iOS Keychain access and Provisioning Profiles - ios

Just came across this on Apple Keychain Services Concepts:
Note: On iPhone, Keychain rights depend on the provisioning profile
used to sign your application. Be sure to consistently use the same
provisioning profile across different versions of your application.
I also know that provisioning profiles can change for many reasons, including adding a new functionality like push notification, adding watch support, or even adding a new team member.
Now am I correct to assume that whenever the above changes occur, new versions of my app will no longer be able to access keychain items that were created with previous versions?
Thanks!

I don't think your assumption is right. The Keychain Access only depends on the bundle identifier of your application and the profile which was first used to create the app. If it would depend on your code-provisioning profiles changes, indeed what you said would be correct, but if so, the businesses and the enterprises would be totally unable to develop updates for their applications, which would have also included the old info stored in the Keychain. That's because in a business, people come and leave often!
Note: On iPhone, Keychain rights depend on the provisioning profile used to sign your application. Be sure to consistently use the same provisioning profile across different versions of your application.
You can add a team member, configure push notification services and so on, as long as the provisioning profile stays the same.
Note: If you change the provisioning profile just to add a team member, yes, your assumption is right, but it just isn't the best way of doing this. Rather, I recommend reading this tutorial (on how to add a team member to a provisioning profile).

Keychain directly depends on the bundle ID; if the bundle ID remains the same, then your app can access the keychain, so the provisioning profile should map to the same bundle ID if the app needs to access the keychain.

Related

Xcode Signing - Failed to create provisioning

Here's the story:
I created a free developer account to build an app for a client.
I used this info for the Identity and Signing:
It came time to upload the app to TestFlight and to use the client's developer account.
I created the account in Xcode using their Apple ID and updated the signing like so:
But now I got this error.
It was clear, so I updated the Bundle Identifier to this:
But again, now I am getting a different error, and I don't know what to do.
I do not have an iOS device to register, nor do I care to get one, since I'm not doing the testing - they are.
I did create an app in the App Store Connect, and it is set up like so:
As you can see I created it to match the Bundle ID from before and still no luck.
Any help is greatly appreciated. I just want to be able to get my Xcode project onto TestFlight using someone else's developer account (with their consent of course).
It needs to have at least one iOS device registered in order to create the development profile. Ask your client for the UDID of one of their devices and add that manually to the developer portal. If they don't have one handy, feel free to use: f978c5f2e861f71b340125a4fa8d130a6254a0b3 which will work.
Alternatively, switch to manual signing and do everything manually. That's my preferred method, but some say Xcode is finally good at managing profiles etc for you.
The only way to do this without a device is to turn off "Automatically manage signing" and manage everything at the Member Center.
You will need the distribution identity / certificate first. If the team already has one, you will need them to export it to you; otherwise you cannot upload.
Then register the app.
Then make a development certificate, and a distribution certificate for the app store, and download and install them.
Now you can archive and then export to the app store.

Can't Access Keychain After Revoking Distribution Certificate

I am working on a project which is already in the App Store, submitted by a different developer. Now I am trying to submit an updated version of the app with a different version and build number. I am not able to access previously stored keychain values.
Here are the steps I did:
1. Revoked the old distribution certificate created by another person and created a new one with my machine.
2. Regenerated the provisioning profile which was used by the previous developers.
3. Code signed and submitted to the App Store.
4. Downloaded the old build from the App Store.
5. Installed the updated build from TestFlight.
Now I am not able to access the keychain values already stored.
Now what can I do to retrieve the old keychain value? I have also checked the team ID for Keychain group access; it is the same as the old one. Is there any way I can retrieve the old keychain values?
Here is a brief answer which may help you to resolve your issue:
keychain group which is tied to your team identifier. So, basically,
access to keychain after app updates depends on distribution
certificate you use, not on the provisioning profile
So if you are saying you revoked all the old certificates and used the new certificate (that you created), access to keychain groups will be lost for this version.
Finally I got a solution from the Apple guides:
Note: In iOS, Keychain rights depend on the provisioning profile used
to sign your application. Be sure to consistently use the same
provisioning profile across different versions of your application.
https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/iPhoneTasks/iPhoneTasks.html

"None of your accounts are a member of XXXXX" trying to set an app group

I've developed an app for a customer who has their own Apple account and profiles etc.
They have given me their development profiles and dev keychain certificate and want me to deliver the app to them signed with their dev profiles which they will then replace with app store distribution profiles.
I'm having a problem adding an app group to the capabilities. When I click on the + button to add an app group I get the following error:
These are the signing settings. When their developer provisioning profile was imported as the signing profile, Xcode set the Team to "Unknown Name (XXXXX)", so it must have pulled that team name from the profile.
In Xcode's accounts I only have my own Apple IDs added; I don't have their Apple ID added (it's not possible to without knowing their password though? Something I won't get). I presume this might be why I am getting that error code?
Is there any way of adding the group ID to the project without having to add their Apple ID to Xcode's account section?
They have given me their development profiles and dev keychain certificate and want me to deliver the app to them signed with their dev profiles which they will then replace with app store distribution profiles
That whole approach is mistaken (as you now know). They have two choices:
You can just develop the app under your own banner, making all your own profiles as needed, and they can make all the necessary substitutions and other changes at their end when they have the code. Or:
They must make you formally a member of their team (e.g. an Admin), at least while you're working on the app.

Keychain access in iOS and provisioning profiles

I started to read the Keychain Services Programming Guide and in the Keychain Services Concepts there is a note:
On iPhone, Keychain rights depend on the provisioning profile used to sign your application. Be sure to consistently use the same provisioning profile across different versions of your application.
I don't understand this note... what if for example I need a build for adHoc deployment and I need to later edit the provisioning profile to add more devices? Or if I sometimes build the app for adHoc deployment with its appropriate adHoc provisioning profile, and another times I build it to use TestFlight with its provisioning profile for the App Store?
Thanks
I don't think that's true, I regenerate my provisioning profiles every year and haven't lost keychain access.
What exactly constitutes keychain "identity" is hard to pin down.
QA1726 seems to imply that your keychain access is based on BundleID Prefix/Team ID plus bundle ID. Although bundle IDs are allowed to differ if you use the keychain-access-groups entitlement.
I would also hazard that provisioning profile type now comes into play.
e.g. once upon a time I could read the keychain of the AppStore version of our app from an Ad Hoc version of the app, but not a dev version, but that seemed to stop working around iOS 7.
I hope somebody can contribute some slightly less conjectural information.
It says about every year the profile expires and is updated with a new one. This should be the same. See here, more here
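
An added example, not part of the posts above and not Apple's code: a pre-release check that compares the signed entitlements of two builds to see whether an update can still read the items its predecessor stored. It assumes the rule from Apple's keychain-sharing documentation that an app's access groups are its keychain-access-groups entries, then its application-identifier, then its app groups, with the first one being the default for new items; the team prefixes, bundle IDs and function names are constructed placeholders.

```python
import plistlib

def make_entitlements(app_id, keychain_groups=None):
    """Build a constructed entitlements plist, in the XML form that
    `codesign -d --entitlements :- MyApp.app` prints for a signed build."""
    ent = {"application-identifier": app_id}
    if keychain_groups is not None:
        ent["keychain-access-groups"] = keychain_groups
    return plistlib.dumps(ent)

def access_groups(entitlements_xml):
    """Ordered access groups of a build; the first is the default group
    that new keychain items land in when the app names none."""
    ent = plistlib.loads(entitlements_xml)
    ordered = list(ent.get("keychain-access-groups", []))
    ordered.append(ent["application-identifier"])
    ordered.extend(ent.get("com.apple.security.application-groups", []))
    # Drop duplicates while keeping order.
    return list(dict.fromkeys(ordered))

def check_update(old_xml, new_xml):
    """Return (ok, reason): can the new build read items the old build
    stored in its default access group?"""
    old_default = access_groups(old_xml)[0]
    new_groups = access_groups(new_xml)
    if old_default in new_groups:
        return True, "new build still holds " + old_default
    old_team = old_default.split(".", 1)[0]
    new_teams = {g.split(".", 1)[0] for g in new_groups}
    if old_team not in new_teams:
        return False, "team prefix changed from " + old_team
    return False, "same team, but " + old_default + " is not in keychain-access-groups"

# Constructed placeholder identifiers, not taken from the page.
OLD = make_entitlements("TEAMID1234.com.example.app")
RESIGNED = make_entitlements("TEAMID1234.com.example.app")    # regenerated profile, same IDs
OTHER_TEAM = make_entitlements("TEAMID9999.com.example.app")  # moved to another team
RENAMED = make_entitlements("TEAMID1234.com.example.app2")    # bundle ID changed
RENAMED_SHARED = make_entitlements(
    "TEAMID1234.com.example.app2",
    ["TEAMID1234.com.example.app2", "TEAMID1234.com.example.app"])

if __name__ == "__main__":
    for name, build in [("resigned", RESIGNED), ("other team", OTHER_TEAM),
                        ("renamed", RENAMED), ("renamed+shared", RENAMED_SHARED)]:
        print(name, check_update(OLD, build))
```

Under that rule, regenerating or renewing a profile leaves access intact as long as the team prefix and the listed groups are unchanged, which matches the yearly-renewal experience reported above.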

Wildcard provisioning profiles conflict in Xcode with multiple Apple IDs

I have several accounts configured in Xcode under Preferences/Accounts and I use Xcode to generate certificates.
It generated a wildcard provisioning profile for all the accounts I have, with the name iOS Team Provisioning Profile: * but I can't find a way to choose which client's wildcard profile do I want to use because I have different certificates for all of them and I'd like to use the appropriate profile with the right account for each client. Now I only see the one that was last updated.
Does anybody know how to solve this?
If you have some 3rd party plugins or any other tricks/hacks I'd more than love to hear those.
No, I don't think you can do anything about this; it's happening to me too. Xcode takes the wildcard ID of the last updated account which you add. If you want to use a specific account to sign your app with, you would have to use the developing profile corresponding to your bundle ID, which are generated by Xcode automatically.
