
iOS: Resigned app cannot access keychain through security API

We have an app we are writing for a customer. We compile the app and deliver an IPA to the customer, who then resigns the app using their provisioning profiles and keys.

The app works fine until the customer resigns it. Then it fails when accessing the keychain. We get messages in the device console like this:

... SecItemAdd: missing entitlement
... SecItemCopyMatching: missing entitlement

Logging the return codes, we are getting -25308 "Interaction with the Security Server is not allowed" from all SecItem* calls.

I've not been able to find anyone with this same problem and a solution.

Both the initial builds and subsequent code signings work and the app runs until it tries to access the keychain. When resigning, the customer is specifying the same app id we originally built it with. I've added an entitlements file as well.

I have noticed that the app id used in the provisioning profile the customer is using is different to the id in the app. However, the resigning works and the app runs, so I'm assuming at this point it's not an issue.

So far no luck.

Has anyone had this problem and solved it?

Thanks @borrrden for the replies. They gave me some good pointers.

I eventually got it all working. Here is what I found.

  1. Wildcard ids are fine. I had no problem using a wildcard id and accessing the keychain.

  2. The problem was that Xcode creates a set of entitlements dynamically based on the ids that it knows about at compile time. When the resigning occurred, the provisioning profile contained an app id which the generated entitlements did not match. Therefore iOS would not allow access.

  3. To solve this I created an entitlements file which I got the client to specify as part of the codesign arguments. This entitlements file contained a keychain access group that matches the new app id in the provisioning profile. I also had to add the correct team id to the front of the access group. Normally Xcode auto-inserts this.

  4. Data protection also had nothing to do with the issue.
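As an added example (not code from the question or the answer above), the check behind point 2 and the entitlements file from point 3 in Python: the two team ids, the bundle id and the profile contents are constructed sample values, and on macOS the real entitlements inside a profile can be read with `security cms -D -i profile.mobileprovision`.

```python
import fnmatch
import plistlib

# Constructed sample: entitlements carried by the customer's provisioning
# profile (on macOS, decode with `security cms -D -i profile.mobileprovision`).
PROFILE_ENTITLEMENTS = {
    "application-identifier": "NEWTEAM123.com.example.customerapp",
    "com.apple.developer.team-identifier": "NEWTEAM123",
    "keychain-access-groups": ["NEWTEAM123.*"],
}

# Constructed sample: what Xcode generated at build time, prefixed with the
# developer's own team id rather than the customer's.
XCODE_GENERATED_ENTITLEMENTS = {
    "application-identifier": "DEVTEAM456.com.example.customerapp",
    "keychain-access-groups": ["DEVTEAM456.com.example.customerapp"],
}

def build_entitlements(team_id, bundle_id):
    """Entitlements to hand to `codesign --entitlements` when re-signing.
    The team prefix is written literally: $(AppIdentifierPrefix) is only
    expanded by Xcode, never by codesign."""
    app_id = f"{team_id}.{bundle_id}"
    return {"application-identifier": app_id, "keychain-access-groups": [app_id]}

def check_entitlements(app_ents, profile_ents):
    """List the mismatches that leave SecItem* calls failing with
    'missing entitlement' (errSecInteractionNotAllowed, -25308)."""
    problems = []
    prefix = profile_ents["com.apple.developer.team-identifier"] + "."
    app_id = app_ents.get("application-identifier", "")
    # Wildcard app ids such as TEAM.com.example.* are accepted by the profile.
    if not fnmatch.fnmatchcase(app_id, profile_ents["application-identifier"]):
        problems.append(f"{app_id}: application-identifier not covered by profile")
    allowed = profile_ents.get("keychain-access-groups", [])
    for group in app_ents.get("keychain-access-groups", []):
        if not group.startswith(prefix):
            problems.append(f"{group}: team prefix is not {prefix}")
        elif not any(fnmatch.fnmatchcase(group, pat) for pat in allowed):
            problems.append(f"{group}: not granted by profile")
    return problems

def entitlements_plist(ents):
    """Serialize as the XML plist that codesign reads from --entitlements."""
    return plistlib.dumps(ents)
```

Running `check_entitlements` on the Xcode-generated set against the customer's profile reports both the application-identifier and the access-group prefix mismatch, while the set from `build_entitlements("NEWTEAM123", "com.example.customerapp")` passes cleanly.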
