Error -34018 required entitlement

[arnaudmeunier]

Hello,

I'm frequently getting this error:

Error Domain=com.kishikawakatsumi.KeychainAccess.error Code=-34018 "Internal error when a required entitlement isn't present, client has neither application-identifier nor keychain-access-groups entitlements."

I noticed it tends to happen when the application comes back from Background. Any idea where this could come from?

[kishikawakatsumi]

Could you please show me your code that to get/set keychain items? I think some factors about the error, but I need more details to identify the cause.

[antranapp]

I have the same issue with a mac app (running in agent mode). Here are my codes

    let bundleIdentifier = NSBundle.mainBundle().bundleIdentifier
    self.keychain = Keychain(service: bundleIdentifier!)
    if let password = self.keychain!.getString("password") {
        println("Found password = \(password)")
    }
    else {
        println("No password found in keychain")
    }

the issue only appears sporadically. I found some related SO questions here

http://stackoverflow.com/questions/22082996/testing-the-keychain-osstatus-error-34018?lq=1
http://stackoverflow.com/questions/20344255/secitemadd-and-secitemcopymatching-returns-error-code-34018-errsecmissingentit/22305193#22305193

[bgreenlee]

I'm seeing this as well. It seems to happen only when updating the keychain item, not when initially creating it. The update succeeds, however.

Turning on the Keychain Sharing capability fixes the issue.

[arnaudmeunier]

Interesting. I noticed I never had the issue on a production (archived) build. Did you? Might try turning on KeyChain sharing, just to be sure.

[uchuugaka]

For security, and contrary to Apple's docs, don't update a keychain item, instead, remove it and create a replacement.

[wangshengjia]

I never had this issue until I update to Swift 2 and test on iOS 9 today, is there something changed in new version?

[orschaef]

@wangshengjia I experienced the same...after the Swift 2 update.

[pvegh]

Swift 2 or Xcode 7, not sure which causes the issue, but they both go together.
Update: actually I have only seen this on an iOS9 device so far.

[jpaas]

Same here. Swift2 + iOS9.

[ky1ejs]

I'm getting this issue with Swift 1.2 and iOS 8. Adding Keychain Sharing worked for fixed me too.

Is enabling Keychain Sharing the correct fix or a bit of a hack around the problem?

[ky1ejs]

I've just had this problem re-occue with Keychain Sharing enabled. @kishikawakatsumi any ideas on a Fix?

[ky1ejs]

This is becoming a really frustrating issue for us. I'm able to replicate quite consistently. When running our application after deleting it from the device, we run in to this issue when trying to access the keychain shortly after creating it. During the gap between creating the keychain and receiving this error on next access, the app is exited and re-entered.

@kishikawakatsumi I'm hoping you could advise me on a possible cause and/or fix shortly. I may have to consider finding another keychain wrapper/framework.

[ky1ejs]

...now able to replication without exiting the app.

[ky1ejs]

Done a fair bit of digging tonight. Looks like this is actually a bug in Security.framework:

https://forums.developer.apple.com/thread/4743

Last response from Apple was on Jul 27, 2015 1:22 AM. They still haven't confirmed on this thread that the bug has been resolved.

[paulbruneau]

This makes sense (that it's an apple bug). Keychain is a mess.

[lfaoro]

This happens on Mac apps as well, Keychain Sharing fixes it but then you can't distribute the app outside the App Store if you use any of the features under Capabilities

[fabdarice]

I keep experiencing this as well.
You guys are mentioning that turning on Sharing Capability fixes it.
To turn it on, are you just adding ".synchronizable(true)" to keychain?

[nickvelloff]

Same issue here as well. "Keychain Sharing" is enabled.

[lfaoro]

@fabdarice - select your project > Capabilities tab > set Keychain sharing to On

[andrew-knott]

Can anyone else confirm that turning on Keychain sharing works? It's still failing for me.

[nickvelloff]

What is the value for Keychain in your Info.plist?
My previous value of {AppID}.* did not work any longer after updating to SDK 9 Swift 2. I needed a fully qualified name like {AppID}.com.domain.app

[tomoyuki28jp]

Same issue here :(
Swift2 + iOS9

[tomoyuki28jp]

It seems like enabling keychain sharing solves this issue for me.

[AlexCatch]

Error is still occurring occasionally.
Swift 2.0 + iOS9

[kishikawakatsumi]

I cannot reproduce such a problem. Can anyone share a reproducible project? Or could you please report this issue with your code snippets. "Same issue here" is nothing to help for me 🙇

[kishikawakatsumi]

And @kylejm's mentioned it https://forums.developer.apple.com/thread/4743 . Is it help for this problem?

