iCloud KeySyc is a privacy-focused feature that securely syncs a user’s personalized keyboard learning across all Apple devices through iCloud. Today, when users upgrade to a new iPhone or begin using a new iPad or Mac, the keyboard often loses much of the personalization it has developed over time. Users must re-teach autocorrect, rebuild custom vocabulary, and wait for the keyboard to relearn their typing habits. iCloud KeySync would allow users to move seamlessly between devices while keeping the keyboard experience familiar from day one. Problem Statement Apple’s keyboard becomes more useful over time as it learns: Frequently used words and phrases Personal slang and abbreviations Emoji preferences Autocorrect adjustments Writing patterns and typing habits When users switch devices, much of this personalization is lost or takes time to rebuild. This creates friction during device upgrades and reduces the feeling of continuity within the Apple ecosystem. Proposed Solution iCloud KeySync securely synchronizes keyboard personalization data across Apple devices. The feature would: Learn and store personalized keyboard behavior on-device. Encrypt and sync personalization data through iCloud. Restore keyboard preferences automatically when signing into a new device. Keep keyboard learning consistent across iPhone, iPad, and Mac. Key Features Personalized Vocabulary Sync Synchronizes user-added words, nicknames, slang, and frequently used phrases. Emoji Preference Sync Maintains commonly used emoji patterns across devices. Autocorrect Learning Sync Preserves learned corrections and accepted custom spellings. Typing Behavior Continuity Allows devices to share keyboard learning so users receive familiar suggestions regardless of which Apple device they use. User Controls Enable or disable iCloud KeySync. Reset keyboard learning at any time. View privacy information and storage usage. Privacy and Security Privacy should remain the foundation of the feature. All keyboard learning occurs on-device. Personalization data is end-to-end encrypted. Raw message content is never uploaded. Users retain full control over synchronization settings. Security protections match the standards used by iCloud Keychain. User Benefits New devices feel familiar immediately. Less time correcting autocorrect mistakes. Faster onboarding after device upgrades. Consistent typing experience across the Apple ecosystem. Improved customer satisfaction and retention. Example User Scenario A user upgrades from an older iPhone to a new iPhone. After signing into iCloud and restoring their device, the keyboard immediately recognizes their commonly used phrases, preferred emoji, custom words, and learned typing patterns. The new device feels personalized from the first message typed, without requiring weeks of retraining Business Value Improves the upgrade experience. Strengthens ecosystem continuity. Reinforces Apple’s privacy-first approach to AI and machine learning. Creates a subtle but meaningful quality-of-life improvement for millions of users. Switch phones. Keep your vibe.

Hello everyone, I’m posting here because I’m waiting for an update regarding my Apple Developer Program enrollment. My enrollment currently shows: “Your enrollment is being processed.” My Enrollment ID is: 35QVL65M9K I submitted my enrollment several days ago and I haven’t received any email updates or requests for additional information yet. I wanted to ask if anyone from Apple Support or a community admin could please check my case status, or let me know if anything else is needed from my side to continue the review. If additional documents or verification are required, I’m happy to provide them. Thank you very much for your help.

We recently upgraded OpenSSL from version 1.1.1 to 3.4.0. After this upgrade, we observed that PKCS#12 files generated using OpenSSL 3.4.0 fail to import into the macOS Keychain with the following error: Failed to import PKCS#12 data: -25264 (MAC verification failed during PKCS12 import (wrong password?)) This issue is reproducible on macOS 14.8.2. The same PKCS#12 files import successfully on other macOS versions, including 15.x and 26.x. Additionally, PKCS#12 files that fail to import on macOS 14.8 work correctly when copied and imported on other macOS versions without any errors. PKCS#12 Creation The PKCS#12 data is created using the following OpenSSL API: const char* platformPKCS12SecureKey = _platformSecureKey.has_value() ? _platformSecureKey.value().c_str() : NULL; PKCS12* p12 = PKCS12_create( platformPKCS12SecureKey, NULL, keys, _cert, NULL, 0, 0, 0, 0, 0 ); if (!p12) { throw std::runtime_error("Failed to create PKCS#12 container"); } PKCS#12 Import The generated PKCS#12 data is imported into the macOS Keychain using the following code: NSString *certPassKey = [NSString stringWithUTF8String:getCertPassKey()]; NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase: certPassKey, (__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, (__bridge id)kSecAttrIsExtractable: @YES, (__bridge id)kSecAttrIsPermanent: @YES, (__bridge id)kSecAttrAccessGroup: APP_GROUP }; CFArrayRef items = NULL; OSStatus status = SecPKCS12Import( (__bridge CFDataRef)pkcs12Data, (__bridge CFDictionaryRef)options, &items );

