Hello,
I would like to have MSAL login fully working in a Developer ID signed macOS application.
I am using the following library for adding MSAL support to my macOS app: https://github.com/AzureAD/microsoft-authentication-library-for-objc .
The MSAL login (even silent login via the MSAL broker) works fully via my company Entra ID when I run and test my local dev build.
But: when I build and sign and notarize my application with a company Developer ID signature, the login fails, and I see keychain access related issues in the MSAL library log entries.
The MSAL library requires the following keychain access groups to be enabled:
<string>$(AppIdentifierPrefix)com.company.app.bundle.id</string>
<string>$(AppIdentifierPrefix)com.microsoft.identity.universalstorage</string>
The above requirement is confirmed under these links: https://learn.microsoft.com/en-us/entra/msal/objc/howto-v2-keychain-objc?tabs=objc and also their sample app: https://github.com/AzureAD/microsoft-authentication-library-for-objc/blob/410256714ee0489d212c0cbd8772259a69e7d862/MSAL/test/app/mac/MSALMacTestApp.entitlements#L18
The problem seems to be that such keychain access groups access cannot be configured for Developer ID signed applications.
Would it be possible to enable such Keychain Access groups somehow for a Developer ID signed application?
Thank you for any help in advance!
DevForums is primarily focused on Apple APIs and tools, so I can’t offer specific help with this issue. It’s possible that another third-party developer has seen this before and can help you. If not, I recommend that you seek help via the support channel for the library you’re using.
However, I can address this:
The problem seems to be that such keychain access groups access cannot be configured for Developer ID signed applications.
There’s a bunch to unpack here. First up, macOS has multiple keychain implementations. For the details, see TN3137 On Mac keychain APIs and implementations. Keychain access groups imply that you’re using the data protection keychain.
Second, the data protection keychain is available to directly distributed programs that use Developer ID signing. See the intersection of the Keychain Sharing row and the Developer ID column in the table in Developer Account Help > Reference > Supported capabilities (macOS).
Third, that access must be authorised by a provisioning profile. If you’re building an app, or an app-like thing such as an app extension, that’s not a problem. Xcode takes care of all the details. If you’re building a standalone executable, like a command-line tool or a daemon, you have to jump through some hoops. See Signing a daemon with a restricted entitlement. And for more on provisioning profiles in general, see TN3125 Inside Code Signing: Provisioning Profiles.
Finally, keychain access groups must be prefixed by your Team ID [1]. This means that you can only share keychain items with other programs from the same team [2].
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Technically it’s your App ID prefix, but I strongly recommend that folks switch from using a unique App ID prefix to their Team ID as their App ID prefix. If you’re using a unique App ID prefix, lemme know and we can talk about your options.
[2] You can also use an iOS-style app group as a keychain access group, but iOS-style app groups are always associated with a specific team. For more on that, see App Groups: macOS vs iOS: Working Towards Harmony.
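The answer's last point (every keychain access group must be prefixed by your team's App ID prefix, normally the Team ID) and the entitlements fragment in the question are the kind of thing worth checking mechanically on the signed build rather than on the .entitlements source file. The following checker is an added example, not code from the thread, from MSAL, or from Apple. It parses an entitlements plist and flags three things: a group that is not prefixed by the expected App ID prefix, the app's own `<prefix>.<bundle id>` group being absent, and a literal `$(AppIdentifierPrefix)` that the build never expanded (the source file uses that variable; the entitlements baked into a signed app should contain the actual prefix). The team ID `TEAMID1234`, the bundle ID and both sample plists are constructed placeholders.

```python
"""Check the keychain-access-groups entitlement of a macOS app.

Added example (not from the forum thread, MSAL, or Apple). It implements
the rule from the answer above: keychain access groups must be prefixed by
the team's App ID prefix (normally the Team ID), and the app's own group
must be present. A literal $(AppIdentifierPrefix) left in the entitlements
means the build variable was never expanded before signing.
"""
import plistlib

# Constructed placeholders; substitute your own team ID and bundle ID.
TEAM_ID = "TEAMID1234"
BUNDLE_ID = "com.company.app.bundle.id"

# Constructed sample: what a correctly expanded entitlements plist looks like.
GOOD_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>keychain-access-groups</key>
  <array>
    <string>TEAMID1234.com.company.app.bundle.id</string>
    <string>TEAMID1234.com.microsoft.identity.universalstorage</string>
  </array>
</dict>
</plist>
"""

# Constructed sample: one group still carries the unexpanded build variable,
# the other is prefixed by some other team's ID.
BAD_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>keychain-access-groups</key>
  <array>
    <string>$(AppIdentifierPrefix)com.company.app.bundle.id</string>
    <string>OTHERTEAM1.com.microsoft.identity.universalstorage</string>
  </array>
</dict>
</plist>
"""


def check_keychain_groups(entitlements: bytes, team_id: str, bundle_id: str) -> list:
    """Return a list of human-readable problems; an empty list means the groups look right."""
    plist = plistlib.loads(entitlements)
    groups = plist.get("keychain-access-groups")
    if not groups:
        return ["keychain-access-groups entitlement is missing or empty"]

    prefix = team_id + "."
    problems = []
    for group in groups:
        if "$(" in group:
            # Xcode expands $(AppIdentifierPrefix) at build time; seeing it
            # in a signed app's entitlements means that step did not happen.
            problems.append(f"unexpanded build variable in group {group!r}")
        elif not group.startswith(prefix):
            # Groups from another team can never be granted to this app.
            problems.append(f"group {group!r} is not prefixed by App ID prefix {team_id!r}")

    own_group = prefix + bundle_id
    if own_group not in groups:
        problems.append(f"app's own group {own_group!r} is not listed")
    return problems


if __name__ == "__main__":
    for label, data in (("good", GOOD_ENTITLEMENTS), ("bad", BAD_ENTITLEMENTS)):
        found = check_keychain_groups(data, TEAM_ID, BUNDLE_ID)
        print(f"{label}: {found or 'no problems found'}")
```

To run this against a real build on a Mac, dump the entitlements that are actually baked into the signed app (`codesign -d --entitlements - --xml /path/to/App.app` on recent macOS versions) and pass those bytes to `check_keychain_groups` with your own Team ID and bundle ID; checking the .entitlements file in the project is not enough, because the variable expansion and the provisioning profile both happen at build and signing time.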