I notice when I enable Keychain Sharing in Xcode for my iOS app Xcode says it will "Add the Keychain Sharing entitlement to your App ID", and it does appear to connect to my account because I get a popup asking which developer account to use. However on the dev portal there's no visible change to any of my App IDs, and my provisioning profile isn't invalidated like it sometimes is when I change an app's entitlements. Keychain Sharing isn't a visible option to enable/disable in the App ID, either.
Does anyone know what Xcode is doing under the covers here? The local change to the entitlements file is obvious, but I'd like to understand the App ID side of it.
Keychain sharing is used when we want to share some data securely between two or more applications from the same developer. Suppose we want to share some critical data(like username and password) between two apps.
In Xcode, go to Project settings > Capabilities. Enable Keychain Sharing. Add a keychain group identifier. Use the same identifier for all of the apps you want to share state.
Keychain: The keychain is a secure and encrypted storage place for sensitive data. You can think of it is a database of sensitive information. Keychain Item: This is a registry in the keychain. Item Class: You can think of a class as a template of information you want to store.
Everything stored in iCloud Keychain is secure—it's protected by industry-standard encryption. Your iCloud Keychain can't be set up on another Mac or iOS or iPadOS device unless you approve it.
Every keychain item in iOS contains an attribute called the keychain access group. An iOS app can only access those keychain items it has permission to. This permission comes from the code signing entitlements stamped into the app when it is signed.
By default, an app can only access keychain items with the keychain access group matching the application-identifier code signing entitlement. However, if a developer wants to share keychain items amongst their apps, they can add a custom keychain-access-groups code signing entitlement that specifies an array of keychain access groups that the app can access.
Normally one creates keychain items without setting the access group attribute kSecAttrAccessGroup. In that case, Keychain Services will automatically set that attribute to the default value. If there is no keychain-access-groups entitlement, the default is the value of the application-identifier entitlement. Otherwise the default is the value of the first array element in the keychain-access-groups entitlement.
When using the Xcode Capabilities editor on the target settings pane to turn on Keychain Sharing, Xcode will add the required App ID Prefix (Team ID) to the front of any listed Keychain Group items at build time. You can see that in the generated entitlements file represented by the build setting $(AppIdentifierPrefix).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With