add group to ios signer config #442
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a4a1b2a808
| kSecPublicKeyAttrs mapsTo createCFDictionary { | ||
| kSecAttrApplicationLabel mapsTo alias | ||
| kSecAttrIsPermanent mapsTo true | ||
| kSecAttrApplicationTag mapsTo KeychainTags.PUBLIC_KEYS |
Apply tagOverride to generated public keys
When callers set IosSigningKeyConfiguration.tagOverride, the private key is created under the override tag but the public key is still written under the default tag here. storeKeyMetadata() and getSignerForKey() query PREFIX_PUBLIC_KEY + tagOverride, so key creation fails with errSecItemNotFound after generating an orphan default-tagged public key, and overridden keys are unusable.
| kSecPrivateKeyAttrs mapsTo createCFDictionary { | ||
| kSecAttrApplicationLabel mapsTo alias | ||
| kSecAttrIsPermanent mapsTo true | ||
| kSecAttrApplicationTag mapsTo KeychainTags.PRIVATE_KEYS | ||
| kSecAttrApplicationTag mapsTo (config.tagOverride?.let { KeychainTags.PREFIX_PRIVATE_KEY+it } ?:KeychainTags.PRIVATE_KEYS) |
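Review bot: the inline tag selection on the new kSecAttrApplicationTag line, `config.tagOverride?.let { KeychainTags.PREFIX_PRIVATE_KEY+it } ?:KeychainTags.PRIVATE_KEYS`, is hard to read (no spaces around `+` and `?:`) and easy to let drift apart from its public-key counterpart in kSecPublicKeyAttrs; factor the choice into one helper on the config or on KeychainTags that returns the private and public tags together and use it from both dictionaries. The previous line `kSecAttrApplicationTag mapsTo KeychainTags.PRIVATE_KEYS` still appears directly above the new one in this hunk, so confirm it is the removed line and that only one kSecAttrApplicationTag entry ends up in the dictionary.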
Store private keys in the configured access group
When createSigningKey is called with accessGroup, only the public-key attributes receive kSecAttrAccessGroup; the private key remains in the default group. A later getSignerForKey(... accessGroup = ...) returns a signer whose private-key lookup includes that access group, so signing fails with retrieve private key even though the public key and metadata were found.
| ?: throw UnsupportedCryptoException("Keychain access is unsupported outside of a Bundle") | ||
| Pair("supreme.privatekey-$bundleId", "supreme.publickey-$bundleId") | ||
| ?: throw UnsupportedCryptoException("Keychain access is unsupported outside of a Bundle. If you must, specify tagOverride, but here be dragons") | ||
| Pair("$PREFIX_PRIVATE_KEY$bundleId", "$PREFIX_PUBLIC_KEY-$bundleId") |
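Review bot: the new exception message "Keychain access is unsupported outside of a Bundle. If you must, specify tagOverride, but here be dragons" tells the caller to reach for tagOverride without saying what the override costs; replace "here be dragons" with the concrete caveat (a key created under an override tag is no longer derived from the bundle identifier and has to be looked up and deleted under that same tag from then on) or point at documentation on IosSigningKeyConfiguration.tagOverride, so the escape hatch is not used casually. The two interpolations in the Pair also differ in shape (`"$PREFIX_PRIVATE_KEY$bundleId"` versus `"$PREFIX_PUBLIC_KEY-$bundleId"`); keep them symmetric so the separator lives in exactly one place.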
Preserve the existing default public-key tag
This constructs the default public-key tag as supreme.publickey--<bundleId> because PREFIX_PUBLIC_KEY already ends with -, whereas previous releases used supreme.publickey-<bundleId>. After upgrading, keys created under the old default tag can no longer be found or deleted by the new getPublicKey/metadata/delete queries, which breaks existing iOS keychain entries.
@gp-iaik enjoy!