Hi, we are trying to use the Apple Security API for Keychain Services.
- Using the common App Group: specifying the common app group in the "kSecAttrAccessGroup" field of the Keychain query allowed us to have a shared keychain for different apps (targets) in the app group, but this did not work for extensions.
- Enabling the Keychain Sharing capability: we enabled the Keychain Sharing capability in the extensions and the app target as well, giving a common Keychain Access group. Specifying this in the kSecAttrAccessGroup field also did not work. This was done in Xcode as we were unable to locate it in the Developer portal under Identifiers.
- We tried specifying "$AppIdentifier.KeyChainSharingGroup" in the kSecAttrAccessGroup field, but this did not work either.
The error code which we get in all these 3 cases when trying to access the Keychain from the extension is error code 25291 (errSecNotAvailable). The documentation says this error comes when "No Trust Results are available", and printing the error in Xcode using the status says "No keychain is available."
The online Documentation says that it is possible to share keychain with extensions, but by far we are unable to do it with the methods suggested.
Do we need any special entitlement for this or is there something we are missing while using these APIs?
We really appreciate any and all help in solving this issue!
Thank you
our earlier “Network Extension” tag was a mistake.
And presumably so was the reply you posted about 10 hours before this one |-:
Anyway, the behaviour you’ve described doesn’t gel with Network Extension at all, so I’ve re-tagged your thread accordingly.
When dealing with keychain sharing, there are two factors in play:
- Build time
- Run time
I’m gonna focus on the build-time stuff, because a) that’s where you seem to be stuck, and b) I’m not familiar with Matter extensions and there could be run-time restrictions I’m not familiar with.
So, regarding your build, you wrote:
Could you enable Keychain Sharing for these iOS App IDs … ?
There’s nothing for us to enable here. Every App ID supports keychain sharing [1].
To illustrate this:
- I used Xcode 26.1 to create a new test project from the iOS > App template.
- Within that, I created a new iOS > Matter Extension target.
- In Signing & Capabilities, I added the Keychain Sharing capability to both.
- And entered Test809012.shared into the list of keychain access groups.
- I built the app (for the device, not for the simulator).
I then started digging into the built product. First, here are the entitlements claimed:
% codesign -d --entitlements - Test809012.app
…
[Dict]
[Key] application-identifier
[Value]
[String] SKMME9E2Y8.com.example.apple-samplecode.Test809012
…
[Key] keychain-access-groups
[Value]
[Array]
[String] SKMME9E2Y8.Test809012.shared
% codesign -d --entitlements - Test809012.app/PlugIns/NotEnergy.appex
…
[Dict]
[Key] application-identifier
[Value]
[String] SKMME9E2Y8.com.example.apple-samplecode.Test809012.NotEnergy
…
[Key] keychain-access-groups
[Value]
[Array]
[String] SKMME9E2Y8.Test809012.shared
That is, both the app and the appex claim access to the SKMME9E2Y8.Test809012.shared group.
And here are the entitlements authorised by the profile:
% security cms -D -i Test809012.app/embedded.mobileprovision | plutil -p -
{
…
"Entitlements" => {
"application-identifier" => "SKMME9E2Y8.com.example.apple-samplecode.*"
…
"keychain-access-groups" => [
0 => "SKMME9E2Y8.*"
1 => "com.apple.token"
]
}
…
}
% security cms -D -i Test809012.app/PlugIns/NotEnergy.appex/embedded.mobileprovision | plutil -p -
{
…
"Entitlements" => {
"application-identifier" => "SKMME9E2Y8.com.example.apple-samplecode.*"
…
"keychain-access-groups" => [
0 => "SKMME9E2Y8.*"
1 => "com.apple.token"
]
}
…
}
In both cases the profiles authorise SKMME9E2Y8.*. This wildcard syntax allows the app to claim access to any keychain access group starting with SKMME9E2Y8., and that includes the SKMME9E2Y8.Test809012.shared group that the programs claim.
Note: The com.apple.token value is always present; it’s needed for iOS apps to access token-based credentials. Also, the above shows that Xcode chose to use my wildcard App ID, SKMME9E2Y8.com.example.apple-samplecode.*, rather than an explicit App ID. That’s because neither the app nor the appex claims any entitlements that require an explicit App ID.
AFAICT your team has two App IDs registered:
- S________S.c__.M_____.I________ for the app
- S________S.c__.M_____.I________.____________________ for the appex
Both of these support keychain sharing straight out of the box.
the “Keychain Sharing” toggle never appears for either App ID in the portal.
Right. That’s normal. The Developer website shows no UI for this capability because it’s always enabled for all App IDs [1]. The only reason Xcode shows it in Signing & Capabilities is so that you can configure the list of keychain access groups that you claim.
I recommend that you re-test this based on the explanation above. First try this in your app, making sure that you’re able to read and write the keychain access group that you claim. Then repeat the process for your Matter extension, to see if you run into any issues on that side of the fence.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Well, almost. This does include both explicit and wildcard App IDs, but it doesn’t include App IDs with a unique App ID prefix. Those are effectively deprecated and I’ve confirmed that they’re not involved here.
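The build-time comparison in the reply above (claimed keychain access groups versus the groups the profile authorises, with a trailing `.*` acting as a prefix wildcard) can be automated. The following Python script is an added example for this thread; it is not Apple's code nor anything posted in the thread. It assumes you have already decoded the two inputs to XML plists (the profile via `security cms -D -i …/embedded.mobileprovision`, the entitlements via the XML output of `codesign -d --entitlements`); both inputs here are constructed inline, mirroring the values quoted above, plus one constructed mismatch case to show what a failing check looks like.

```python
"""Cross-check the keychain access groups an app or appex claims against the
groups its provisioning profile authorises.  Added illustration; not Apple's
code.  Inputs are XML plists; the samples below are constructed."""
import plistlib

# Constructed sample: entitlements claimed by the appex, in XML plist form.
# Values mirror the codesign output quoted in the thread.
CLAIMED_APPEX = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>application-identifier</key>
  <string>SKMME9E2Y8.com.example.apple-samplecode.Test809012.NotEnergy</string>
  <key>keychain-access-groups</key>
  <array>
    <string>SKMME9E2Y8.Test809012.shared</string>
  </array>
</dict>
</plist>
"""

# Constructed sample: the decoded provisioning profile, trimmed to the keys
# this check reads (a real profile carries many more keys).
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Name</key>
  <string>Constructed sample profile</string>
  <key>Entitlements</key>
  <dict>
    <key>application-identifier</key>
    <string>SKMME9E2Y8.com.example.apple-samplecode.*</string>
    <key>keychain-access-groups</key>
    <array>
      <string>SKMME9E2Y8.*</string>
      <string>com.apple.token</string>
    </array>
  </dict>
</dict>
</plist>
"""


def claimed_groups(entitlements_xml: bytes) -> list[str]:
    """keychain-access-groups the binary claims (empty if it claims none)."""
    ent = plistlib.loads(entitlements_xml)
    return list(ent.get("keychain-access-groups", []))


def claimed_app_id(entitlements_xml: bytes) -> str:
    return plistlib.loads(entitlements_xml)["application-identifier"]


def authorized_groups(profile_xml: bytes) -> list[str]:
    """keychain-access-groups the profile's Entitlements dictionary permits."""
    prof = plistlib.loads(profile_xml)
    return list(prof["Entitlements"].get("keychain-access-groups", []))


def authorized_app_id(profile_xml: bytes) -> str:
    return plistlib.loads(profile_xml)["Entitlements"]["application-identifier"]


def pattern_matches(pattern: str, value: str) -> bool:
    """A profile entry is either an exact value or ends in '*', in which case it
    authorises any value that starts with the text before the '*'
    (e.g. 'SKMME9E2Y8.*' authorises 'SKMME9E2Y8.Test809012.shared')."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def unauthorized(claimed: list[str], authorized: list[str]) -> list[str]:
    """Claimed groups that no profile entry covers.  Empty means the build is
    consistent; anything listed would not be honoured at run time."""
    return [g for g in claimed
            if not any(pattern_matches(p, g) for p in authorized)]


def check_build(entitlements_xml: bytes, profile_xml: bytes) -> dict:
    """Summarise both checks for one binary/profile pair."""
    return {
        "app_id_ok": pattern_matches(authorized_app_id(profile_xml),
                                     claimed_app_id(entitlements_xml)),
        "unauthorized_groups": unauthorized(claimed_groups(entitlements_xml),
                                            authorized_groups(profile_xml)),
    }


if __name__ == "__main__":
    print(check_build(CLAIMED_APPEX, PROFILE))
    # Constructed mismatch: a group outside the team prefix is not authorised.
    print(unauthorized(["SKMME9E2Y8.Test809012.shared", "ABCDE12345.other"],
                       ["SKMME9E2Y8.*", "com.apple.token"]))
```

Run it once per binary (the app and each appex, each with its own embedded.mobileprovision); an empty `unauthorized_groups` list for every one of them is the build-time state the reply describes, and a non-empty list points at a claimed group the profile never covers.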