square / valet Goto Github PK

Always getting this issue, I have implemented Valet in 2 of my apps for one app it works like charm as promised. But for the 2nd app every time I get the above Keychain error. I am using xcode 8. Please guide as if not worked i will have to do a lot of rework.

I even tried creating a sample also for simple reading and writing operation on Keychain, but still getting the same error.
Thanks in advance.

There are a lot of warnings in code around iOS 9.0 availabilities. e.g.:

#if ((TARGET_OS_IPHONE && __IPHONE_9_0) || (TARGET_OS_MAC && __MAC_10_11))
    if ([[self class] _iOS9OrLater] || [[self class] _macOSElCapitanOrLater]) {
        baseOptions = @{ (__bridge id)kSecUseAuthenticationUI : (__bridge id)kSecUseAuthenticationUIFail };
    } else {

Any plans on fixing those at all? Seems like can fix them easily by wrapping code inside:

if (@available(iOS 9.0, *)) {
    // ... 
}

I am using VALSecureEnclaveValet for storing some sensitive data.

My app needs to behave differently for use-case when user cancels the popup and when user disables PIN and then re-enables it.

Since VALSecureEnclaveValet's objectForKey:userPrompt: returns nil for both the cases, how do I differentiate?

kSecAttrAccount should be a String, but a developer can choose to store an NSData object there instead.

Exception:

2017-08-09 16:17:20.566 PaySDKDemo[9913:612370] -[__NSCFData isEqualToString:]: unrecognized selector sent to instance 0x6080002a0df0

Crash occurs here: https://github.com/square/Valet/blob/2.2.3/Valet/VALValet.m#L426

Code used to reproduce crash:

// Add an NSData object as the kSecAttrAccount entry
NSDictionary *keychainData = @{(id)kSecAttrService: [NSBundle mainBundle].bundleIdentifier, (id)kSecClass: (id)kSecClassGenericPassword, (id)kSecAttrAccount:[@"bar" dataUsingEncoding:NSUTF8StringEncoding], (id)kSecValueData:[@"foo" dataUsingEncoding:NSUTF8StringEncoding]};

// Manually add the entry above to the keychain
__unused OSStatus status = SecItemAdd((__bridge CFDictionaryRef)keychainData, NULL);

VALValet *keychain = // initialize a Valet keychain

// ** Crash **
[keychain migrateObjectsMatchingQuery:[SQLegacyKeychain migrationQueryWithService:[NSBundle mainBundle].bundleIdentifier] removeOnCompletion:YES];

@EricMuller22 @dfed

It'd be great for us to have a section highlighting the work we've done to make Valet instances thread-safe, and to recommend that adoptees don't use Valet objects on the main queue.

Credit to @AndrewSB for this suggestion!

I am storing & retrieving data using a VALSecureEnclaveValet with a Touch ID access control policy. But when I read the data out of the keychain via Valet, the user is not prompted for their fingerprint but the data is read, anyway.

Here is my implementation:

let valet = VALSecureEnclaveValet(identifier: Constants.valetIdentifier, accessControl: .touchIDAnyFingerprint)

let secretStringKey = "secret"

secureEnclaveValet.setString(secretString, forKey: "secret") 

// Expected: Touch ID prompt should be presented to user in order to read secret string
// Actual: No prompt appears, string is still read w/o any fingerprint verification
let secretString = secureEnclaveValet.string(
    forKey: "secret",  
    userPrompt: "Fingerprint required to read secret", 
    userCancelled: nil)

Am I implementing this incorrectly, or misunderstanding how this is supposed to work?

Any help is appreciated. Thank you.

Hi,

I'm currently working on a project, where I need to store some strings securely, but they cannot be backed up to iCloud. I know the synchronizable valet works across devices, but I couldn't find anywhere in the README about whether the valet is actually backed up to iCloud. So my question is basically as the subject: Is the standard VALValet backed up to iCloud?

I'm going to go through and get -real- OCD on AppleDoc style comments (@param, @return, @warning, etc. for our headers) here pretty soon.

Hello, thank you for great lib!
How can i get a persistent reference to the keychain item?

rdar://22395553 has been filed.

We're currently blocked from allowing this because we're using a tight inheritance tree, and VALSinglePromptSecureEnclaveValet's superclass rightly disallows use of allKeys and removeAllObjects.

