in iOS devices.

[narendarsaini]

What I am seeing is here...

TestFlight Build (with latest SignIn SDK)

iPhone 13 / iOS 16.1 - working fine
iPhone XR / iOS 15.6 - working fine
iPhone 6S / iOS 15.6.1 - working fine

AppStore Build (with old SignIn SDK)

iPhone 13 / iOS 16.1 - Keychain error
iPhone XR / iOS 15.6 - working fine
iPhone 6S / iOS 15.6.1 - working fine

[jonsutherland]

After updating my pods to Installing AppAuth 1.6.0 (was 1.5.0) Installing GTMAppAuth 1.3.1 (was 1.3.0) Installing GoogleSignIn 6.2.4 (was 6.2.2)
I reproduced the issue on a Mac Silicon with Mac OS Ventura (13.0 (22A380)). But It works on iPad OS 16.1.

Same here. Facing the issue in MacOS testflight builds, but works fine in iOS devices.

Same issue with MacOS testflight build on Apple Silicon, but works fine on any iOS device I've tried.

The mentioned workaround of adding key chain sharing ability with "com.google.GIDSignIn" as the only keychain group does fix the issue for iOS testflight builds running on MacOS.

[Simon-Zeng]

I am facing the same issue even upgraded to GoogleSignIn version 7.0.0 and GTMAppAuth version 2.0.0. But it happening in TestFlight builds and not reproduced in App Store builds yet.

Add "com.google.GIDSignIn" to Keychain Sharing section of Project Capability, and try again.

[goodje]

I also encounter this issue, I attached my Podfile.lock at the end.

After I add Keychain Sharing in Signing & Capabilities, and then com.google.GIDSignIn in Keychain Groups, it solved my issue.

Cheers!

• Xcode: Version 14.2 (14C18)
• Minimum Deployments: macOS 10.15

com.google.GIDSignIn
Podfile.lock:

PODS:
  - AppAuth (1.6.0):
    - AppAuth/Core (= 1.6.0)
    - AppAuth/ExternalUserAgent (= 1.6.0)
  - AppAuth/Core (1.6.0)
  - AppAuth/ExternalUserAgent (1.6.0):
    - AppAuth/Core
  - GoogleSignIn (7.0.0):
    - AppAuth (~> 1.5)
    - GTMAppAuth (< 3.0, >= 1.3)
    - GTMSessionFetcher/Core (< 4.0, >= 1.1)
  - GTMAppAuth (2.0.0):
    - AppAuth/Core (~> 1.6)
    - GTMSessionFetcher/Core (< 4.0, >= 1.5)
  - GTMSessionFetcher/Core (3.1.0)

DEPENDENCIES:
  - GoogleSignIn

SPEC REPOS:
  trunk:
    - AppAuth
    - GoogleSignIn
    - GTMAppAuth
    - GTMSessionFetcher

SPEC CHECKSUMS:
  AppAuth: 8fca6b5563a5baef2c04bee27538025e4ceb2add
  GoogleSignIn: b232380cf495a429b8095d3178a8d5855b42e842
  GTMAppAuth: 99fb010047ba3973b7026e45393f51f27ab965ae
  GTMSessionFetcher: c9e714f7eec91a55641e2bab9f45fd83a219b882

PODFILE CHECKSUM: acca47bd2cac4d151d614ba463a75f598493389b

COCOAPODS: 1.12.0

[mattisssa]

OMG, I'm still experiencing the issue on macOS and because of the workaround with the keychain, I see this keychain permission alert.
Has anyone found another workaround that could help avoid that alert?

[kubaflo]

For those of you who added com.google.GIDSignIn to the keychains and the error still occurs. Try to remove the bin and obj folder from the project and relaunch the app. It worked for my iOS simulator.

[hristoenev]

After updating from GoogleSignIn (7.0.0) to GoogleSignIn (7.1.0) on a macOS app target I got Error Domain=com.google.GIDSignIn Code=-2 "keychain error" UserInfo={NSLocalizedDescription=keychain error}. Adding Keychain Sharing entitlement and com.google.GIDSignIn group to it did not help. After downgrading to GoogleSignIn (7.0.0) and removing the Keychain Sharing all is fine, no errors and everything works as expected.

