Skip to content

fix(mobile): configure iOS Keychain access group#3665

Open
VedankPurohit wants to merge 3 commits into
pingdotgg:mainfrom
VedankPurohit:fix/mobile-ios-keychain-access-group
Open

fix(mobile): configure iOS Keychain access group#3665
VedankPurohit wants to merge 3 commits into
pingdotgg:mainfrom
VedankPurohit:fix/mobile-ios-keychain-access-group

Conversation

@VedankPurohit

@VedankPurohit VedankPurohit commented Jul 2, 2026

Copy link
Copy Markdown

Summary

  • Adds explicit iOS Keychain access-group configuration for mobile app variants.
  • Covers the development bundle identifier with a small Expo config regression test.
  • Keeps credential storage on SecureStore; no insecure fallback storage is added.

The mobile app stores connection credentials through expo-secure-store, which uses the iOS Keychain. During iOS simulator pairing, SecureStore previously failed with:

Calling the 'getValueWithKeyAsync' function has failed
A required entitlement isn't present.

The Expo iOS config did not explicitly declare a bundle-scoped Keychain access group. This adds $(AppIdentifierPrefix)<bundle identifier> for each app variant.

Test plan

  • vp run --filter @t3tools/mobile test -- app.config.test.ts
  • vp run typecheck
  • vp run lint:mobile
  • vp check
  • Built and installed the native iOS simulator app, paired with a local server, then relaunched and confirmed the saved environment loaded.

Notes

This app uses Expo native tooling/dev-client style builds, not Expo Go.

On this Xcode simulator setup, the installed simulator app still reports empty embedded entitlements because Xcode reports ENTITLEMENTS_ALLOWED = NO. The runtime pairing and SecureStore read-back flow was validated successfully.


Note

Low Risk
Expo iOS build/signing configuration only; no changes to credential storage logic or APIs.

Overview
Adds an explicit Keychain access groups iOS entitlement in app.config.ts, set to $(AppIdentifierPrefix) plus each variant’s iosBundleIdentifier, so native builds include the entitlement expo-secure-store needs.

This targets the simulator/runtime error where SecureStore reads failed with “A required entitlement isn’t present” because no bundle-scoped access group was declared in the Expo iOS config.

Reviewed by Cursor Bugbot for commit f368d56. Bugbot is set up for automated code reviews on this repo. Configure here.

Note

Add keychain-access-groups entitlement to iOS builds

Adds ios.entitlements to app.config.ts with a keychain-access-groups entry set to $(AppIdentifierPrefix)<bundleIdentifier>. This configures the app to participate in the correct iOS keychain access group at runtime.

Macroscope summarized f368d56.

This keeps development iOS builds aligned with the bundle-scoped Keychain
storage used by SecureStore during local simulator pairing.
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 18b0451b-395b-4fa0-a80e-0caf2a10d90d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added vouch:unvouched PR author is not yet trusted in the VOUCHED list. size:XS 0-9 changed lines (additions + deletions). labels Jul 2, 2026
@macroscopeapp

macroscopeapp Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Approvability

Verdict: Approved

This is a standard iOS configuration change adding keychain-access-groups entitlement with the app's own bundle identifier. The change is declarative, follows standard patterns, and poses minimal risk.

You can customize Macroscope's approvability policy. Learn more.

@VedankPurohit

Copy link
Copy Markdown
Author

Context for the human review flagged above: the declared group $(AppIdentifierPrefix)<bundle identifier> is each app variant's own default Keychain access group, so this doesn't broaden access — it makes the implicit default explicit so SecureStore's Keychain calls stop failing during simulator pairing. The widget extension target only uses an App Group (com.apple.security.application-groups) and has never declared Keychain sharing, so no other target's access changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size:XS 0-9 changed lines (additions + deletions). vouch:unvouched PR author is not yet trusted in the VOUCHED list.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants