TEAM ID Prefix Keychain Access

Thanks all for reading my post.

A bit of context: We just finished an app transfer to our developer account. We successfully signed and generated the new release. We were already able to roll it out in TestFlight, where we found an issue.

We store valuable data in the Keychain, like authentication tokens. Once the new app is installed over the old one, we experience a loss of all data because the keychain becomes "untrusted". This is the worst-case scenario for us because all users will immediately lose access to the app and hence to the whole system.

Questions: Is there a way to solve this issue, something like migration of the Keychain data?

We came to know the standard migration path:

Release a version that copies items from the old access groups to a new group based on com.apple.security.application-groups (App Groups). Wait for most users to update and run the migration. Then perform the App ID prefix change. Is this still the best method? Any improvements or new tools available since the 2022 DTS post?

The problem with this is that the app is already on our account, and we might need to roll back the transfer. Right?

How long should we realistically wait for user migration before making the prefix change? Is there a way to measure migration completion?

Thank you in advance!

Answered by DTS Engineer in 882452022

Thanks for bringing this to the forums.

Any improvements or new tools available since the 2022 DTS post?

I’m glad you asked (-:

Recently the App Store Connect folks updated their documentation to describe a technique for transferring app groups between teams. See App Store Connect Help > Transfer an app > Overview of app transfer > Apps using App Groups [1]. Given that, it’s now possible to use an existing technique — using an app group ID as a keychain access group — to preserve keychain access across an app transfer. I’ve just updated App ID Prefix Change and Keychain Access to describe this approach.

Now, this is all very ‘bleeding edge’, and thus it’s possible that you might run into snags. However, it’s certainly an option worth exploring.

We just finished an app transfer to our developer account.

The option I’m describing typically requires that you publish an update to your app from the old team [2], which means you’ll need to transfer your app back, publish that update, wait a bit, and then redo the transfer. You’ll have to balance that hassle against the hassle of requiring all your users to log in again.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Elsewhere on the forums you’ll find older posts from me where I’ve expressed a certain… ah… um… skepticism about this technique. However, I discussed this with various folks internally and the conclusion is that we are going to support it, with the caveats that I called out in my post.

[2] Unless by some random chance you happen to be already storing your keychain items in an AGI keychain access group, and it’s feasible to transfer that app group ID.
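To make the "migration release" step of the path discussed in this thread concrete, here is an added Swift example. It is not code from the thread, from DTS or from Apple, and it assumes a hypothetical app group ID `group.com.example.myapp` and a hypothetical service name `com.example.myapp.auth`; the app group ID must be listed in the app's `com.apple.security.application-groups` entitlement, and the build must still carry its existing keychain access group so it can read the items under the old Team ID prefix. The function copies every generic-password item for the service into the app-group access group, skipping items that are already there so it can run on every launch until the prefix change is done.

```swift
import Foundation
import Security

/// Hypothetical app group ID used directly as a keychain access group.
/// App group IDs carry no Team ID prefix, which is why items stored here
/// survive the App ID prefix change (per the DTS answer above).
let appGroupAccessGroup = "group.com.example.myapp"

enum KeychainMigrationError: Error {
    case osStatus(OSStatus)
}

/// Copies all generic-password items for `service` into `accessGroup`.
/// Without kSecAttrAccessGroup in the query, iOS searches every access group
/// the app can reach, so the old Team-ID-prefixed group is included.
/// Returns the number of items newly written to the target group.
func migrateGenericPasswords(service: String, to accessGroup: String) throws -> Int {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnAttributes as String: true,
        kSecReturnData as String: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return 0 }   // nothing to migrate
    guard status == errSecSuccess else { throw KeychainMigrationError.osStatus(status) }
    guard let items = result as? [[String: Any]] else { return 0 }

    var migrated = 0
    for item in items {
        // Already in the target group: leave it, so repeated runs are idempotent.
        if let group = item[kSecAttrAccessGroup as String] as? String, group == accessGroup {
            continue
        }
        guard let account = item[kSecAttrAccount as String] as? String,
              let data = item[kSecValueData as String] as? Data else {
            continue
        }

        var add: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecAttrAccessGroup as String: accessGroup,
            kSecValueData as String: data,
        ]
        // Carry over the accessibility class so a token stored as
        // WhenUnlockedThisDeviceOnly is not silently re-added with a weaker one.
        if let accessible = item[kSecAttrAccessible as String] {
            add[kSecAttrAccessible as String] = accessible
        }

        let addStatus = SecItemAdd(add as CFDictionary, nil)
        switch addStatus {
        case errSecSuccess:
            migrated += 1
        case errSecDuplicateItem:
            // A previous run already copied this account; keep the existing copy.
            continue
        default:
            throw KeychainMigrationError.osStatus(addStatus)
        }
    }
    return migrated
}

// Typical call site: early in app launch of the migration release.
// let copied = try migrateGenericPasswords(service: "com.example.myapp.auth",
//                                          to: appGroupAccessGroup)
```

Two practical notes. First, run this on every launch rather than once: a user who updates, then restores a backup, or whose first run is interrupted, still gets migrated before the prefix change ships. Second, after the prefix change the release that reads tokens must query with `kSecAttrAccessGroup` set to the app group ID (or simply keep the app group as the only access group it uses), since the old Team-ID-prefixed items will no longer be reachable at that point.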
