Secure storage crashes with: "A required entitlement isn't present" on MacOS
secure storage crashes with the message on MacOS:
PlatformException(Unexpected security result code, Code: -34018, Message: A required entitlement isn't present., -34018, null)
It works fine in debug mode so it's likely an issue with the release entitlements. I followed the guide and added the keychain-access-groups in the macos/Runner/Release.entitlements and DebugProfile.entitlements:
<key>keychain-access-groups</key>
<array>
<string>$(AppIdentifierPrefix)com.company.myapp.basis-keychain</string>
</array>
I'm then initialising secureStorage with:
const secureStorage = FlutterSecureStorage(
mOptions: MacOsOptions(groupId: 'basis-keychain'),
);
When I then call the following I get the PlatformException.
secureStorage.write(key: 'some_key', value: 'some_value');
What could be the issue?
Thanks!
Environment: MacOS 15.0.1
Flutter doctor:
[!] Flutter (Channel stable, 3.24.3, on macOS 15.0.1 24A348 darwin-arm64, locale en-GB)
• Flutter version 3.24.3 on channel stable at /opt/flutter
! Warning: `dart` on your path resolves to /opt/homebrew/Cellar/dart/3.5.3/libexec/bin/dart, which is not inside your current Flutter SDK checkout at /opt/flutter. Consider adding /opt/flutter/bin to the front of your
path.
• Upstream repository https://github.com/flutter/flutter.git
• Framework revision 2663184aa7 (4 weeks ago), 2024-09-11 16:27:48 -0500
• Engine revision 36335019a8
• Dart version 3.5.3
• DevTools version 2.37.3
• If those were intentional, you can disregard the above warnings; however it is recommended to use "git" directly to perform update checks and upgrades.
[✓] Android toolchain - develop for Android devices (Android SDK version 34.0.0)
• Android SDK at /Users/konstantinrr/Library/Android/sdk
• Platform android-34, build-tools 34.0.0
• ANDROID_HOME = /Users/konstantinrr/Library/Android/sdk
• Java binary at: /Applications/Android Studio.app/Contents/jbr/Contents/Home/bin/java
• Java version OpenJDK Runtime Environment (build 17.0.10+0-17.0.10b1087.21-11572160)
• All Android licenses accepted.
[✓] Xcode - develop for iOS and macOS (Xcode 16.0)
• Xcode at /Applications/Xcode.app/Contents/Developer
• Build 16A242d
• CocoaPods version 1.15.2
[✓] Chrome - develop for the web
• Chrome at /Applications/Google Chrome.app/Contents/MacOS/Google Chrome
[✓] Android Studio (version 2023.3)
• Android Studio at /Applications/Android Studio.app/Contents
• Flutter plugin can be installed from:
🔨 https://plugins.jetbrains.com/plugin/9212-flutter
• Dart plugin can be installed from:
🔨 https://plugins.jetbrains.com/plugin/6351-dart
• Java version OpenJDK Runtime Environment (build 17.0.10+0-17.0.10b1087.21-11572160)
[✓] VS Code (version 1.83.1)
• VS Code at /Applications/Visual Studio Code.app/Contents
• Flutter extension version 3.98.0
[✓] Connected device (4 available)
• iPhone (mobile) • 00008101-001E4D201145001E • ios • iOS 18.0.1 22A3370
• macOS (desktop) • macos • darwin-arm64 • macOS 15.0.1 24A348 darwin-arm64
• Mac Designed for iPad (desktop) • mac-designed-for-ipad • darwin • macOS 15.0.1 24A348 darwin-arm64
• Chrome (web) • chrome • web-javascript • Google Chrome 129.0.6668.91
[✓] Network resources
• All expected network resources are available.
! Doctor found issues in 1 category.
I also tried leaving groupId empty and not defining any keychain-access-groups as defined in the documentation here. But that also doesn't work.
I have the exact same issue, and I've also tried to follow the documentation to a point without success. This is only an issue in release mode where the app simply crashes when trying to open it.
I'm seeing this too and so far haven't been able to find a fix. It does seem to be an exception you can catch and log though so the app can keep running.
Set "NO" in CODE_SIGN_INJECT_BASE_ENTITLEMENTS in Project Runner Build Setting.
Set "--timestamp" in OTHER_CODE_SIGN_FLAGS in Project Runner Build Setting.
codesign --force --options runtime --timestamp -s 'Developer ID Application: HiMyTeam (DJ333BY)' --deep --strict --preserve-metadata=entitlements "desire path of framework or build that you want to resign " -vvv
You can check the error log when notarizing your app: `xcrun notarytool log 7d4d4c0a-65dc-4112-b2c2-686c5e0d9296 --key macos/key.p8 --key-id "keyid" --issuer "issuer_id"`
Or just use Developer ID Application provision profile for release build, so that you don't need to redo the codesigning.
Follow this documentation for notarization.
It looks like the --preserve-metadata=entitlements flag to codesign was the thing I was missing. Without that codesign seems to strip the entitlements from the build.
Ok actually --preserve-metadata=entitlements kept the entitlements but then the app wouldn't run.
What seems to have worked is this flag: --entitlements macos/Runner/Release.entitlements.
Oh I see, when I build with flutter build macos --release the entitlement is already included. So the --preserve-metadata=entitlements flag is used for my third-party framework.
If we are re-signing the whole .app contents, then yes, --entitlements macos/Runner/Release.entitlements is the correct one.
However after making this change I had some issues with getting the Sparkle update to work correctly so I'm still trying to figure out what I need to do to make that work.
- Init your storage, something like this without options:
FlutterSecureStorage storage = const FlutterSecureStorage();
- In Xcode add yourself as a developer in
Runner -> Signing & Capabilities -> Team
- Inside your project add fields to files
macos/Runner/DebugProfile.entitlements and macos/Runner/Release.entitlements like this:
<key>keychain-access-groups</key>
<array>
<string>$(AppIdentifierPrefix)here-is-keychain-group</string>
</array>
That works for me.
I have updated the documentation on both macos and iOS to show this explanation.
Not working.
Always returns error: PlatformException(Unexpected security result code, Code: -34018, Message: A required entitlement isn't present., -34018, null)
I just tried the latest beta version, can confirm it's not working as well.
- It works when I run the debug version
- It works when I build it using
flutter build macos --release
- It stops working when I run this code-signing process on the
.app file:
echo "Signing main application binary..."
codesign --force \
--entitlements "Runner/Release.entitlements" \
--sign "$DEVELOPER_ID" \
--timestamp "${APP_PATH}/Contents/MacOS/Runner"
echo "Signing complete application bundle..."
codesign --force \
--sign "$DEVELOPER_ID" \
--timestamp "$APP_PATH"
The app opens, but says PlatformException(Unexpected security result code, Code: -34018, Message: A required entitlement isn't present., -34018, null).
I tried adding the --preserve-metadata=entitlements to each and both, the app can't be run at all then.
I tried having these 3 options in the entitlement file:
<key>keychain-access-groups</key>
<array/>
<key>keychain-access-groups</key>
<array>
<string>ABCDEF1234.com.myapp.name</string>
</array>
<key>keychain-access-groups</key>
<array>
<string>$(AppIdentifierPrefix)com.myapp.name</string>
</array>
none of which worked.
My application is meant to be distributed without AppStore, and is not sandboxed. The Hardened runtime is enabled.
Same Error PlatformException(Unexpected security result code, Code: -34018, Message: A required entitlement isn't present., -34018, null)
When you use flutter build macos --release, check your signature: codesign -dv --verbose=4 ../Release/Some.app
You will see the signing certificate is different from the one you want to use. When you try to force-sign the build like below, Apple doesn't allow modifying the build with a signature again when it used secure storage.
codesign --force \
--sign "$DEVELOPER_ID" \
--timestamp "$APP_PATH"
The workaround is to use your Developer ID Application certificate in Xcode directly. When you call flutter build macos --release, it will use the correct certificate and you don't need to re-sign the whole app build.
@drunisa007 What does "The workaround is use your Developer ID Application certificate in xcode directly" mean? Can you tell me more detailed steps?
@shanelau
- Generate provision profile from Appstore connect.
- Use the provision profile in Runner Release Section of Xcode.
"It stops working when I run this code-signing process on the .app file:"
In my case, I cannot sign the .app again after (flutter build macos --release), that's why I am saying to use the provision profile directly so that we don't need to do the signing process on the whole .app folder.
Even though we cannot sign the $ROOT/build/macos/Build/Products/Release/HelloHQStg.app folder again, we can sign other third-party frameworks like below.
codesign --force --options runtime --timestamp -s "$MACOS_SIGN_NAME" --deep --strict --preserve-metadata=entitlements "$ROOT/build/macos/Build/Products/Release/HelloHQStg.app/Contents/Frameworks/Sparkle.framework" -vvv
But if you want to sign the whole .app folder like in this case => (https://github.com/juliansteenbakker/flutter_secure_storage/issues/804#issuecomment-2477776674)
@milesegan said it works. I haven't tested it yet.
codesign --force --options runtime --timestamp -s 'Developer ID Application: HiMyTeam (DJ333BY)' --deep --strict \
--entitlements macos/Runner/Release.entitlements "$ROOT/build/macos/Build/Products/Release/HelloHQStg.app" -vvv
@drunisa007 Actually I started having issues with it randomly in production so I just gave up on it for now.
I resolved the issue.
The type of profile is very important. The previous error was likely because I used the wrong signing certificate.
I reapplied for a Developer ID Application profile, turned off Automatic Manage Signing in Xcode, and selected the newly created profile.
Just got hit by this again, but was able to solve by adding explicit keychain group name in the entitlement, e.g.:
<key>keychain-access-groups</key>
<array>
<string>$(AppIdentifierPrefix)com.example.foobar</string>
</array>
Where com.example.foobar is the bundle id of my app.
Note that I'm codesigning my app in CI and using Developer ID provisioning profile and certificate.
UPDATE: Actually due to the way I codesign my app in Github Actions I can't use any parametrized values in entitlements so have to hardcode the team id instead of using ${AppIdentifierPrefix} above. So:
<key>keychain-access-groups</key>
<array>
<string>123ABC897RDE8.com.example.foobar</string>
</array>
Where 123ABC897RDE8 is your team id.
I suspect this should be true for anyone who tries calling codesign with --entitlements path/to/Release.entitlements.
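The substitution described in the comment above, as an added example that is not part of the thread: it writes a copy of the entitlements file with `$(AppIdentifierPrefix)` replaced by the team ID plus a dot, then checks that no keychain group still contains an unexpanded build variable before the file is handed to `codesign --entitlements`. The function names and the `Resolved.entitlements` file name are hypothetical; the sample plist is constructed from the values quoted in the thread.

```sh
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Print each keychain-access-groups entry, one per line.
# Assumes Xcode's usual layout of one plist element per line.
keychain_groups() {
  awk '
    /<key>keychain-access-groups<\/key>/ { in_key = 1; next }
    in_key && /<\/array>|<array\/>/      { in_key = 0 }
    in_key && match($0, /<string>.*<\/string>/) {
      print substr($0, RSTART + 8, RLENGTH - 17)
    }' "$1"
}

# Copy $1 to $3 with $(AppIdentifierPrefix) replaced by "<team id>.".
render_entitlements() {
  case "$2" in
    ''|*[!A-Za-z0-9]*) echo "invalid team id: $2" >&2; return 2 ;;
  esac
  sed 's/[$](AppIdentifierPrefix)/'"$2"'./g' "$1" > "$3"
}

# Fail if a keychain group still holds an unexpanded build variable.
check_entitlements() {
  bad=$(keychain_groups "$1" | grep -F -e '$(' -e '${' || true)
  if [ -n "$bad" ]; then
    printf 'unexpanded build variable: %s\n' "$bad" >&2
    return 1
  fi
}

# Constructed sample using the entitlement and team ID quoted in the thread.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/Release.entitlements" <<'EOF'
<dict>
  <key>keychain-access-groups</key>
  <array>
    <string>$(AppIdentifierPrefix)com.example.foobar</string>
  </array>
</dict>
EOF
  check_entitlements "$tmp/Release.entitlements" || echo "source file needs rendering"
  render_entitlements "$tmp/Release.entitlements" 123ABC897RDE8 "$tmp/Resolved.entitlements"
  check_entitlements "$tmp/Resolved.entitlements" && keychain_groups "$tmp/Resolved.entitlements"
  rm -rf "$tmp"
}
demo
```

In a CI job the rendered file, rather than the checked-in `Release.entitlements`, would be the one passed to `codesign --entitlements`.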
⚠️ This issue has been marked as stale because it has been open for 60 days with no activity.
If this issue is still relevant, please comment to keep it active. Otherwise, it will be closed in 60 days.
❌ This issue has been closed because it remained inactive for 60 days after being marked as stale.
Hello, I have the same issue. Did anyone find how to solve that?
That works for me.