Secure Storage not working on .NET MAUI Mac Catalyst – Launch failed with RBSRequestErrorDomain Code=5

[Sgudipu]

Description

When attempting to use Secure Storage in a .NET MAUI app targeting Mac Catalyst, the application fails to launch with the following error:
The application cannot be opened for an unexpected reason, error=Error Domain=RBSRequestErrorDomain Code=5 "Launch failed."
UserInfo={NSLocalizedFailureReason=Launch failed.,
NSUnderlyingError=0x122205be0 {Error Domain=NSPOSIXErrorDomain Code=153 "Unknown error: 153"
UserInfo={NSLocalizedDescription=Launchd job spawn failed}}}

Steps to Reproduce

1. Create a new .NET MAUI project.
2. Implement Secure Storage functionality.
3. Add the required entitlements in entitlements.plist

<dict>
	<key>keychain-access-groups</key>
	<array>
		<string>com.companyname.securestoragemaui</string>
	</array>

4. Configure the project for Mac Catalyst.

  <PropertyGroup Condition="'$(Configuration)|$(TargetFramework)|$(Platform)'=='Debug|net8.0-maccatalyst|AnyCPU'">
  <CodesignEntitlements>Platforms\MacCatalyst\Entitlements.plist</CodesignEntitlements>
</PropertyGroup>

5. Run the app in Debug mode. I followed the official documentation for configuring Secure Storage on Mac Catalyst. [https://learn.microsoft.com/en-us/dotnet/maui/mac-catalyst/entitlements?view=net-maui-9.0].

Link to public reproduction project repository

No response

Version with bug

10.0.0-preview.4

Is this a regression from previous behavior?

Not sure, did not test other versions

Last version that worked well

No response

Affected platforms

macOS

Affected platform versions

MAUI Mac catalyst

Did you find any workaround?

No response

Relevant log output

[jsuarezruiz]

Can you share a small sample where reproduce the issue or paste your Entitlements Configuration?

[Sgudipu]

Hi @jsuarezruiz. Please find the below code I am unable to upload the sample it shows its failing. please find the below code and configuration.

1.Entitlements.plist inside code

`

keychain-access-groups com.companyname.securestoragemaui ` 2. I mentioned in project file like below as per Microsoft documentation. ` Platforms\MacCatalyst\Entitlements.plist ` 3. its code behind code its `private async void Save(object sender, EventArgs e) { string savedToken = SaveToken.Text; if (!string.IsNullOrEmpty(savedToken)) { await SecureStorage.Default.SetAsync("oauth_token", savedToken); SaveToken.Text = string.Empty; await DisplayAlert("SAVED", "Token saved", "Ok"); } else { await DisplayAlert("ERROR", "Please enter the token", "Ok"); } }`

[jfversluis]

A couple of things:

• .NET 8 for .NET MAUI is now officially out of support, if you are using that, please update to .NET 9 and see if it then works
• In the initial report you mention .NET 10 as the version you are using. Whether you are using .NET 9 or 10, in both cases the Condition on the PropertyGroup node to include the Entitlements.plist file is incorrect since it explicitly lists .NET 8.
• I don't think you need to include the Entitlements.plist file like that in your csproj file at all. Just having the file in Platforms/MacCatalyst should be enough

Double-check if your Entitlements.plist actually ends up in your app bundle and that it is configured correctly.

[Sgudipu]

@jfversluis I have created the .Net 9.0 and fallowed the Microsoft document for configure the Entitlements.plist and run the App but still I am getting the same Error but same setup working in IOS only problem with Mac catalyst

Entitlements.plist

If you need any Info please let me know.

[jfversluis]

The $(AppIdentifierPrefix) in your Entitlements.plist seems a bit weird?

[Sgudipu]

Hi @jfversluis, Could you please help me understand what might be wrong with this? Please see the screenshot below. I followed the reference provided.

I have tried like this way also but still getting the same error.

<dict> <key>keychain-access-groups</key> <array> <string>com.companyname.mauisecurestoragemac</string> </array>
Could you please help me to resolve this issue.

[sumowesley]

I spent yesterday evening trying to get this to work with no joy. I'll have another go over the weekend and document what I find. I didn't want anybody thinking this was an isolated report.

