Hi Miguel,

On Wed, Sep 22, 2021 at 8:54 PM Miguel Arroz <[email protected]> wrote:
> If I understand correctly, this ends up being “group.$(APP_ID_IOS)”. I’m a
> bit surprised this doesn’t need the Team ID before “group”, as it definitely
> needs that in macOS.

Indeed it's prefixed with the team on macOS, but IIRC that never worked on iOS.

> - The openReference() function, because it’s not setting the same
> kSecAttrAccessGroup parameter when reading. The documentation mentions what
> happens when it’s not set
> (https://developer.apple.com/documentation/security/ksecattraccessgroup), I
> wonder if that changed (intentionally or due to a bug in iOS 15):
>
> > If you don’t explicitly set a group, keychain services defaults to the
> > app’s first access group, which is either the first keychain access group,
> > or the app ID when the app has no keychain groups.

For setting, but for reading/updating, that page says:

> By default, the SecItemUpdate, SecItemDelete, and SecItemCopyMatching
> methods search all the app’s access groups. Add the kSecAttrAccessGroup
> attribute to the query to limit the search to a particular group.

So in theory, it should be fine to omit that in openReference(). Adding it in there also doesn't cause any changes, unfortunately.

> None of these explain why the tunnel keeps working after upgrading to iOS
> 15 (if the on-demand flag is set

Oh, I didn't realize that was happening. Are you *sure* about that? Is the tunnel actually working? Or is it on, but crashing? When I go to enable the tunnel from the system preferences view of it, it starts and then stops, indicating the network extension couldn't open the keychain ref either. And in the log, I see the [NET] process indeed failing in the same spot as the [APP] process.

Jason
