Blessed pattern for detecting key invalidations on reinstall

The WWDC session mentioned that attestation keys survive app updates but not reinstalls. So it seems like if I try to create an assertion after reinstall from the key I pull from keychain, and include that assertion in my API payload to my backend, my backend will reject the assertion. Is there any mechanism for us to ask the client framework "is this key still valid"?

Thanks again, Lou

Answered by Engineer in 891160022

Hi Lou:

So it seems like if I try to create an assertion after reinstall from the key I pull from keychain, and include that assertion in my API payload to my backend, my backend will reject the assertion.

Following re-install, the key will no longer exist in App Attest's bookkeeping, so when an assertion is attempted, it will fail with an error code. Thus, there will be no assertion for your app to send to your server.

Is there any mechanism for us to ask the client framework "is this key still valid"?

Calling the attestation or assertion API directly, with the key you think exists, is the best way for now :). That should be your signal to rotate the key if you are unable to attest/assert with it.
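The probe-then-rotate pattern the engineer describes, written out as an added Swift example (this is not code from the thread or from Apple). It assumes the app persisted a key ID somewhere that outlives a reinstall (the Keychain in practice; a hypothetical `KeyIDStore` backed by UserDefaults stands in here so the snippet is self-contained), that a `serverChallenge` was already fetched from the backend for the attestation step, and that App Attest reports the missing key as `DCError.invalidKey`; treat that last mapping as an assumption and confirm it against the error code you actually observe.

```swift
import DeviceCheck
import CryptoKit
import Foundation

/// Outcome of probing the stored key, as the answer above suggests.
enum AppAttestResult {
    /// The stored key still works; attach this assertion to the request.
    case assertion(keyID: String, assertion: Data)
    /// The stored key was gone (e.g. after reinstall); a fresh key was
    /// generated and attested. The server must verify this attestation
    /// object and register the new key ID before trusting assertions from it.
    case reattested(keyID: String, attestation: Data)
}

enum AppAttestClientError: Error {
    case unsupported
}

/// Hypothetical key-ID store. A real app would keep the key ID in the
/// Keychain; UserDefaults is used only to keep this example self-contained.
struct KeyIDStore {
    private let defaults = UserDefaults.standard
    private let name = "com.example.appattest.keyID"   // placeholder key name
    func load() -> String? { defaults.string(forKey: name) }
    func save(_ keyID: String) { defaults.set(keyID, forKey: name) }
    func clear() { defaults.removeObject(forKey: name) }
}

/// Ask App Attest for an assertion with the key we think exists. If the
/// framework reports the key as invalid (the reinstall case), drop it,
/// generate a new key and attest it so the server can register it.
func assertOrRotate(requestBody: Data,
                    serverChallenge: Data,
                    store: KeyIDStore = KeyIDStore()) async throws -> AppAttestResult {
    let service = DCAppAttestService.shared
    guard service.isSupported else { throw AppAttestClientError.unsupported }

    // clientDataHash binds the assertion to this request body; the server
    // recomputes the same SHA-256 when it verifies the assertion.
    let bodyHash = Data(SHA256.hash(data: requestBody))

    if let keyID = store.load() {
        do {
            let assertion = try await service.generateAssertion(keyID, clientDataHash: bodyHash)
            return .assertion(keyID: keyID, assertion: assertion)
        } catch let error as DCError where error.code == .invalidKey {
            // Assumption: App Attest surfaces a key it no longer tracks as
            // .invalidKey. Forget the stale ID and fall through to rotation.
            store.clear()
        }
        // Any other error (e.g. .serverUnavailable) propagates to the caller;
        // a transient failure is not a reason to throw the key away.
    }

    // Rotation: new key, attested over the server-issued challenge.
    let newKeyID = try await service.generateKey()
    let challengeHash = Data(SHA256.hash(data: serverChallenge))
    let attestation = try await service.attestKey(newKeyID, clientDataHash: challengeHash)
    store.save(newKeyID)
    return .reattested(keyID: newKeyID, attestation: attestation)
}
```

The catch clause is deliberately narrow: only the invalid-key case triggers rotation, so a network or Apple-side outage (`.serverUnavailable`) surfaces as an error the caller can retry rather than silently minting a new key. On the `.reattested` path the backend still has to verify the attestation object and bind the new key ID to the account before it accepts assertions from it, otherwise an invalidated key would simply be replaced by an unverified one.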