Hello, I am currently implementing a biometric authentication registration flow using WebAuthn. I am using ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest, and I would like to know if there is a way to hide the "Save to another device" option that appears during the registration process. Specifically, I want to guide users to save the passkey only locally on their device, without prompting them to save it to iCloud Keychain or another device. If there is a way to hide this option or if there is a recommended approach to achieve this, I would greatly appreciate your guidance. Also, if this is not possible due to iOS version or API limitations, I would be grateful if you could share any best practices for limiting user options in this scenario. If anyone has experienced a similar issue, your advice would be very helpful. Thank you in advance.

Using personal physical iPhone for simulations. Can't get Keychain to read or store AppleID name/email. I want to avoid hard reseting physical phone. Logs confirm Keychain is working, but userIdentifier and savedEmail are not being stored correctly. 🔄 Initializing UserManager... ✅ Saved testKeychain to Keychain: Test Value ✅ Retrieved testKeychain from Keychain: Test Value 🔍 Keychain Test - Retrieved Value: Test Value ⚠️ Keychain Retrieve Warning: No stored value found for userIdentifier ⚠️ Keychain Retrieve Warning: No stored value found for savedEmail 🔍 Debug - Retrieved from Keychain: userIdentifier=nil, savedEmail=nil ⚠️ No stored userIdentifier in Keychain. User needs to sign in. 📦 Converting User to CKRecord: Unknown, No Email ✅ User saved locally: Unknown, No Email ✅ User saved to CloudKit: Unknown, No Email Below UserManager.swift if someone can help troubleshoot. Or step by step tutorial to configure a project and build a User Login & User Account creation for Apple Only app. import Foundation import CloudKit import AuthenticationServices import SwiftData @MainActor class UserManager: ObservableObject { @Published var user: User? @Published var isLoggedIn = false @Published var errorMessage: String? private let database = CKContainer.default().publicCloudDatabase init() { print("🔄 Initializing UserManager...") // 🔍 Keychain Debug Test let testKey = "testKeychain" KeychainHelper.shared.save("Test Value", forKey: testKey) let retrievedValue = KeychainHelper.shared.retrieve(forKey: testKey) print("🔍 Keychain Test - Retrieved Value: \(retrievedValue ?? "nil")") fetchUser() // Continue normal initialization } // ✅ Sign in & Save User func handleSignIn(_ authResults: ASAuthorization) { guard let appleIDCredential = authResults.credential as? ASAuthorizationAppleIDCredential else { errorMessage = "Error retrieving Apple credentials" print("❌ ASAuthorization Error: Invalid credentials received") return } let userIdentifier = appleIDCredential.user let fullName = appleIDCredential.fullName?.givenName ?? retrieveSavedName() var email = appleIDCredential.email ?? retrieveSavedEmail() print("🔍 Apple Sign-In Data: userIdentifier=\(userIdentifier), fullName=\(fullName), email=\(email)") // 🔄 If Apple doesn't return an email, check if it exists in Keychain if appleIDCredential.email == nil { print("⚠️ Apple Sign-In didn't return an email. Retrieving saved email from Keychain.") } // ✅ Store userIdentifier & email in Keychain KeychainHelper.shared.save(userIdentifier, forKey: "userIdentifier") KeychainHelper.shared.save(email, forKey: "savedEmail") let newUser = User(fullName: fullName, email: email, userIdentifier: userIdentifier) saveUserToCloudKit(newUser) } func saveUserToCloudKit(_ user: User) { let record = user.toRecord() Task { do { try await database.save(record) DispatchQueue.main.async { self.user = user self.isLoggedIn = true self.saveUserLocally(user) print("✅ User saved to CloudKit: \(user.fullName), \(user.email)") } } catch { DispatchQueue.main.async { self.errorMessage = "Error saving user: \(error.localizedDescription)" print("❌ CloudKit Save Error: \(error.localizedDescription)") } } } } // ✅ Fetch User from CloudKit func fetchUser() { let userIdentifier = KeychainHelper.shared.retrieve(forKey: "userIdentifier") let savedEmail = KeychainHelper.shared.retrieve(forKey: "savedEmail") print("🔍 Debug - Retrieved from Keychain: userIdentifier=\(userIdentifier ?? "nil"), savedEmail=\(savedEmail ?? "nil")") guard let userIdentifier = userIdentifier else { print("⚠️ No stored userIdentifier in Keychain. User needs to sign in.") return } let predicate = NSPredicate(format: "userIdentifier == %@", userIdentifier) let query = CKQuery(recordType: "User", predicate: predicate) Task { [weak self] in guard let self = self else { return } do { let results = try await self.database.records(matching: query, resultsLimit: 1).matchResults if let (_, result) = results.first { switch result { case .success(let record): DispatchQueue.main.async { let fetchedUser = User(record: record) self.user = User( fullName: fetchedUser.fullName, email: savedEmail ?? fetchedUser.email, userIdentifier: userIdentifier ) self.isLoggedIn = true self.saveUserLocally(self.user!) print("✅ User loaded from CloudKit: \(fetchedUser.fullName), \(fetchedUser.email)") } case .failure(let error): DispatchQueue.main.async { print("❌ Error fetching user from CloudKit: \(error.localizedDescription)") } } } } catch { DispatchQueue.main.async { print("❌ CloudKit fetch error: \(error.localizedDescription)") } } } } // ✅ Save User Locally private func saveUserLocally(_ user: User) { if let encoded = try? JSONEncoder().encode(user) { UserDefaults.standard.set(encoded, forKey: "savedUser") UserDefaults.standard.set(user.fullName, forKey: "savedFullName") UserDefaults.standard.set(user.email, forKey: "savedEmail") print("✅ User saved locally: \(user.fullName), \(user.email)") } else { print("❌ Local Save Error: Failed to encode user data") } } // ✅ Retrieve Previously Saved Name private func retrieveSavedName() -> String { return UserDefaults.standard.string(forKey: "savedFullName") ?? "Unknown" } // ✅ Retrieve Previously Saved Email private func retrieveSavedEmail() -> String { return KeychainHelper.shared.retrieve(forKey: "savedEmail") ?? UserDefaults.standard.string(forKey: "savedEmail") ?? "No Email" } // ✅ Sign Out func signOut() { isLoggedIn = false user = nil UserDefaults.standard.removeObject(forKey: "savedUser") print("🚪 Signed Out") } }

Hi Team, I have created multiple certificates for macOS application. Below are the certificates created- Apple Development Certificate DeveloperID Installer Certificate Apple Distribution Certificate others certificates Later, I have imported the all these above certificates in keychain-access. Now, I tried to compile the code through Xcode. I am getting error for code signing certificate. Warning: unable to build chain to self-signed root for signer "Apple Development: Amit (M2WMF2YERI)” .... Command CodeSign failed with a nonzero exit code When I checked the TeamID of User(Amit) I can see that his current TeamID is [P8ZW3W9R2Q]. There is mismatch of teamID in apple development certificate generation. Note- All certificates are generated with current TeamID[P8ZW3W9R2Q] of user (Amit) except Apple Development certificate which has been generated with TeamID [M2WMF2YERI] which is generated with old TeamID of user (Amit). I attempted to generate the apple development certificate multiple times but it is getting generated with old TeamID TeamID[M2WMF2YERI] of user(Amit)
 Summary- While creating a developer certificate using apple developer account and mapping it in keychain, the certificate is being generated with old apple account details (Inactive) instead of the current one. This is causing issues when using the certificate in keychain. If anyone has encountered this issue, how it was resolved?

