Summary
flet-secure-storage pins flutter_secure_storage: 10.0.0 in its bundled Flutter pubspec.yaml. That resolves flutter_secure_storage_darwin 0.2.0, which has two macOS bugs — both already fixed upstream — that make secure storage unusable on unsigned / development macOS apps.
The problem on macOS
On macOS, flutter_secure_storage defaults to the data-protection keychain, which requires the keychain-access-groups entitlement (an embedded provisioning profile). Unsigned or unprovisioned apps — including flet run and an unsigned flet build macos — fail every write with errSecMissingEntitlement (-34018).
The documented escape hatch is MacOsOptions(usesDataProtectionKeychain: false), which should route to the login keychain (no entitlement required). In darwin 0.2.0 that option is inert:
- Key-name mismatch — the Dart side sends
usesDataProtectionKeychain, but the Swift side read a differently-cased key and defaulted it to true, so the data-protection keychain was always used regardless of the option.
- A follow-up issue where
kSecUseDataProtectionKeychain was added to the keychain query even when false, still tripping the entitlement.
Net effect with the current pin: there is no way for an unsigned/dev macOS Flet app to persist values — the data-protection path -34018s, and the login-keychain fallback is unreachable.
Already fixed upstream
Verification
I confirmed the fix end-to-end. A flet build macos app, ad-hoc signed (no provisioning profile), with:
[tool.flet.flutter.pubspec.dependency_overrides]
flutter_secure_storage = "10.3.1"
flutter_secure_storage_darwin = "0.4.0"
and MacOsOptions(uses_data_protection_keychain=False) successfully wrote and read back a value from the macOS login keychain — no -34018. With the default pin (darwin 0.2.0) the same app fails. Inspecting the built framework, only the corrected usesDataProtectionKeychain key is compiled in once the override is applied.
Note: flet run uses the prebuilt flet-desktop binary, which bakes the plugin in at release time, so it cannot benefit from dependency_overrides and stays broken until a new flet-desktop binary ships against the newer plugin. A pin bump fixes both flet build and flet run.
Also worth flagging: on macOS, get_availability() returns True even while every write fails with -34018, so it can't be used as a pre-flight check — a write round-trip is the only reliable signal.
Request
Bump flet-secure-storage's flutter_secure_storage pin from 10.0.0 to a current release (latest stable 10.3.1) that resolves flutter_secure_storage_darwin ≥ 0.3.2. This restores OS-backed secure storage for unsigned/dev macOS apps (via the login keychain) without requiring provisioning, and — once a new prebuilt binary ships — fixes flet run too.
Happy to open a PR for the pin bump if that would help.
Environment
flet / flet-secure-storage 0.85.2- macOS (Apple Silicon)
- Pinned
flutter_secure_storage: 10.0.0 → resolves flutter_secure_storage_darwin: 0.2.0
Summary
flet-secure-storagepinsflutter_secure_storage: 10.0.0in its bundled Flutterpubspec.yaml. That resolvesflutter_secure_storage_darwin0.2.0, which has two macOS bugs — both already fixed upstream — that make secure storage unusable on unsigned / development macOS apps.The problem on macOS
On macOS,
flutter_secure_storagedefaults to the data-protection keychain, which requires thekeychain-access-groupsentitlement (an embedded provisioning profile). Unsigned or unprovisioned apps — includingflet runand an unsignedflet build macos— fail every write witherrSecMissingEntitlement(-34018).The documented escape hatch is
MacOsOptions(usesDataProtectionKeychain: false), which should route to the login keychain (no entitlement required). In darwin 0.2.0 that option is inert:usesDataProtectionKeychain, but the Swift side read a differently-cased key and defaulted it totrue, so the data-protection keychain was always used regardless of the option.kSecUseDataProtectionKeychainwas added to the keychain query even whenfalse, still tripping the entitlement.Net effect with the current pin: there is no way for an unsigned/dev macOS Flet app to persist values — the data-protection path
-34018s, and the login-keychain fallback is unreachable.Already fixed upstream
flutter_secure_storage_darwin0.3.0 (fix: align macOS options keys in darwin plugin juliansteenbakker/flutter_secure_storage#1047, merged 2026-02-10)flutter_secure_storageis 10.3.1 stable (11.0.0-beta.1prerelease requiresflutter_secure_storage_darwin: ^0.4.0).Verification
I confirmed the fix end-to-end. A
flet build macosapp, ad-hoc signed (no provisioning profile), with:and
MacOsOptions(uses_data_protection_keychain=False)successfully wrote and read back a value from the macOS login keychain — no-34018. With the default pin (darwin 0.2.0) the same app fails. Inspecting the built framework, only the correctedusesDataProtectionKeychainkey is compiled in once the override is applied.Note:
flet runuses the prebuiltflet-desktopbinary, which bakes the plugin in at release time, so it cannot benefit fromdependency_overridesand stays broken until a new flet-desktop binary ships against the newer plugin. A pin bump fixes bothflet buildandflet run.Also worth flagging: on macOS,
get_availability()returnsTrueeven while every write fails with-34018, so it can't be used as a pre-flight check — a write round-trip is the only reliable signal.Request
Bump
flet-secure-storage'sflutter_secure_storagepin from10.0.0to a current release (latest stable10.3.1) that resolvesflutter_secure_storage_darwin ≥ 0.3.2. This restores OS-backed secure storage for unsigned/dev macOS apps (via the login keychain) without requiring provisioning, and — once a new prebuilt binary ships — fixesflet runtoo.Happy to open a PR for the pin bump if that would help.
Environment
flet/flet-secure-storage0.85.2flutter_secure_storage: 10.0.0→ resolvesflutter_secure_storage_darwin: 0.2.0