Secure storage crashes with: "A required entitlement isn't present" on MacOS #804

Open
KonstantinRr opened this issue Oct 11, 2024 · 9 comments


@KonstantinRr

Secure storage crashes with this message on macOS:

PlatformException(Unexpected security result code, Code: -34018, Message: A required entitlement isn't present., -34018, null)

It works fine in debug mode so it's likely an issue with the release entitlements. I followed the guide and added the keychain-access-groups in the macos/Runner/Release.entitlements and DebugProfile.entitlements:

	<key>keychain-access-groups</key>
	<array>
		<string>$(AppIdentifierPrefix)com.company.myapp.basis-keychain</string>
	</array>

I'm then initialising secureStorage with:

const secureStorage = FlutterSecureStorage(
  mOptions: MacOsOptions(groupId: 'basis-keychain'),
);

When I then call the following I get the PlatformException.

secureStorage.write(key: 'some_key', value: 'some_value');

What could be the issue?

Thanks!

Environment:
MacOS 15.0.1

Flutter doctor:

[!] Flutter (Channel stable, 3.24.3, on macOS 15.0.1 24A348 darwin-arm64, locale en-GB)
    • Flutter version 3.24.3 on channel stable at /opt/flutter
    ! Warning: `dart` on your path resolves to /opt/homebrew/Cellar/dart/3.5.3/libexec/bin/dart, which is not inside your current Flutter SDK checkout at /opt/flutter. Consider adding /opt/flutter/bin to the front of your
      path.
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision 2663184aa7 (4 weeks ago), 2024-09-11 16:27:48 -0500
    • Engine revision 36335019a8
    • Dart version 3.5.3
    • DevTools version 2.37.3
    • If those were intentional, you can disregard the above warnings; however it is recommended to use "git" directly to perform update checks and upgrades.

[✓] Android toolchain - develop for Android devices (Android SDK version 34.0.0)
    • Android SDK at /Users/konstantinrr/Library/Android/sdk
    • Platform android-34, build-tools 34.0.0
    • ANDROID_HOME = /Users/konstantinrr/Library/Android/sdk
    • Java binary at: /Applications/Android Studio.app/Contents/jbr/Contents/Home/bin/java
    • Java version OpenJDK Runtime Environment (build 17.0.10+0-17.0.10b1087.21-11572160)
    • All Android licenses accepted.

[✓] Xcode - develop for iOS and macOS (Xcode 16.0)
    • Xcode at /Applications/Xcode.app/Contents/Developer
    • Build 16A242d
    • CocoaPods version 1.15.2

[✓] Chrome - develop for the web
    • Chrome at /Applications/Google Chrome.app/Contents/MacOS/Google Chrome

[✓] Android Studio (version 2023.3)
    • Android Studio at /Applications/Android Studio.app/Contents
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 17.0.10+0-17.0.10b1087.21-11572160)

[✓] VS Code (version 1.83.1)
    • VS Code at /Applications/Visual Studio Code.app/Contents
    • Flutter extension version 3.98.0

[✓] Connected device (4 available)
    • iPhone (mobile)                 • 00008101-001E4D201145001E • ios            • iOS 18.0.1 22A3370
    • macOS (desktop)                 • macos                     • darwin-arm64   • macOS 15.0.1 24A348 darwin-arm64
    • Mac Designed for iPad (desktop) • mac-designed-for-ipad     • darwin         • macOS 15.0.1 24A348 darwin-arm64
    • Chrome (web)                    • chrome                    • web-javascript • Google Chrome 129.0.6668.91

[✓] Network resources
    • All expected network resources are available.

! Doctor found issues in 1 category.
@KonstantinRr
Author

I also tried leaving groupId empty and not defining any keychain-access-groups as defined in the documentation here. But that also doesn't work.

@nikolaihen

I have the exact same issue, and I've also tried to follow the documentation to a point without success. This is only an issue in release mode where the app simply crashes when trying to open it.

@milesegan

I'm seeing this too and so far haven't been able to find a fix. It does seem to be an exception you can catch and log though so the app can keep running.

@drunisa007

drunisa007 commented Nov 12, 2024

Set "NO" in CODE_SIGN_INJECT_BASE_ENTITLEMENTS in the Project Runner Build Settings.
Set "--timestamp" in OTHER_CODE_SIGN_FLAGS in the Project Runner Build Settings.

codesign --force --options runtime --timestamp -s 'Developer ID Application: HiMyTeam (DJ333BY)' --deep --strict --preserve-metadata=entitlements "desired path of framework or build that you want to re-sign" -vvv

You can check the error log when notarizing your app:
xcrun notarytool log 7d4d4c0a-65dc-4112-b2c2-686c5e0d9296 --key macos/key.p8 --key-id "keyid" --issuer "issuer_id"

Or just use a Developer ID Application provisioning profile for the release build, so that you don't need to redo the code signing.

Follow this documentation for notarization.

@milesegan

It looks like the --preserve-metadata=entitlements flag to codesign was the thing I was missing. Without that, codesign seems to strip the entitlements from the build.

@milesegan

Ok actually --preserve-metadata=entitlements kept the entitlements but then the app wouldn't run.

What seems to have worked is this flag: --entitlements macos/Runner/Release.entitlements.

@drunisa007

drunisa007 commented Nov 15, 2024


Oh I see, when I build with flutter build macos --release the entitlement is already included. So the --preserve-metadata=entitlements flag is used for my third-party framework.

If we are re-signing the whole .app contents, then yes, --entitlements macos/Runner/Release.entitlements is the correct one.
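
A check for the failure discussed in this thread, where a manual codesign pass leaves the bundle without the entitlements declared in Release.entitlements: compare the source file against what the signed bundle actually carries. This is an added example, not code from the thread or from flutter_secure_storage; the team prefix ABCDE12345 and the sample plists are constructed, and `signed_entitlements` assumes a macOS host whose codesign accepts `--xml`.

```python
import plistlib
import subprocess

PREFIX_VAR = "$(AppIdentifierPrefix)"  # Xcode expands this to "<TeamID>." when signing

def signed_entitlements(app_path):
    """Entitlements embedded in a signed bundle (macOS only, not exercised offline)."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", app_path],
        check=True, capture_output=True).stdout
    return plistlib.loads(out) if out.strip() else {}

def _matches(want, have):
    # "$(AppIdentifierPrefix)x" matches "<prefix>.x" but not a literal, unexpanded copy.
    if isinstance(want, str) and want.startswith(PREFIX_VAR):
        suffix = "." + want[len(PREFIX_VAR):]
        return isinstance(have, str) and have.endswith(suffix) and have != suffix
    return want == have

def missing_entitlements(source, signed):
    """Return {key: lost value(s)} for entitlements in `source` absent from `signed`."""
    problems = {}
    for key, want in source.items():
        have = signed.get(key)
        if isinstance(want, list):
            have = have if isinstance(have, list) else []
            lost = [w for w in want if not any(_matches(w, h) for h in have)]
            if lost:
                problems[key] = lost
        elif key not in signed or not _matches(want, have):
            problems[key] = want
    return problems

# Constructed sample: a Release.entitlements file like the one in the issue.
SOURCE = plistlib.loads(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>keychain-access-groups</key>
  <array><string>$(AppIdentifierPrefix)com.company.myapp.basis-keychain</string></array>
</dict></plist>""")
# Constructed samples: a correctly signed bundle and one whose entitlements were dropped.
SIGNED_OK = {"com.apple.security.app-sandbox": True,
             "keychain-access-groups": ["ABCDE12345.com.company.myapp.basis-keychain"]}
SIGNED_STRIPPED = {}

if __name__ == "__main__":
    print("ok build:      ", missing_entitlements(SOURCE, SIGNED_OK))
    print("stripped build:", missing_entitlements(SOURCE, SIGNED_STRIPPED))
```

On a Mac, pass `signed_entitlements("path/to/Your.app")` as the second argument after every signing or re-signing step; a non-empty result means the bundle lacks an entitlement the source file declares.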

@milesegan

However after making this change I had some issues with getting the Sparkle update to work correctly so I'm still trying to figure out what I need to do to make that work.

@DMoscicki

DMoscicki commented Nov 17, 2024

  1. Init your storage, something like this without options:
    FlutterSecureStorage storage = const FlutterSecureStorage();
  2. In Xcode, add yourself as a developer in Runner -> Signing & Capabilities -> Team
  3. Inside your project, add fields to the files macos/Runner/DebugProfile.entitlements and macos/Runner/Release.entitlements like this:
	<key>keychain-access-groups</key>
	<array>
		<string>$(AppIdentifierPrefix)here-is-keychain-group</string>
	</array>

That works for me.
