@@ -48,14 +48,15 @@ Google Sign-In allows your users to sign-in to your native macOS app using their
4848and default browser. When building for macOS, the ` signInWithConfiguration: ` and ` addScopes: `
4949methods take a ` presentingWindow: ` parameter in place of ` presentingViewController: ` . Note that
5050in order for your macOS app to store credentials via the Keychain on macOS, you will need to add
51- ` $(AppIdentifierPrefix)$(CFBundleIdentifier) ` to its keychain access group.
51+ ` $(AppIdentifierPrefix)$(CFBundleIdentifier) ` as the first item in its keychain access group.
5252
5353### Mac Catalyst
5454
5555Google Sign-In also supports iOS apps that are built for macOS via
5656[ Mac Catalyst] ( https://developer.apple.com/mac-catalyst/ ) . In order for your Mac Catalyst app
5757to store credentials via the Keychain on macOS, you will need to add
58- ` $(AppIdentifierPrefix)$(CFBundleIdentifier) ` to its keychain access group.
58+ ` $(AppIdentifierPrefix)$(CFBundleIdentifier) ` as the first item in the keychain
59+ access group.
5960
6061## Using the Google Sign-In Button
6162
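Review bot: Both reworded sentences (macOS at new line 51, Mac Catalyst at new lines 58-59) now require the entry to be "the first item" but give no reason, and the only rationale is in the section added at the end of the file under an iOS heading. A reader who stops at either paragraph has no way to know that ordering matters because the first listed group is the one GSI uses and clears on fresh install, so I would add a short pointer to that section in both places. The wording is also inconsistent between the two ("in its keychain access group" vs. "in the keychain access group"), and "first item in ... access group" reads as if a group has items; "first entry in its list of keychain access groups" would be unambiguous and would match the "first listed" phrasing used in the new section.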
@@ -107,3 +108,19 @@ let signInButton = GoogleSignInButton {
107108}
108109let hostedButton = NSHostingView(rootView: signInButton)
109110```
111+
112+ ## A Note on iOS Keychain Access Groups
113+
114+ GSI uses your default (first listed) keychain access group. If you don't add a
115+ custom keychain access group, the default keychain access group is provided by
116+ Xcode and looks like ` $(AppIdentifierPrefix)$(CFBundleIdentifier) ` .
117+
118+ GSI [ removes keychain items upon fresh install] ( https://github.com/google/GoogleSignIn-iOS/pull/567 )
119+ to ensure that stale credentials from previous installs of your app are not
120+ mistakenly used. If your app uses a shared access group by default this may
121+ lead to new installs of apps sharing the same keychain access group to remove
122+ keychain credentials for apps already installed.
123+
124+ To prevent unintentional credential removal, you can explicitly list the
125+ typical default access group (or whatever you prefer so long as it is not
126+ shared) in your list first. GSI, will then use that default access group.
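Review bot: The heading at new line 112 scopes this note to iOS, yet it is appended directly after the macOS `NSHostingView` example and the macOS and Mac Catalyst paragraphs earlier in the file now carry the same "first item" requirement, so the section should either say it applies to all three platforms or be moved next to the iOS material. The paragraph at new lines 118-122 is the security-relevant one and is hard to parse: "may lead to new installs of apps sharing the same keychain access group to remove keychain credentials for apps already installed" would be clearer as a direct statement that a fresh install of one app deletes the stored credentials of every other installed app that uses the same shared group as its default. At new lines 124-126, "the typical default access group" should repeat the literal `$(AppIdentifierPrefix)$(CFBundleIdentifier)` so the reader can copy it, and there is a stray comma in "GSI, will then use". "GSI" is also not expanded anywhere in the visible lines.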