To get around this limitation, we'll likely need to break apart the class hierarchy and use composition internally. The best time for this kind of change is likely during our transition to Swift.

For additional context, see #104 and #105.

Valet is awesome, but there doesn't appear to be a license we can use. Is Valet public domain? The License doesn't specify Square anywhere.

With touch ID now available on macOS 10.12.1 we should confirm that Valet works with it. This line indicates that we have some macOS support already, but we should verify. (I would but I'm not running 10.12 yet.)

Is it possible to change a specific VALValet's accessibility level?

For instance, let's say a VALValet had .always accessibility and now I want to make it .afterFirstUnlock.

The Apple docs say that it's possible, and there's even some sample code on StackOverflow, but is there a way to do this with Valet without having to migrate to a new VALValet with different accessibility?

Thanks.

If it does not currently, it would be nice to use this library on watchOS 2 (and update the Podspec file to declare this support). I’m happy to help do this, just putting this here to see if anyone else is already working on this.

A 'Missing Entitlements' error occurred. This is likely due to an Apple Keychain bug. As a workaround try running on a device that is not attached to a debugger.

More information: https://forums.developer.apple.com/thread/4743

Guy, I got this issue in log when saving a string token to keychain on iOS 9

valet = VALValet(identifier:"com.abc.xyz", accessibility: .WhenUnlockedThisDeviceOnly)
valet!.setString(token, forKey: "token")

Any help?

Since I'm not actually sure how to do this, help is appreciated. Otherwise I'll dig in when I get time.

This method suddenly started returning false while it working just a moment ago and I didn't make any changes. Testing with a device. The documentation says "@return NO if the keychain is not accessible." but why is it not accessible? Thanks.

Started seeing the Could not find shared access group prefix error right after upgrading to OS X El Capitan. This is while running the app from Xcode 7.0.1 on a real device (iOS 9.0.2 on iPhone 6).

It happened one time when running the app itself. Removing and rerunning the app made it go away.

Happened a second time when running my app's share extension (which accesses the shared keychain group).

Happens when Valet is calling _sharedAccessGroupPrefix in VALValet.m. Valet asserts on:

VALCheckCondition(status == errSecSuccess, nil, @"Could not find shared access group prefix.");

Any ideas?

So as some of you may know Carthage is becoming a popular tool for handling dependencies. Carthage is currently iOS 8+ exclusive due to it using frameworks.

What are your thoughts on supporting this?

My basic understanding of how this would work is by duplicating the current static library targets.

Not an issue, but rather a suggestion:

It'd be awesome if you guys (Square) made something like this for Android. It is desperately needed (SharedPreferences is not encrypted, and the "Keychain" on Android is not meant for simple key-value pairs)

Love your guys's Open Source work!

Hello,
Can Valet use a custom keychain file on Mac OS X?

Thanks!

Currently unit tests are broken in Xcode 8 due to a change in how Xcode simulates the keychain in the unit test environment. In Xcode 8, both iOS and Mac unit test targets must both be hosted in a signed app that has permissions to access the keychain.

Here's the total to-do list:

• Host iOS and Mac unit test targets in a host app
• Sign the host app with a cert that is checked into the repository
• Amend README to mention the cert and how to use it
• Figure out how to add that cert to the keychain in Travis CI using the command line
• Change Travis CI Xcode version to Xcode 8

I'll tackle this in multiple PRs

http://postimg.org/image/bkohss797/219385d9/

I have been chasing an issue when even after I log out successfully, it logs me back in the next time.
(Disclaimer this is with Xcode debugger attached)

• call removeObjectForKey which returns YES, even though VALAtomicSecItemDelete returned -34018
• immediately call object:forKey to check which as expected returns nil, even though VALAtomicSecItemCopyMatching returned -34018
  => I am assuming that the sequence properly removed the key. However it did not.

So how am I supposed to call canAccessKeychain() after each call to make sure that they actually succeeded?

We should expose whether an item was found in the objectForKey: methods in VALSecureEnclaveValet the same way we expose userCancelled:. See discussion after #67 (comment)

cc @nijindal @EricMuller22

I want VALSecureEnclaveValet to support taking arbitrary SecAccessControlCreateFlags in the initializer. Currently only kSecAccessControlUserPresence is supported.

