I'm having a problem with some KeyChain code causing archives created via xcodebuild to crash when distributed as ad-hoc apps and run on a device. The problem does not affect builds created via Xcode -- only those created via command line.

The code that is throwing the error: (I'm using a KeyChain library found here)

KeychainItemWrapper *keychain = [[KeychainItemWrapper alloc] initWithIdentifier:@"myapp" accessGroup:nil];
NSString *testKeychain = (NSString *)[keychain objectForKey:(__bridge id) kSecAttrAccount];
if (testKeychain.length) {
    NSLog(@"KeyChain value for kSecAttrAccount: %@", testKeychain);
} else {
    NSLog(@"No KeyChain value for kSecAttrAccount");
}
[keychain setObject:@"Shared KeyChain value!" forKey:(__bridge id) kSecAttrAccount]; // <-- error thrown here

The "missing entitlement" error(s)

2012-06-15 10:03:20 AM +0000 securityd MyApp [138] SecItemCopyMatching: missing entitlement
2012-06-15 10:03:20 AM +0000 MyApp No KeyChain value for kSecAttrAccount
2012-06-15 10:03:20 AM +0000 securityd MyApp [138] SecItemCopyMatching: missing entitlement
2012-06-15 10:03:20 AM +0000 securityd MyApp [138] SecItemAdd: missing entitlement
2012-06-15 10:03:20 AM +0000 MyApp *** Assertion failure in -[KeychainItemWrapper writeToKeychain], /Users/davidbjames/XCode/.../KeychainItemWrapper.m:305

Entitlement file:

<key>keychain-access-groups</key>
<array>
    <string>$(AppIdentifierPrefix)$(CFBundleIdentifier)</string>
</array>

The xcodebuild output appears to be handling the entitlement file:

setenv CODE_SIGN_ENTITLEMENTS MyApp/MyApp.entitlements
..
ProcessProductPackaging MyApp/MyApp.entitlements /etc/etc/build/MyApp.xcent
..
builtin-productPackagingUtility /etc/etc/MyApp.entitlements -entitlements -format xml -o /etc/etc/MyApp.xcent

The code functions without error in Simulator, on a debug device and as an ad-hoc distribution. The only issue occurs via command line builds. What am I missing?

This error indicates a problem with your app's entitlements. In my experience, the cause is often that the App Identifier Prefix in the app's entitlements doesn't match the App Identifier Prefix in the provisioning profile.

To verify, use the codesign tool to view your app's entitlements:

codesign -d --entitlements - MyApp.app/

Then, compare the App Identifier Prefix to that in the provisioning profile:

cat MyApp.app/embedded.mobileprovision

After long work, i've found a solution to this issue and modified the floatsign.sh script (https://gist.github.com/mediabounds/1367348) accordingly - the entitlements have to be update like @sglist said. You can find the implementation here: https://gist.github.com/Weptun/5406993

I think this line is wrong:

[[KeychainItemWrapper alloc] initWithIdentifier:@"myapp" accessGroup:nil]

You will want to pass your access group name in there. It may or may not fix your problem, these things are a bit "sensitive".