iOS: Resigned app cannot access keychain through security API

iOS: Resigned app cannot access keychain through security API

We have an app we are writing for a customer. We compile the app and
deliver an IPA to the customer, who then resigns the app using their
provisioning profiles and keys.
The app works fine until the customer resigns it. Then it fails when
accessing the keychain. We get messages in the device console like this:
... SecItemAdd: missing entitlement
... SecItemCopyMatching: missing entitlement
Logging the return codes we are getting -25308 "Interaction with the
Security Server is not allowed" from all SecItem* calls.
I've not been able to find anyone with this same problem and a solution.
Both the initial builds and subsequent code signings work and the app runs
until it tries to access the keychain. When resigning the customer is
specifying the same app id we originally built it with. I've added and
entitlements file as well.
I have noticed that the app id used in the provisioning profile the
customer is using is different to the id in the app. However the resigning
works and the apps runs so I'm assuming at this point it's not an issue.
So far no luck.
Has anyone had this problem and solved it?