Would be awesome to use Valet with swift package manager!

It's waiting on Swift 3 support, so it's probably something to implement after v3.0, and after support for Swift 3 is fleshed out? Not sure if that's targeted as part of v3.0

Hey there,

Calling canAccessKeychain causes securityd and the calling process to spam the device log with messages about adding duplicates.

Every time it's called it prints about 4 messages to the log.

I see that this is some sort of "optimization":

https://github.com/square/Valet/blob/master/Valet/VALValet.m#L251

But IMHO I'm not seeing the real issue in calling containsObjectForKey. It probably spends more time logging the error than it would take to check the keychain.

IMHO2: canAccessKeychain isn't really something you call often since you know after launching/being unsuspended whether you're going to have access for that entire runloop (and can take out a background task assertion if you want to stay awake).

Is there something I'm missing? :)

Hi,

I'm having some issues exporting an app that has a framework included that uses Valet. It only uses VALValet, so it shouldn't require shared keychain as far as I'm concerned. Is there anything I'm missing? Xcode says:

No matching provisioning profiles found for "App"
None of the valid provisioning profiles allowed the specified entitlements: application-identifier, keychain-access-groups.

Hello,

I am using Valet to store sensible credential, like access token for authenticate the user in my app.
When I store it, I can't retrieve it, it's always nil.

class KeychainAccessManager {
    private var valetManager: VALValet?
    private static var sharedInstance = KeychainAccessManager()

    init() {
        self.valetManager = VALValet(identifier: "app.id", accessibility: .WhenUnlocked)
    }

    static func stringForKey(key: String) -> String? {
        print("[🔐] Keychain storage get {\(key)} manager : [\(self.sharedInstance.valetManager)]")

        return self.sharedInstance.valetManager?.stringForKey(key)
    }

    static func setString(string: String, key: String) {
        print("[🔐] Keychain storage set {\(string)} {\(key)} manager : [\(self.sharedInstance.valetManager)]")
        self.sharedInstance.valetManager?.setString(string, forKey: key)
    }

    static func removeString(key: String) {
        print("[🔐] Keychain storage remove {\(key)} manager : [\(self.sharedInstance.valetManager)]")
        self.sharedInstance.valetManager?.removeObjectForKey(key)
    }
}

I use this class to wrap the storage, but when I restart the app, I check if there is a token stored on it, it's always nil, so the user currently has to log every time.

Thanks in advance.

Is there a specific reason why setObject only takes NSData?

I am seeing the following in my valet error log constantly:

29/Aug/2016:19:55:54 +0200 [ERROR 502 /server.php] Conn.Write wrote more than the declared Content-Length

I've added the following entitlement to both applications:

<key>keychain-access-groups</key>
<array>
	<string>$(AppIdentifierPrefix)sharedKeychain</string>
</array>

And I've tried the following:

iOS/app launched:

    valet = [[VALSynchronizableValet alloc] initWithSharedAccessGroupIdentifier: @"sharedKeychain"
                                                                           accessibility: VALAccessibilityWhenUnlocked];

    NSString * data = [valet stringForKey: @"key"];
    if(nil == data)
    {
        [valet setString: @"hello world" forKey: @"key"];
    }

macOS/app:

    valet = [[VALSynchronizableValet alloc] initWithSharedAccessGroupIdentifier: @"sharedKeychain"
                                                                           accessibility: VALAccessibilityWhenUnlocked];

    NSString * data = [valet stringForKey: @"key"];

    // Data is always nil?

I'm not sure why the data is coming out nil. Ive tried manually saving data on the macOS version and loading and that works fine, but I cannot seem to get the two apps to synchronize with each other. Any thoughts on what I'm doing wrong?

Prompting for TouchID using LAContext uses a completion handler on another queue. However, the direct prompt through the keychain (and Valet obviously), just seems to be a direct, synchronous call. Is that correct? Is there anything we need to be aware of here in regards to proper queue usage? What happens if the user doesn't confirm for 30 seconds? Is this blocking the main queue or not? Should I be wrapping these calls in my own asynchronous solution?

I'm using Valet component with Xamarin;
it works well and is easy to use But ...

But - it seems that data stored in Valet persists even after the application has
been deleted from the device. I have 2 apps and use the shared data feature
so each app can know the other is on the device, but that data persists even
when the app has been deleted.

