Keychain Group Access

From：http://useyourloaf.com/blog/2010/04/03/keychain-group-access.html

Since iPhone OS 3.0 it has been possible to share data between a family of applications. This can provide a better user experience if you follow the common path of free（免费的）/premium（收费的） applications or if you have a set of related applications that
need to share some common account settings.

The main pre-requisite（先决条件） for shared keychain access is that all of the applications have a common
bundle seed ID. To be clear what this means remember that an App ID consists of two parts:

[code]<Bundle Seed ID> . <Bundle  Identifier>

The bundle seed ID is a unique (within the App Store) ten character string that is generated by Apple when you first create an App ID. The bundle identifier is generally set to be a reverse domain name string identifying your app (e.g.
com.yourcompany.appName) and is what you specify in the application Info.plist file in Xcode.

So when you want to create an app that can share keychain access with an existing app you need to make sure that you use the bundle seed ID of the existing app. You do this when you create the new App ID in the iPhone Provisioning
Portal（iPhone 配置门户）. Instead of generating a new value you select the existing value from the list of all your previous bundle seed IDs.

One caveat（有一点需要注意的）, whilst(虽然，而) you can create a provisioning profile with a wildcard（通配符） for the bundle identifier I have never been able to get shared keychain access working between apps using it. It works fine with fully specified (no wildcard)
identifiers. Since a number of other Apple services such as push notifications and in-app purchase also have this restriction maybe it should not be a surprise but I am yet to find this documented for keychain access.

Once you have your provisioning profiles setup with a common bundle seed ID the rest is pretty easy. The first thing you need to do is register the keychain access group you want to use. The keychain access group can be named pretty much anything you
want as long as it starts with the bundle seed ID. So for example if I have two applications as follows:

ABC1234DEF.com.useyourloaf.amazingApp1

ABC1234DEF.com.useyourloaf.amazingApp2

I could define a common keychain access group as follows:

ABC1234DEF.amazingAppFamily

To enable the application to access this group you need to add an entitlements plist file to the project using xCode. Use Add -> New File and select the Entitlements template from the iPhone OS Code Signing section. You can name the
file anything you like (e.g. KeychainAccessGroups.plist). In the file add a new array item named keychain-access-groups and
create an item in the array with the value of our chosen keychain access group:



Note: Do not change the get-task-allow item that is created by default in the entitlements file unless you are creating an Ad-Hoc distribution of your app (in which case you should uncheck this option).

This same process should be repeated for all apps that share the bundle seed ID to enable them to access the keychain group. To actually store and retrieve values from this group requires adding an additional value to the dictionary passed as an argument
to the keychain services. Using the example from the previous post on simple iPhone keychain access the search dictionary gets the following additional
item:

[code][searchDictionary setObject:@"ABC1234DEF.amazingAppFamily" 
                     forKey:(id)kSecAttrAccessGroup];

One final comment, using a shared keychain access group does not stop you from storing values in an applications private keychain as well. The Apple GenericKeychain example
application builds two applications which both store data in a private and group keychain.