Hello, I am currently working on implementing credential registration for biometric authentication using WebAuthn in an iOS app. I am using ASAuthorizationPlatformPublicKeyCredentialProvider to create a credential registration request based on the data retrieved from the WebAuthn options endpoint. At the moment, I am only using user.id, user.name, and challenge from the options response, and I am unsure how to utilize the other fields effectively. I would greatly appreciate advice on how to use the following fields: **Fields I would like to use: ** rp (Relying Party) I am retrieving id and name, but I am not sure how best to pass and utilize these fields. Is there an explicit way to use them? authenticatorSelection How can I set requireResidentKey and userVerification in ASAuthorizationPlatformPublicKeyCredentialRegistrationRequest? Also, what are the specific benefits of using these fields? timeout Is there a way to reflect the timeout value in the credential registration request, and what would be the best way to handle this information in iOS? attestation The attestation field can contain values such as none or direct. How should I reflect this in the credential registration request for iOS? I would appreciate a sample implementation or guidance on the benefits of setting this field. extensions If I want to customize the authentication flow using the extensions field, how can I appropriately reflect this in iOS? For instance, how can I utilize extensions like credProps? pubKeyCredParams Regarding pubKeyCredParams, which is a list of supported public key algorithms, I am unsure how to use it to select an appropriate algorithm in iOS. How should I incorporate this information into the request? excludeCredentials I understand that setting excludeCredentials can prevent duplicate registration, but I am not sure how to use past credential information to set it effectively. Any advice on this would be appreciated. **Current Code ** Currently, I have implemented the following code, but I am struggling to understand how to add and configure the fields mentioned above. let publicKeyCredentialProvider = ASAuthorizationPlatformPublicKeyCredentialProvider( relyingPartyIdentifier: "www.example.com" ) let registrationRequest = publicKeyCredentialProvider.createCredentialRegistrationRequest( challenge: challenge, name: userId, userID: userIdData ) let authController = ASAuthorizationController(authorizationRequests: [registrationRequest]) authController.delegate = self authController.presentationContextProvider = self authController.performRequests() In addition to the above code, I would be grateful if anyone could advise on how to configure fields like rp, authenticatorSelection, attestation, extensions, and pubKeyCredParams as well. Furthermore, I would appreciate any insights into the benefits of setting each of these fields in iOS, and any security considerations to be aware of. If anyone has experience with this, your guidance would be extremely helpful. Thank you very much in advance!

I use icloud apps on windows. This image says "Authentication failed". I have done below. Reinstall Logout & Signin About My PC AMD Ryzen 5 5625U AMD Radeon Graphics 8.0GB Memories 256GB SSD Microsoft Windows 11 Version 23H2 (OS Build 22631.4249) (Licensed) About My iPad iPad mini 3 64GB iOS 12.5.7(Latest) Please help me... Maybe this letters has mistakes because I'm Japanese.

Hello, I'll describe an issue I just reported as FB15286954, hoping to see your thoughts on it / what might've gone wrong. Earlier today, I created an account for a website on my iPhone running the release version of iOS 18.0 using Safari, then added 2FA via the Passwords app. I logged in, checked that it works, then closed Safari and did something else (not much on my phone). In the meantime the phone shut down due to low battery. When I charge it again, and open the Passwords app, I come to find out that the verification codes for this website are gone… What could've gone wrong? I was prompted by the website to save a code to check that 2FA was properly configured, so I think I saved it properly in the app (by the way, the password was still there, properly saved). I assume there was a syncing error between iCloud and my iPhone due to low battery? Is there any way to recover the verification codes? I'll try to reclaim the account through the website's support channels, but I'm wondering if I could still retrieve it somehow.

I'm studying sharing through this link. I followed the first steps by changing the bundle identifier of the project, the tests and placing my own container in the config and in the info.plist. https://github.com/apple/sample-cloudkit-zonesharing The app appears and in the log it appears that it has managed to access my iCloud, but when I click on share and share something, the following message appears in the console, on the simulator and on the iPhone: "No options were found, providing default value for access type" "No options were found, providing default values ​​for permissions" "connection invalidated" And finally, when I click on the shared link, the following message appears: "Item unavailable The owner stopped sharing, or you don't have permission to open it."

