FB9876464: CryptoTokenKit extension stops working when replacing container app until reboot

FB9876464 — iOS & iPadOS

Basic Information

Please provide a descriptive title for your feedback:

CryptoTokenKit extension stops working when replacing container app until reboot

Which area are you seeing an issue with?

Security Framework

What type of feedback are you reporting?

Incorrect/Unexpected Behavior


Please describe the issue and what steps we can take to reproduce it:

When doing development on our CTK apps, the extension stops working commonly when a new build is installed on a device. This can be from Xcode, testflight, and might even happen when the app is updated from the app store.

To replicate the error:


Xcode Version 13.2.1 (13C100)

MacBook Pro (16-inch, 2019) 12.1 (21C52)

iPad Air 2 with iOS 15.2.1

iSigning App. Simple iOS app that has the template code for the CTK extension and inserts a CTK config using a certificate in the container app. It then does a search using SecItemCopyMatching to find the inserted cert.

Steps to replicate:

1. (optional) Setup iPad by Erase all contents and settings. Go through setup assistant, join WiFi. No need to enter AppleID or transfer data.

2. clone git repo at https://bitbucket.org/twocanoes/isigningapp/src/master/

3. Plug in iPad, and run app on iPad.

4. Once app is running, tap insert config. Insert Config inserts a certificate as a token using addTokenConfiguration:for:.

5. Tap Read Config. This will use the keychain api (SecItemCopyMatching) to read the inserted config and print it out. You may get prompted to allow token access. Approve this access.

6. Stop the app in Xcode by pressing the stop button.

7. Run again by pressing run in Xcode to run the app on the device.

8. Press read config. No config will be printed. (if it is printed, try stopping and running again).

9. Verify error messages like these (“failed to resolve requestIdentifier”) are shown in log (filter on ctkd):

134825 ctkd 18:18:37.176469-0600 debug 205: 0x25087 com.apple.CryptoTokenKit tokenhost returning 1 extensions (1 enumerated) (filter classid=com.twocanoes.iSigningApp.iSigniningAppToken)134825 ctkd 18:18:37.176625-0600 debug 205: 0x25087 com.apple.CryptoTokenKit tokenhost <tkid:com.twocanoes.iSigningApp.iSigniningAppToken:Feitian2>: acquiring134825 ctkd 18:18:37.176774-0600 error 205: 0x25087 com.apple.CryptoTokenKit tokenhost com.twocanoes.iSigningApp.iSigniningAppToken failed to resolve requestIdentifier 4524A2F5- 5C75-4D3C-BC7B-7BE3BB9EA627 to context

10. Verify you can’t see the cert in WiFi, VPN. Try lots of things to get it to come back. It will not come back.

11. Reboot iPad.

12. Open App by tapping it, and tap Read config

13. Verify certificate shows.

14. Insert, remove and print as many times are you like. It will work fine.

15. Running in Xcode again to show that it breaks the token once again until reboot.

16. Shake fist at clouds.

This is related to FB9849545 but happens not just in with TestFlight but in Xcode as well.