Is this a bug or feature? Is there some way to have the data removed
when the application is removed?

I noticed that the dSYM is not included in the framework zip that Carthage downloads. We like to include those in the Build Products folder, so we get full backtraces. Is it possible to include it?

Hey, Do you know if its possible to use the same instance across threads ?

We have an issue where we can write but we don't get the data back when reading. However when we run this on the main queue it is okay.

It'd be good to cover what the identifier does, how the identifier and Valet types/accessibility configurations interact, and the differences between identifiers on iOS and macOS.

Shout out to @gfontenot for the suggestion

I share keychain items among 3 apps developed by me. How to remove all items in the Keychain when the last app is uninstalled?

• Rewrite Touch ID test app in Swift (to feel out pain points in the current Objective-C API)
• Migrate unit tests to Swift
• Move to Framework only builds and bump minimum iOS version to 8.0
• Use .modulemaps to move to a mixed Swift/Objective-C framework
• Swift API shim (using Objective-C implementation under the hood)
• Objective-C interop test
• Swift implementation

Can you add a method with withTimeoutInterval parameter, when it's time, call removeObjectForKey method.

Valet has two methods which match the name, but not the return type of two common methods in Cocoa.

- (BOOL)removeObjectForKey:(NSString *)key;
- (BOOL)removeAllObjects;

Foundation has 5 classes with these methods, and all of them share void return type. The difference breaks build in projects which invoke these methods on id. Xcode shows a compiler error: “Multiple methods named ‘removeObjectForKey:’ found with mismatched result, parameter type, or attributes”.

Objective-C generics help avoid the problem, and it’s trivial to modify Valet when using it in a project with conflicts. I do, however, think that Valet should avoid conflicts with established method signatures from Foundation. I understand that may not want to change this, and I just wanted to get this on your radar and find out what you think.

Thank you for the work on Valet.

We are developing an application that stores an encryption key on a VALSecureEnclaveValet protected by VALAccessControlTouchIDCurrentFingerprintSet. We want to protect the key with TouchID but we do not want to request the TouchID everytime we need the key because we use it at almost every screen of our app to decrypt the data displayed on screen. We want to request TouchID once and keep access to the key "authenticated" while our session is alive. Keeping the key in memory for a long time is not an option for us.

We have achieved the behavior we want passing a LAContext object at kSecUseAuthenticationContext at the [VALValet stringForKey:options:] options dictionary. But this is a protected method and we cannot call it without modifying your library code. Do you plan to add the possibility to pass a LAContext to [VALSecureEnclaveValet stringForKey]? Or could you suggest me a better way to implement this functionality?

Thanks

This might be a wont fix, but VALAccessibility and VALMigrationError, e.g., don't follow the standard of prefixing all enum values with the enum type itself.

That is, rather than VALAccessibleWhenUnlocked, it would be VALAccessibilityWhenUnlocked.

I can understand that the former is more readable when typed out, but it breaks the Cocoa convention and creates slightly more verbose Swift code.

Hi There,

The iPhoneX warns that TouchID is being used and asks the user if they would rather use Face ID. Are there any plans to default to FaceID on the iPhoneX to prevent this message?

Thanks,
Steve

$ dwarfdump --uuid Valet.framework/Valet 
UUID: 72092919-8C2C-37A4-9F37-79B65A8FE149 (armv7) Valet.framework/Valet
UUID: A212FAB9-F4F3-3BD7-B969-906EB663C99E (arm64) Valet.framework/Valet

It would appear that the simulator slices (x86-64 and i386) are missing. On a normal framework built by Carthage, all are present.

So I have a VALValet as such:

static let sharedValet = VALValet(identifier: Key.identifier.rawValue, accessibility: .afterFirstUnlockThisDeviceOnly)!

Most of the time it works fine. However, I'm running into rare, non-repeatable read failures for values which were stored in it (which I'm sure succeed). Are there any read failure scenarios I should be aware of? There isn't really a lot of insight into why a read failed as Valet just assumes it was because the value was never there to begin with. So what are my options here?

I got this error when I tried to build including the Valet framework, installed via Cocoapod.

• Valet v2.3.0
• Cocoapod v1.2.0
• Xcode 8.0
• Swift3-Compatible Project