[ky1ejs]

It still happens for me. It happens intermittently when the keychain is accessed after some time has passed since hitting a breakpoint.

In that thread an Apple employee has recently commented saying that we should all file a radar each so that not only can we see the status of the bug being fixed, but it will also go up on Apple's priority. I'm going to do so tomorrow morning when I'm at my desk.

[paulbruneau]

You can't see the status of other bugs, even ones that you are a dupe of. That is one of the reasons why bugreporter is garbage.

[czechboy0]

Just my 2c, I was having this issue in a Mac app and it went away when I ensured I never overwrite an existing value by using this little method:

extension Keychain {    
    func updateIfNeeded(key: String, value: String?) {
        if self[key] != value {
            self[key] = value
        }
    }
}

[uchuugaka]

Anything that touches security APIs must be code signed properly or it will cause weird failures by design.
This includes things that call them indirectly.
Just code sign everything and use proper entitlements.

On 14 Sep 2016, at 22:54, kishikawa katsumi notifications@github.com wrote:

@twiedow

It seems that with iOS 10 this problems always occurs. I just could reproduce the problem when opening the sample app for this project (using the master) and running it in the simulator (iPhone 7 / iPad with iOS 10).

Please add code signing entitlements to the app. I've just fixed at fb4529d for the example project. From iOS 10, entitlements file is always needed for writing Keychain even without sharing.

―
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.

[hons82]

@tolkiana I've the same problem... I'm working on a framework with Keychain support, so there is no capabilities Tab... Did u find a solution already?

[tolkiana]

@hons82 not exactly, my solution was making my tests with mock objects, similar way you would do it with NSUserDefaults.

[indrajitsinh]

I was receiving this error in iOS 10 I did as @lfaoro suggested and I am no longer seeing it.

[haaakon]

I'm struggling to find a sulotion to this when using Keychain in Unit tests. Anyone have any tips?

[petrdvorak]

Guys, a little tiny note - are you sure you want to have "Keychain Sharing" feature on? For my project (related to security element of mobile banking) this is strongly undesired...

[tolkiana]

@petrdvorak that's a good point. I found in this thread that just having the entitlements is good enough (if you have at least one of the other capabilities). I just tested, created the entitlements for the Keychain Sharing, then turn it off and then turn on another capability like iCloud for example and still works! I know this is not ideal but I thought maybe is useful for somebody.

[tolkiana]

For those having problems with Frameworks, the only way I was able to workaround this was by creating a host App. I added a new target, enabled Keychain Sharing in capabilities and then in the test target I selected the Host Application, no need to add the test files to that target:

[1b0t]

If somebody is getting here desperately trying to get it to work without enabling Keychain Sharing. Just omit the accessGroup parameter when creating the Keychain object.

Explicitly passing my bundle id, then creating the entitlements file and adding the code signing entitlements always turned on Keychain sharing automatically. Turning it off again results in Xcode wiping these settings resulting in a deadlocking cycle.

Update: this seems to only work on a device and not in the simulator.

Update #2:
According to this thread it seems to be an Xcode bug related to code signing.

[ovidiomanteiga]

This error also occurs in a project I am currently working on.

Error

OSStatus error:[-34018] Internal error when a required entitlement isn't present, client has neither application-identifier nor keychain-access-groups entitlements.

NOTE: The error appears on Xcode console. The app does not crash.

Facts

1. Xcode version is 8.0 (8A218a).
2. Our project uses Swift version 2.3.
3. Our project uses the version 2.4.0 of this library (https://github.com/kishikawakatsumi/KeychainAccess)
4. The error occurs while running the app in an iOS 10 simulator instance.
5. The error does not occur while running the app in an iOS 9.3 simulator instance.
6. The error occurs either the Keychain instance is created without any arguments or setting just the "storeService" parameter.
7. The error does not occur if the keychain-access-group entitlement is set for the target.
8. The error occurs if the entitlements file is set but empty.
9. The error DOES NOT OCCUR while running the app on an iPhone with iOS 10!!!

Hypothesis

iOS 10 simulator or Xcode bug. 😞 (Even maybe a regression bug...)

Related

• https://forums.developer.apple.com/thread/62847 points to the bug hypothesis.

[biku]

if you use .synchronizable(true) try turning iCloud in Capabilities tab and selecting Services: CloudKit

For me, everything worked fine on simulator. If keychain-access-group entitlement is configured, everything works, remove it and it fails. That until I put it on a device.
After debugging it for hours, reading Apple's thread on devforums I arrived at a conclusion, that iCloud enabling the keychain with .synchronizable(true) is ignored in simulator, but not on device.
After turning iCloud in Capabilities tab and selecting Services: CloudKit, it started working. Turned it off and it still works. It appears that turning it on, allowed the keychain to be reset somehow.