[mdmathias]

@hristoenev are you able to print out the error here in GIDSignIn.m? That should be the error GSI gets from GTMAppAuth here. A breakpoint at either location should tell us more about what the error is.

I was able to replicate the error in GSI's SignInSample project. These are the errors.

You can see in one of the screenshots that the error in this case is from the keychain: -34018. From here, you will find that this error is due to a missing entitlement.

I added that entitlement to the SignInSample project (see below), and was able to save and restore successfully.

Last, the DaysUntilBirthday sample and GTMAppAuth sample provide macOS targets. I am not able to reproduce this issue with either of those samples.

[hristoenev]

@mdmathias, the error I got from GIDSignIn.m is
▿ Error ▿ failedToDeletePassword : 1 element - forItemName : "auth"
So I went to Keychain and deleted auth in the Passwords section. And now it works, but I am not sure for how long. Still this does not explain why it worked using 7.0.0. And to be more precise - switching only the SDK version made the sign in to start or stop working, without changing entitlements or anything else.

[mdmathias]

Strange. The main difference, with respect to persisting authorizations, between GSI 7.0.0 and GSI 7.1.1 is that 7.0.0 listed its dependency on GTMAppAuth as this:

    .package(
      name: "GTMAppAuth",
      url: "https://github.com/google/GTMAppAuth.git",
      "1.3.0" ..< "3.0.0"),

7.1.0 updated that dependency to:

    .package(
      name: "GTMAppAuth",
      url: "https://github.com/google/GTMAppAuth.git",
      from: "4.1.1"),

This amounted to GSI 7.0.0 depending upon GTMAppAuth v2.0.0. GSI 7.1.0 depends upon GTMAppAuth v4.1.1 and higher. Depending upon GTMAppAuth 4.1+ is important because that is the version of the library with a privacy manifest.

In any case, I tried to reproduce your issue by first opening up the DaysUntilBirthday sample from GSI 7.0.0. I built and ran the sample, successfully signing in. Then, I built and ran the same sample app from GSI's 7.1.0 release. The sample app was able to restore the previous sign in and I saw no error.

If you are able to, please share as much detail as you can to reproduce your issue. I will make sure to investigate. In the meantime, I'm closing this issue as not reproducible (and also considering that this was originally created in 2022). I will reopen the issue if you're able to repro. Thanks!

[hristoenev]

Don't spend too much time on this. The record the SDK made in Keychain had to be deleted. There are two questions for me:

1. Did the auth record broke when the SDK created it?
2. Can the SDK do something if the record is broken?
   It is totally fine if the error occurs during development, which means the end users have little chance to experience it. And in any case if it is possible to recover in such situation - it will be great.

[mdmathias]

1. I don't think the auth record broke when it was saved. My tentative hypothesis is that it was created with a missing entitlement or that your sample on the previous run was missing the entitlement.
2. This case is tricky to remedy because, IIRC, we cannot set a password to the keychain if that item already exists. This is why we have to try to remove it.

[hristoenev]

So the SDK created the auth record with missing entitlement and at some point in time it decided, that an entitlement is needed. That still does not explain why only switching back and forth between 7.0.0 and 7.1.0 without changing anything else in the project resulted in working with 7.0.0 and failing with 7.1.0

[apaolino]

For anyone having the same issue on Flutter MacOS, I solved by using this dependency override:

dependency_overrides:
  google_sign_in_ios: 5.7.5

which uses GoogleSignIn 7.0.0. Which 7.1 I have the keychain error

[aryan1107]

@apaolino Thanks so much I was stuck for few hours!

[vojtabohm]

Why is this marked closed when the issue still persist in the latest version?

GoogleSignin 7.1.0
GTMAppAuth 4.1.1

happens for some of our customers. Cannot reproduce on my own devices. They have macOS 15.0.1.

[krishsatya]

We're also seeing this error all of a sudden (not sure if it's specific to macOS 15 Sequoia). Ours is a macOS app using Firebase for auth. Unfortunately we're unable to reproduce this issue consistently. And there doesn't seem to be a workaround for users who do hit this issue.

GoogleSignIn: 8.0.0
GTMAppAuth: 4.1.1
Firebase: 11.3.0
GoogleAPIClientForREST: 4.0.0