Hi Team, Exporting the archive through the Jenkins pipeline (executing commands on a Mac EC2 instance as a Jenkins agent) isn't working, while exporting directly from the Mac terminal successfully generates the IPA file. What might be the cause? When we execute it on directly Mac terminal, it asks Keychain password first time & after that it automatically generates IPA file. Note : We are using below working command to open keychain access. security unlock-keychain -p "my_password" /Users/ec2-user/Library/Keychains/login.keychain-db Export command : xcodebuild -exportArchive -archivePath $PWD/build/Archive/MyApp.xcarchive -exportPath $PWD/build/IPA -exportOptionsPlist ../../Dev_exportOptions.plist -allowProvisioningUpdates Current details: Node version : node-v18.17.0-darwin-arm64 Npm version : 9.6.7 Ionic version : 5.2.6 Xcode version : 15.4 Macos : Sonoma 14.6.1

I am a simple mac seller ,i buy broken laptops from people and repair them to sell so one day one my customer asked to show him video of 4 my laptops after he got only video all became iCloud LOCK Summary - my case numbers are 102302104385 + Case Number: 102309395011 my story is simple the customer asked me about video of the Macbook , because as he told me  , he was need a confirmation about how are laptops are looks like   i do not see any suspicious action here  , customer just want me to show him the laptop like online   So i did it - just send him video - and that is all  then he asked to send video about 3 more Macbooks after it he asked me to Use Erase All Content and Settings so i was sure that there will be no problem  - because i just replaced the motherboard    two weeks ago - so what can be wrong    so when i did it - the Macbook asked if the apple server let him activation  and it was refused   Somehow person who get the video about laptop did a copy of a signal that apple laptop send to apple activation server  and connected  it to his apple id  and after it enabled FMI FMD  - but all time my laptops was turned off But i have video confirmation in my cases that all laptops are without any Apple Id and have new and fresh mac os so after it i was not able to pass the activation because i was scammed and unknown person connected 4 my laptops to unknown account , so after that i was not able to pass the activation  so in fact they are all bricked now   he asked me to pay 1000 $ i told apple about it and they  answer me that it is just my fairy tail and it is not possible   i told them that there is a hole in security and identification of apple devices during enabling FMI FMD  but as i see they do not care - i think it must about 100 same cases  or 1000 - maybe after it they will take care about it  so now i wonder if there any more victims who have the same problem  ? or check here at youtube ServisTT also i and apple support did full apple diagnostic about all devices - i want apple to compare mac addresses and other mac information with the signal that was emulated with the scammer to prove my words - because the scammer was at different location and his emulation device or software was different between my original one macbook Steps to reproduce https://www.youtube.com/watch?v=58AgEcZvrYg&t=98s or check here at youtube ServisTT Expected results i want apple to compare mac addresses and other mac information with the signal that was emulated with the scammer to prove my words - because the scammer was at different location and his emulation device was different between my original one also if you find out that he used Hardware UUID - so why not to mask it or hide or make enable to see only with the password 
 Actual results NO ONE TRUST ME AND NO ONE WANT TO HELP ME