Repeated the same on two different iOS10 devices with the same result -> initial crash with -34018 error. Turning iCloud entitlement on and it goes away, after which iCloud can be turned off.

[x4080]

Here's my experience with it :

• Background : Xcode 8, iOS 10 simulator, iPhone iOS 9.3.3, iPhone iOS 8, free developer certificate (6days limit)
• keychain sharing : on
• simple code : (on button click)

        let keychain = Keychain(service: "somewhere")
        keychain["kishikawakatsumi"] = "works"
        let token = keychain["kishikawakatsumi"]
        print(token)
        label.text=token

Result :

• iOS simulator : works
• iPhone iOS 8 : works
• iPhone iOS 9.3.3 : works only when running from xcode, not working if the same app is running from device

Is it because of the free developer certificate in iOS 9 that cannot open key chain ? If so why it can work when running from Xcode

Maybe it can help somehow

[thebluepotato]

@kishikawakatsumi From the Xcode 8.1 GM release notes :

Known Issues - Simulator
Keychain APIs may fail to work in the Simulator if your entitlements file doesn’t contain a value for the application-identifier entitlement. (28338972)
Workaround: Add a user-defined build setting to your target named ENTITLEMENTS_REQUIRED and set the value to YES. This will cause Xcode to automatically insert an application-identifier entitlement when building.

[ovidiomanteiga]

@thebluepotato Although "Xcode 8.1 Release Notes" say exactly the same, I could not make it work yet using Xcode Version 8.1 (8B62)...

[hons82]

@tolkiana thanks a lot. I did both mocking for unit tests and sample app for graphical testing.

I'm using an enterprise profile, and I didn't need an entitlements file for devices running iOS 9 and 10. The only place I need that file is when I run it on simulator. There I need to switch on keychain sharing

[thebluepotato]

@kishikawakatsumi From the Xcode 8.2 beta release notes :

Resolved in Xcode 8.2 beta - IDE
Keychain APIs work correctly in Simulator. (28338972)

[etayluz]

@thebluepotato have you tried this yet on Xcode 8.2 beta and confirmed that the issue has been resolved?

[gothedistance]

I encounter same issue yesterday. Probably, it is a simulator bug on XCode8.1.

On my Xcode, when using iOS 10 Device Simualtors(iPhoneSE / iPhone7), this error always shows on console, but does NOT show any errors on using iOS9.x one.

Here's my code. this works fine with iOS9.x Simualtors, iPhone6s(iOS9.3), iPad Pro(iOS10.1)

    let keychain = Keychain(service: "MY SERVICE ID")
    keychain["auth_token"] = token

My Background as below. license type may not affect on this error.

• XCode8.1/ Swift3
• Keychain sharing OFF
• install this library via carthage.
• Deployment target 9.0
• Apple Developer Program / Entity Type:Company / Organization

[forsan]

Same issue here when I use accessGroup and run in real device.

• Xcode 8.1.
• iPhone 6 plus.
• Swift 2.3

I solved it by:
First I Turn on the Keychain Sharing capability.

Then adding "App ID prefix" AB123CDE45.example like this
let keychain = Keychain(service: "name", accessGroup: "AB123CDE45.example")

Source: http://evgenii.com/blog/sharing-keychain-in-ios/

[haashem]

I have enabled keychain sharing. but problem is some times keychain works. and some times can't fetch from from keychain and throws error: "Internal error when a required entitlement isn't present, client has neither application-identifier nor keychain-access-groups entitlements."

does anyone have any idea?

[ovidiomanteiga]

I have already tried and it worked on Xcode 8.2 (8C38)❗️

[haashem]

I figured it out. my keychain was corrupted. I think because my device is jailbroken

[kishikawakatsumi]

I believe it was fixed by Xcode 8.2

[yuanjilee]

if anyone only crash with accessGroup, @forsan give the true answer!

or you can see directly: http://evgenii.com/blog/sharing-keychain-in-ios/

[8secz-johndpope]

probably spent 10 more minutes on this than necessary
http://evgenii.com/blog/sharing-keychain-in-ios/

Keychain(service: "com.8secondz.ios.token", accessGroup: "AB123DE123.8secondz")
this solved the day.

perhaps it would be clearer with a helper to spoon feed clarity
Keychain(service: "com.8secondz.ios.token", appIdentifier: "48K8QNQU37", groupIdentifier:"8secondz")

[520]

Interface of Xcode is a little bit changed in version 11.6. It looks like this. In my case, I use keychain in my watch. I need to add capability of Keychain sharing to watchkit extension and add a group name and fill it into aceessGroup: "Your-App-ID.Your-Group-Name"