[sumowesley]

I did get it working. Here are the notes:

Background

I haven't been able to get this to work for some time and it's been bugging me. So, while the below is not likely to be the most elegant approach, it did work. I tried this on a test application created from scratch and then on my main application where I want this to work.

Headline

• I did my all my work on the Mac
  • Dotnet 9.0.203
• You will need a different provisioning profile for Mac Catalyst development if you wish to use Secure Storage.
• I've now tried my main app on Mac, iOS, Android and Windows where it runs the test code I show below.

Gotchas (be aware)

• AI (I used ChatGPT through Rider) will fixate with the suffix on your certificate. This costed me a few hours of back and forth. I was on the verge of removing a working certificate before I checked something to see the contents of a Provisioning profile and my Team Id was embedded within it.
  • The suffix on the development certificate does not necessarily correspond with your Team ID on Apple. Some certificates, particularly for distribution do tend to have the Team ID as the suffix.
  • I wasn't initially bothered about getting secured storage shared between applications as my only desire is to have Secure Storage working for my app. However, I couldn't stop and leave the group thing unexplored, so that's what I've ended up with.

Actions

App Developer Portal

• Go to Profiles
• Create new profile (plus key)
  • macOS App Development
  • Profile Type: Mac Catalyst
  • Choose App ID
  • Choose the correct development certificate
    • Be warned - Team ID not necessarily as suffix on your certificate as explained earlier
  • Choose the Mac device from device list
  • Download the provisioning profile
    • it will be a .provisionprofile file and NOT a .mobileprovision
    • I prefer not to download to the final destination

Copying the file

• You need to copy the file you downloaded into '~/Library/MobileDevice/Provisioning Profiles'. It can retain the original file name.
  • make sure Xcode is closed when you copy - mine wouldn't copy while Xcode was open.
  • Check the file is intact:
    • you can execute this command from the terminal:

security cms -D -i YourApp.provisionprofile

or

security cms -D -i <PathToYourApp>/YourApp.provisionprofile

You should see lots of information you recognise.

Your Code

I have JetBrains Rider as my development environment on the Mac. I will try to show code where I can to avoid variations of development software environment.

YourApp.csproj

There are several changes to make in the .csproj file. Note that I'm concentrating on the development process. There will be something similar for your release cycle but I don't know what that is yet.

Notes

• I'm targeting .net 9.0. You may have to adjust if you're doing something different.
• The place for keys and profiles are placeholders only and you will have to put your information in there.
• I'd urge you to test on both iOS and Mac Catalyst whenever you need to run your application. I know this is about Mac Catalyst, but you don't want to ignore the iOS elements and assume they work.

1. Target the new profile

It's import to separate the iOS provisioning from that of Mac Catalyst. I'm sure you will adapt accordingly over time, but I start with this on a test application:

    <PropertyGroup Condition="'$(TargetFramework)'=='net9.0-ios'">
        <CodesignKey>Apple Development: Created via API (2********Z)</CodesignKey>
        <CodesignProvision>PortableStorageApp Development</CodesignProvision>
    </PropertyGroup>

    <PropertyGroup Condition="'$(TargetFramework)'=='net9.0-maccatalyst'">
        <CodesignKey>Apple Development: Created via API (2********Z)</CodesignKey>
        <CodesignProvision>PortableStorageApp Development (Mac)</CodesignProvision>
    </PropertyGroup>

Try running the application now on your Mac. I have no hard and fast suggestions but I tend to Clean and then Build the solution before doing anything else.

If that isn't working (you have errors), I've also had to remove the project's bin and obj directories. However if I've deleted bin and obj, I've also had to do the below command from inside the project directory (not solution) following the removal of those directories. I wish I could spot the pattern of when it works, but I have nothing so far. I should also point out that AI will suggest removing bin and obj at the drop of a hat. I didn't have to remove them for the whole process when applying this to my main application.

dotnet restore

Next, you need to reference to two Entitlements.plist files (one for iOS and one for Mac Catalyst). THEY MUST EXIST TO GO ANY FURTHER.

In your .csproj, add this:

    <PropertyGroup Condition="'$(TargetFramework)' == 'net9.0-ios'">
        <Entitlements>Platforms/iOS/Entitlements.plist</Entitlements>
    </PropertyGroup>

    <PropertyGroup Condition="'$(TargetFramework)' == 'net9.0-maccatalyst'">
        <Entitlements>Platforms/MacCatalyst/Entitlements.plist</Entitlements>
    </PropertyGroup>

They can probably go in without change.