Hello Everyone, This is regarding recent upgrade issue on my iPhone. I am still struggling to get access to my iCloud storage data for iMessages, Notes with password, Health related stats, etc. I would like to explain chronology of the entire event. There was a recent IOS 17.4.1 update came on April 07th, 2024. I clicked on the update but nothing happened then suddenly my phone passcode wasn’t working. I restarted my phone then the phone was not even accepting my face id. I went to the Apple store. Apple support team have requested me to reset (erase entire data) iPhone which I had already done on next day. I had no others options actually. My phone passcode was not working in reality due to iso update because I haven’t changed my passcode since more than a year. It is also not due to iPhone screen issue which apple team was saying to me initially. Unfortunately, my Apple ID credentials wasn’t working after phone reset so I had to put my Apple ID on recovery mode which took almost 15days to recover even though process is automated as per apple support team which they can’t reduce it. I understand that they are doing for privacy reason but who wants such privacy when even owner can’t access his own account for 15days. I offered them to verify my personal details such as email ID, phone number, passport number and any other details which they can use to expedite the process but they didn’t help on this. At end of the recovery (after 15days), they used same details i.e. my email ID and SMS on my registered number to verify. I don’t understand their logic but if they can take 2-3 business working days for same process then it makes sense to wait rather than 15days. After I regained access to my apple id, I have restored everything using my iCloud storage. I observed that few applications such as contacts, WhatsApp, etc. are restored properly but some of the applications such as iMessage, Notes (specifically locked notes), health data were not restored. iMessage are not synchronizing with iCloud storage when I tried to do it manually too in setting >> apple id>> iCloud >> show all >> messages in iCloud >> sync now. Nothing happens after clicking on it. Locked notes are still showing an error message “Can’t view Note. ‘This note can’t be viewed because encryption key wasn’t found in iCloud keychain. Resetting your end-to-end encrypted data can cause this’”. I have never used custom password to lock note instead I was using Face ID earlier to lock or unlock some of notes. All these things are happening because it is asking for old iPhone passcode to connect with iCloud storage while resetting my iPhone. I am trying to enter all the previous passcodes. a. When I entered correct passcode, then there is no error but still applications are not synchronizing with iCloud storage. b. When I enter incorrect passcodes (multiple passcodes but one at a time) then it gives an error “Verification failed”. It means it is detecting correct passcode as per above point. There is some issue with passcode synchronization with iCloud storage. I have opened a case with apple support team but meanwhile If any one of you had faced similar problem, then kindly suggest ways to me so I will regain access to some important personal information which are present in my iCloud storage. I would like to inform everyone that don’t rely completely on single brand or product. Take multiple backups may be on personal laptops, SSDs, etc. I learnt a lesson that even apple products, software & services are not reliable so think before buying costly products just for sake of brand name.

get the password from keychain, encountered an exception， password lost and the reason of the exception is Error Domain=com.samsoffes.sskeychain Code=-25300 ", I want to know why this happens and the possibility of it

i want to make some changes in the keychain system but the option is disable, i have already tried to make some changes in the icloud settings, lock and unlock, and restart the mac. thanks for the help, im looking for always enable codesign because this alert is shown too many times

Добрый день! Я создал аккаунт на Alibaba.com с помощью AppleID, при регистрации был выдан подменный адрес почты @privaterelay.appleid.com, при попытке подтвердить почту, письма не пересылаются на мою основную почту.

I can't import into keychain. I can't drop and drag. I have it turned on in iCloud. I tried creating a second keychain and it still doesn't work.

I am new. I inherited a half finished app. I successfully finished it in flipabit and got the app into Google Play with no problem. I am having a horrible time with Apple. The app had been rejected so many times by Apple, I decided that I would create a total new bundle.I have the Cert for signing, the mobile provision key, the Apple Distribution.cer , and an authorization key. I can't import any of them into keychain. I am thinking that that all these were created by someone else for the original app and I can't import any of mine, though that really doesn't make sense. Any and all ideas would be truly appreciated. I have been looking into upworkk to have someone do this for me but I am wondering how in the world they could do that.

When trying to build an AR app to my Iphone 11 with Xcode (13.2.1) using Mac OS 12.1 the build fails. Codesign wants me to use the Apple Development keychain. No matter which password I use it fails.

