keychain and codesigning local dev

Trying to play around with Secure Enclave Protected keychain operations in a Tauri-based macOS app and running into issues.

After much digging and trial and error, here is my understanding and where I'm at:

  • To access these keychain-related APIs, the app must be codesigned, and have the following entitlements:
    <key>com.apple.application-identifier</key>
    <string>XXXXXXXXXX.com.myorg.myapp</string>
    <key>com.apple.developer.team-identifier</key>
    <string>XXXXXXXXXX</string>
    <key>keychain-access-groups</key>
    <array>
        <string>XXXXXXXXXX.*</string>
    </array>
  • Currently using a Development cert, generated from Xcode, not a paid account
  • I had to install the intermediate cert from https://www.apple.com/certificateauthority/
  • XXXXXXXXXX is the "Team ID", which can be found on my Development cert under Details > "Organizational Unit"
  • If I build the app and run it (without signing) I get code 34018
  • If I sign the app and try to run it, I am no longer able to boot it, with error:
The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed." UserInfo={NSLocalizedFailureReason=Launch failed., NSUnderlyingError=0x12a60a130 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153" UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}

Not quite sure what is missing - any help is much appreciated.
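As an added example (not code from the thread or from Apple), a small POSIX shell check that an entitlements fragment like the one above is internally consistent before signing: the application identifier and every keychain access group should carry the same team ID prefix as com.apple.developer.team-identifier, since those are checked against the provisioning profile. The function names and the placeholder team ID are choices made here.

```shell
# Added example, not from the thread: a pre-signing sanity check for an
# entitlements plist shaped like the fragment above (one <key>/<string> per line).
# The application identifier and every keychain access group should carry the
# same team ID prefix as com.apple.developer.team-identifier.
# Print "key<TAB>value" for each <string>, array members included.
plist_pairs() {
  awk '
    match($0, /<key>[^<]*<\/key>/) { key = substr($0, RSTART + 5, RLENGTH - 11); next }
    match($0, /<string>[^<]*<\/string>/) { printf "%s\t%s\n", key, substr($0, RSTART + 8, RLENGTH - 17) }
  ' "$1"
}
# Return 0 when the team ID is consistent across the three entitlements,
# 1 otherwise, naming each mismatch on stdout.
check_entitlements() {
  pairs=$(plist_pairs "$1")
  team=$(printf '%s\n' "$pairs" | awk -F'\t' '$1=="com.apple.developer.team-identifier"{print $2}')
  appid=$(printf '%s\n' "$pairs" | awk -F'\t' '$1=="com.apple.application-identifier"{print $2}')
  groups=$(printf '%s\n' "$pairs" | awk -F'\t' '$1=="keychain-access-groups"{print $2}')
  [ -n "$team" ] || { echo "missing com.apple.developer.team-identifier"; return 1; }
  status=0
  case "$appid" in
    "$team".*) ;;
    *) echo "application-identifier '$appid' is not prefixed by team ID $team"; status=1 ;;
  esac
  [ -n "$groups" ] || { echo "no keychain-access-groups entries"; status=1; }
  set -f   # the group pattern "TEAMID.*" must not be glob-expanded
  for g in $groups; do
    case "$g" in
      "$team".*) ;;
      *) echo "keychain access group '$g' is not prefixed by team ID $team"; status=1 ;;
    esac
  done
  set +f
  return $status
}

# Constructed sample with a placeholder team ID, mirroring the fragment above.
write_sample() {
  cat > "$1" <<'EOF'
<key>com.apple.application-identifier</key>
<string>XXXXXXXXXX.com.myorg.myapp</string>
<key>com.apple.developer.team-identifier</key>
<string>XXXXXXXXXX</string>
<key>keychain-access-groups</key>
<array>
    <string>XXXXXXXXXX.*</string>
</array>
EOF
}
```

On a Mac the same check can be run against what was actually signed by saving the output of `codesign -d --entitlements :- MyApp.app` to a file first.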

Answered by DTS Engineer in 830135022
Seemingly no way to generate one of these without paying for an Apple developer account

Well, not by hand, but you can generate them using Xcode and I don’t see any reason why you couldn’t use an Xcode generated one outside of Xcode.

I was able to launch the application, but was getting a blank screen.

Right. That’s not a failure mode associated with the trust execution system. If the trusted execution system was grumpy with your app, it’d prevent it from launching. Your first post showed an example of that.

I’m not sure why you’re seeing that, but it’s most likely something related to your third-party UI toolkit.

ps If you’re signing code by hand, see the advice in Creating distribution-signed code for macOS. That focuses on distribution signing, but the same general process works for development signing.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

More digging and I believe I understand now that I also need a provisioning profile that must be embedded in the app.

  1. Seemingly no way to generate one of these without paying for an Apple developer account, although I tried copying an Xcode-generated one for an Xcode-managed app with the same bundle id and entitlements into the bundle to see if that works. I was able to launch the application, but was getting a blank screen.