Entitlements.plist

This proved very difficult, made harder by an AI suggesting several things at once to make things work. Here are public facing versions of the file for my projects.

iOS

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <!-- See https://aka.ms/maui-publish-app-store#add-entitlements for more information about adding entitlements.-->
  <dict>
    <key>keychain-access-groups</key>
    <array>
      <string>3********C.uk.co.yourdomain.YourApp</string>
    </array>
  </dict>
</plist>

Mac Catalyst

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <!-- See https://aka.ms/maui-publish-app-store#add-entitlements for more information about adding entitlements.-->
    <dict>
        <!-- App Sandbox must be enabled to distribute a MacCatalyst app through the Mac App Store. -->
        <key>com.apple.security.app-sandbox</key>
        <true/>
        <!-- When App Sandbox is enabled, this value is required to open outgoing network connections. -->
        <key>com.apple.security.network.client</key>
        <true/>

        <key>keychain-access-groups</key>
        <array>
            <string>3********C.uk.co.yourdomain.YourApp</string>
        </array>
    </dict>
</plist>

In terminal, navigate to the directory for the compiled application. In my case, that's here in relative terms from the Application. It will be different in you're on an Intel chip device.

bin/Debug/net9.0-maccatalyst/maccatalyst-arm64

Once in that directory, you can execute this command:

codesign -d --entitlements - YourApp.app

This will show the entitlements associated with YourApp. The output will be similar to this (some comments and anonymisation in this sample - I've hidden most of my Team ID, for example):

  [Key] com.apple.application-identifier
  [Value]
    [String] 3********C.uk.co.yourdomain.YourApp
  [Key] com.apple.developer.team-identifier
  [Value]
    [String] 3********C
  [Key] com.apple.security.app-sandbox
  [Value]
    [Bool] true
  [Key] com.apple.security.network.client
  [Value]
    [Bool] true
  [Key] get-task-allow
  [Value]
    [Bool] true
  [Key] keychain-access-groups
  [Value]
    [Array]
      [String] 3********C.uk.co.yourdomain.YourApp

It's time to try your application again.

SecureStorage code

I got very lazy with this so put my immediate test code into App.xaml.cs.

Quick test

I wanted something very quick before I tried loading my service that used SecureStorage I'd written some months ago. Here is a one liner as a start. At the end of the constructor of App.xaml.cs, add this line:

SecureStorage.Default.Remove("not_there");

It doesn't matter that the key does no exist. You just want it to run the line to prove it can access SecureStorage without error. Remove the line when you're ready to do the below.

Longer test

Try adding this at the end of the constructor and stepping through the code to make sure it writes, reads and removes an entry. Don't forget to remove it when you have it working.

  Task.Run(async () =>
  {
      await SecureStorage.Default.SetAsync("testKey", "testValue");
      var value = await SecureStorage.Default.GetAsync("testKey");
      SecureStorage.Default.Remove("testKey");
  }).Wait();

Conclusion

I wish it was easier and I expect it to be less fraught when it comes to do it for production/distribution.

Also, my apologies for typos and any omissions.

[jfversluis]

Does that help at all @Sgudipu ?

[Sgudipu]

Hi @jfversluis,
I have followed the same steps as mentioned by @sumowesley, but I am still encountering issues when I run the app. Currently, I am revoking all certificates and creating again from scratch. I will verify everything and update you once I have checked.

[Sgudipu]

Hi @sumowesley, Could you please confirm if this issue is caused by either an incorrect or missing keychain-access-groups entry in the entitlements.plist, or a mismatch between the app’s bundle identifier/keychain access group and the provisioning profile? I have re created the provisioning profile and verified as you mentiond but still I am getting the same lunch fail issue.

[sumowesley]

Hi @sumowesley, Could you please confirm if this issue is caused by either an incorrect or missing keychain-access-groups entry in the entitlements.plist, or a mismatch between the app’s bundle identifier/keychain access group and the provisioning profile? I have recreated the provisioning profile and verified as you mentioned, but still I am getting the same lunch fail issue.

@Sgudipu , I think it's better to think of it as many things needing to align before it will work. If you've worked through my list, at what stage does the application fail? There several places where you can launch the application. How early does it fail?