Hello, this might not belong to dev forums, but rather support, the reason I'm posting here I seem to have localized problem via Apple logging, partially, and can't believe I can get any prompt answer if asked on discussions.apple.com... ckks data inaccessible and potential data loss what happend I was stupid enough to delete a few key records from iCloud Keychain ("Local Items"), using official /Applications/Utilities/Keychain Access.app ( seems like ephemeral keys / identifiers, ckks, idms and stuff). What was different this time: because the account uses ADP, I might have deleted some end-to-end encryption related material. I was not initially too much upset, as normally "trust" can be reestablished via fresh login. Prerequisite: my account is ADP-enabled. ckks state is waitfortrust which corresponds to what I get from Octagon CLI, later on in the post. is@airstation ~ % /usr/sbin/ckksctl status | head -15 ================================================================================ Global state: CKKS state machine: waitfortrust Active account: (null) CloudKit account: logged in Account tracker: <CKKSAccountStateTracker: <CKAccountInfo: accountStatus=Available, accountPartition=Prod, deviceToDeviceEncryptionAvailability=(account), hasValidCredentials=true, walrus=Could Not Determine>, hsa2: available> Syncing Policy: <TPSyncingPolicy: <TPPolicyVersion: 16, SHA256:/4gt8WFEXCVLYI+C+8/2MiMz6Srv0vpcvlkJ4gkepHQ=>, MacBookAir10,1, userViews: UNKNOWN> Views from policy: yes Reachability: network Retry: <CKKSNearFutureScheduler(zonemodifier-ckretryafter): no pending attempts CK DeviceID: 0B643F9E-AD74-4916-84A4-D3589F0B2061 CK DeviceID Error: (null) Lock state: <CKKSLockStateTracker: unlocked last:now> Attempt to recover using trusted phone number Obviously I just tried to login and waiting for the challenge to be sent to my trusted phone number. This didn't happen and System Settings GUI cannot handle it, doing just nothing. Inspired by prior success: attempt using Octagon Trust CLI Kudos to Apple for opening https://opensource.apple.com/source/Security/Security-59754.80.3/keychain/ which helped me tremendously to make sense of how it works, roughly :) So: previously I used bottled peers data and/or escrow records and recall success in the past with this approach (using recover commands), on the other occasion, had success in a much more simple way, by is@airstation ~ % /usr/sbin/otctl resetoctagon While worked great before Apple introduced ADP, attempt to reset Octagon quite recently for one of my accounts resulted in banning me from reenabling ADP on the account for some 3 months, damn, I understand why you have this feature in place, but srsly, it came hard on me (didn't find workaround for it :) ... and how it failed in a way resembling actual CloudKit bug is@airstation ~ % /usr/sbin/otctl allBottles returns nothing, but this is probably due to I don't have any trusted devices now. Well, this should not be fatal yet, right? Only not this is@airstation ~ % /usr/sbin/otctl fetchAllEscrowRecords fetching escrow records failed: Error Domain=CKErrorDomain Code=15 "CKInternalErrorDomain: 2000" UserInfo={ContainerID=com.apple.security.keychain, NSUnderlyingError=0x6000019e40f0 {Error Domain=CKInternalErrorDomain Code=2000 "(null)" UserInfo={ContainerID=com.apple.security.keychain, CKHTTPStatus=500, RequestUUID=4130264A-AD5A-4970-88EF-622667C6553B, OperationID=682A09E938434541}}, CKHTTPStatus=500, NSDebugDescription=CKInternalErrorDomain: 2000, RequestUUID=4130264A-AD5A-4970-88EF-622667C6553B, OperationID=682A09E938434541} My reversing didn't go that far to judge if it's related to absense of trusted peers or actual bug with CloudKit. Log messages from trustedpeershelperd: fetchViableBottles failed with error: <CKError 0x125636640: "Server Rejected Request" (15/2000); op = 3958A36F3B166393; uuid = 9C6FB698-E677-4B7C-A323-14121908371A; container ID = "com.apple.security.keychain"> fetchEscrowRecords failed with error: <CKError 0x125636640: "Server Rejected Request" (15/2000); op = 3958A36F3B166393; uuid = 9C6FB698-E677-4B7C-A323-14121908371A; container ID = "com.apple.security.keychain"> Is it CloudKit bug? Can I hope for rescuing my data? The sad thing about it, that due to lack of knowledge, I anticipate this can be fatal data loss. E.g. if some part of secret chain was discarded by HSM which I presume is irrecoverable.... I have only partial backup of Cloud Drive. There are Photos which are really important to me, so it would be so nice to get it back. At least if you can answer: if I can safely try resetoctagon this occasion as well, or if disabling ADP might help. @eskimo if there is any chance you could comment, I'd appreciate a lot. Kind regards, Peter