Testing the Keychain - OSStatus error -34018

Question

I'm trying to test code that reads and alters the keychain using the basic SenTest framework on Xcode. The code works fine on device, but when I start the test I get these errors every time I want to touch the keychain with SecItemDelete/SecItemAdd/etc.

The operation couldn’t be completed. (OSStatus error -34018 - client has neither application-identifier nor keychain-access-groups entitlements)

I have matching wildcard provisioning profiles (iOS Team Provisioning Profile: *) for both the build target and the test target.

These (unconfirmed) stack overflow answers:

Read from keychain results in errSecItemNotFound 25300

say that I need a provisioning profile matching my app identifier every time I use the keychain, but that can't be right, or I'd get the same errors outside of the test target.

Digging deeper, the (unconfirmed) answers here:

SecItemAdd and SecItemCopyMatching returns error code -34018 (errSecMissingEntitlement)

imply that there might be a bug within keychain and more generally Security.framework, which is frankly terrifying.

My question is; has anyone hit OSStatus error -34018 only when they were on a test-target? That appears to be the behavior I am seeing.

EDIT: Adding this answer that JorgeDeCorte used in his answer below.

This thread seems to contain the solution if the problem exits in your unit-test target.

https://devforums.apple.com/message/917498#917498

Basically you have to codesign your .xcttest folder by adding the following as a run script in your test target.

codesign --verify --force --sign "$CODE_SIGN_IDENTITY" "$CODESIGNING_FOLDER_PATH"

I got a lot of -34018 errors when testing my keychain on the device and this managed to fix it.

If the problem does not exist in your test target this is probably not the solution.

So I guess the solution is: force sign your test target.

Answer 1

To answer your question: Yes, I experience the same problem. It seems to work fine when running my app. But when I run my XCTests on my device it seems that the keychain returns error -34018. The strange thing is that it doesn't happen when I run the tests on the simulator.

EDIT: I found a solution which I have explained in this answer

Answer 2

I got this error when attempting to run keychain operations via Grand Central Dispatch. Find a way to instantiate your keychain (or keychain wrapper) on the main thread.

//results in code -34018
   static dispatch_once_t token;
    dispatch_once(&token, ^{
        keychain = [[KeychainWrapper alloc] init];

    });

//works fine
keychain = [[KeychainWrapper alloc] init];

Answer 3

Codesigning a .xctest bundle isn't as easy as it sounds in some cases. Principally JorgeDeCorte is right with his answer that the given short line as a Run Script is enough for most of the devs.

codesign --verify --force --sign "$CODE_SIGN_IDENTITY" "$CODESIGNING_FOLDER_PATH"

But when you have multiple certificates in your keychain this will fail with the following line

iPhone Developer: ambiguous (matches "iPhone Developer: Your Name (ABC123DEF45)" and "iPhone Developer: Your Name (123ABC456DE)"

A solution to get the right certificate even with multiple ones is this short script. For sure this is not ideal, but as of my knowledge you have no chance to get the certificate that Xcode found and uses for signing your .app.

echo "codesign --verify --force --sign \"$CODE_SIGN_IDENTITY\" \"$CODESIGNING_FOLDER_PATH\""
IDENTITIES=`security find-identity -v -s "Code Signing" | grep "iPhone Developer" | awk '{ print $2 }'`

for SHA in $IDENTITIES; do
    codesign --verify --force --sign $SHA "$CODESIGNING_FOLDER_PATH"
    if [ $? -eq 0 ]; then
        echo "Matching identity found: $SHA"
        exit 0
    fi
done;

exit 1

Answer 4

I also got the "OSStatus error -34018". I solved it by recreating my provisioning profile.