FB9849545 — iOS & iPadOS: CTK extension stops working when installing via TestFlight until reboot

Basic Information

Please provide a descriptive title for your feedback:

CTK extension stops working when installing via TestFlight until reboot

Which area are you seeing an issue with?

Security Framework

What type of feedback are you reporting?

Incorrect/Unexpected Behavior

Description

Please describe the issue and what steps we can take to reproduce it:

When using TestFlight to test a new version of the app in the App Store, installing the app with a CTK extension breaks the CTK extension, and any apps using SecItemCopyMatching with the com.apple.token entitlement can no longer see the certificates inserted by the CTK extension. Rebooting resolves the issue.

To replicate:

1. Clone this sample app:

https://bitbucket.org/twocanoes/isigningapp/src

2. Run and install on an iOS device.

3. Tap Insert Config to insert a CTK persistent token config.

4. Tap Read Config to see that the date and subject name of the inserted config are shown.

5. Upload a new build of the same app to TestFlight.

6. Install build onto the same iOS device and agree when it says that the app is already installed.

Expected behavior: when tapping “read config”, the date and subject name should show the inserted certificate.

What happens: No certificates are shown. CTK persistent configurations cannot be removed, inserted or read until a reboot. Even reinstalling the version from Xcode does not resolve the issue, nor does uninstalling/reinstalling either the Xcode version or the version from TestFlight.

The log shows this error:

com.twocanoes.iSigningApp.iSigniningAppToken failed to resolve requestIdentifier 5BC95310-77A5-4CC4-979E-400BED65E252 to context

This happens when my customers try a TestFlight build after installing the released version from the App Store. I now check to see if there are no inserted identities and warn the user to reboot the device, but this does not provide a very good user experience.

I am also not sure if this happens when the app is updated in the App Store to a newer version. I have not had any reports of this happening, but it seems to be a similar scenario. However, installing new builds from Xcode works. Also, deleting and reinstalling from TestFlight does not break it either. There seems to be an issue installing from a different source than was originally installed after the last reboot.

All ctkd events when certificates are attempted to be read:

34517 ctkd 22:56:58.254393-0600 default 154: 0x3854 com.apple.PlugInKit discovery [d <private>] <PKHost:0x151f06490> Beginning discovery for flags: 1024, point: com.apple.ctk-tokens

34517 ctkd 22:56:58.312819-0600 default 154: 0x3854 com.apple.PlugInKit discovery [d <private>] <PKHost:0x151f06490> Completed discovery. Final # of matches: 3

34518 ctkd 22:56:58.313458-0600 default 154: 0x3854 com.apple.PlugInKit discovery [d <private>] <PKHost:0x151f06490> Beginning discovery for flags: 1024, point: com.apple.ctk-tokens

34518 ctkd 22:56:58.372988-0600 default 154: 0x3854 com.apple.PlugInKit discovery [d <private>] <PKHost:0x151f06490> Completed discovery. Final # of matches: 3

34520 ctkd 22:56:58.395829-0600 default 154: 0x3854 com.apple.PlugInKit discovery [d <private>] <PKHost:0x151f06490> Beginning discovery for flags: 1024, point: com.apple.ctk-tokens

34520 ctkd 22:56:58.410036-0600 default 154: 0x3854 com.apple.PlugInKit discovery [d <private>] <PKHost:0x151f06490> Completed discovery. Final # of matches: 1

34521 ctkd 22:56:58.410389-0600 default 154: 0x3854 com.apple.PlugInKit discovery [d <private>] <PKHost:0x151f06490> Beginning discovery for flags: 1024, point: com.apple.ctk-tokens

34521 ctkd 22:56:58.567539-0600 default 154: 0x3854 com.apple.PlugInKit discovery [d <private>] <PKHost:0x151f06490> Completed discovery. Final # of matches: 3

34523 ctkd 22:56:58.586249-0600 default 154: 0x3854 com.apple.PlugInKit discovery [d <private>] <PKHost:0x151f06490> Beginning discovery for flags: 1024, point: com.apple.ctk-tokens

34523 ctkd 22:56:58.642400-0600 default 154: 0x3854 com.apple.PlugInKit discovery [d <private>] <PKHost:0x151f06490> Completed discovery. Final # of matches: 1

34524 ctkd 22:57:00.743010-0600 default 154: 0x3854 com.apple.PlugInKit discovery [d <private>] <PKHost:0x151f06490> Beginning discovery for flags: 1024, point: com.apple.ctk-tokens

34524 ctkd 22:57:00.744085-0600 default 154: 0x3854 com.apple.PlugInKit discovery [d <private>] <PKHost:0x151f06490> Completed discovery. Final # of matches: 1

58890 ctkd 22:57:00.789257-0600 error 154: 0x3854 com.apple.CryptoTokenKit tokenhost com.twocanoes.iSigningApp.iSigniningAppToken failed to resolve requestIdentifier 3E3607C6-27B8-48F0-970A-3072397B5055 to context
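
The check-and-warn workaround mentioned in the description could look like the following. This is an added example, not code from the feedback report or the sample app; the names TokenIdentityState, tokenIdentityState and shouldSuggestReboot, and the configWasInserted flag the caller is assumed to persist, are hypothetical.

```swift
import Foundation
import Security

/// Result of probing the keychain for identities published by CryptoTokenKit tokens.
enum TokenIdentityState {
    case available(count: Int)   // at least one token-backed identity is visible
    case none                    // query succeeded or returned "not found": nothing visible
    case error(OSStatus)         // the keychain query itself failed
}

/// Queries identities in the token access group ("com.apple.token").
/// The calling app needs that group in its keychain-access-groups entitlement.
func tokenIdentityState() -> TokenIdentityState {
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecAttrAccessGroup as String: kSecAttrAccessGroupToken,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnAttributes as String: true
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        let items = result as? [[String: Any]] ?? []
        return items.isEmpty ? .none : .available(count: items.count)
    case errSecItemNotFound:
        return .none
    default:
        return .error(status)
    }
}

/// Assumed policy: suggest a reboot only when the app knows it previously
/// inserted a token configuration and no token identity is visible now.
/// Other keychain errors are left to the caller and do not trigger the prompt.
func shouldSuggestReboot(configWasInserted: Bool) -> Bool {
    guard configWasInserted else { return false }
    switch tokenIdentityState() {
    case .none:
        return true
    case .available, .error:
        return false
    }
}
```

Gating on configWasInserted keeps the reboot prompt from appearing on a fresh install where no configuration has been inserted yet.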