I am having an issue with GitHub Actions. When I call productsign the job just hangs. When searching the internet it seems that the job tries to ask the user for a password, but I do not get any errors or feedback from the logs. The job just hangs forever. When run on my own computer everything works as expected and the .pkg is signed.
My step in the workflow is as follows:

- name: Build & Sign Installer
  run: |
    export LC_ALL=en_US.UTF-8
    export LANG=en_US.UTF-8
    (cd fastlane && ./decrypt_secret.sh)
    carthage update --use-xcframeworks --platform macOS
    bundle exec fastlane set_release_version
    bundle exec fastlane mac install_certificates
    bundle exec fastlane mac build_main_app
    bundle exec fastlane mac build_updater
    bundle exec fastlane mac build_installer
    (cd installer && productsign --sign <identity> app-1.0.0.pkg app-1.0.0-signed.pkg)
I have tried a lot of different solutions, but nothing works:
security import ${P12_FILE} -k ${KEYCHAIN_PATH} -P ${P12_PASSWORD} -A
security import ${P12_FILE} -k ${KEYCHAIN_PATH} -P ${P12_PASSWORD} -T /usr/bin/productsign
Setting partition list using security set-key-partition-list
creating a new keychain / unlocking keychain
Switched to use the --sign param on productbuild (also hangs when --sign added)
Manually imported the certificate without fastlane match at all
I think any other solution found on google
Any ideas? Is this a bug in GitHub Actions?
Ok, we finally figured it out. The solution is to create a tmp keychain, set it as the default and configure some attributes. This makes sure codesign and productsign can access it without being prompted for a password.
Setup Tmp Keychain
# default again user login keychain
security list-keychains -d user -s login.keychain
# Create temp keychain
security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
# Append temp keychain to the user domain
security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed 's/"//g')
# Remove relock timeout
security set-keychain-settings "$MY_KEYCHAIN"
# Unlock keychain
security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
# Add certificate to keychain
security import "$CERT" -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" -A -T "/usr/bin/codesign" -T "/usr/bin/productsign"
# Enable codesigning from a non user interactive shell
security set-key-partition-list -S apple-tool:,apple:, -s -k "$MY_KEYCHAIN_PASSWORD" -D "${IDENTITY_CERTIFICATE}" -t private "$MY_KEYCHAIN"
Clean up Keychain
# Delete temporary keychain
security delete-keychain "$MY_KEYCHAIN"
# default again user login keychain
security list-keychains -d user -s login.keychain
Related
This is somewhat of a duplicate of "security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission" and "After set-key-partition-list codesign still prompts for key access",
where the problem is the same but none of the solutions work. The "solutions" are described here:
https://developer.apple.com/forums/thread/132458
in particular,
security set-key-partition-list -S apple-tool:,apple: -s -k <keychain password> <keychain name>
seems to work for many, but for me it just lists the keychains and attributes, for example:
keychain: "/Users/me/Library/Keychains/login.keychain-db"
version: 512
class: 0x0000000F
attributes:
// attributes
when I run the code sign command:
codesign -s <cert> --force --timestamp --options runtime --entitlements <entitlements>
the prompt still appears.
How can I get this prompt to not appear? I need this solution to also work in GitHub Actions, so I can't just click "Always allow".
I'm trying to create a simple Makefile command in order to install a self-signed certificate for local development of an Angular app.
When I do this manually (by double-clicking on the certificate file, then opening a detail of it and setting everything to Always Trust) it works perfectly. On the other hand, the following command should do the same without any manual action, and as a matter of fact, it does (at least I couldn't find any difference in certificate details).
security add-trusted-cert -d -r trustRoot -k "/Users/${USER}/Library/Keychains/login.keychain" certificates/local.angular.domain.crt
I also tried it with a sudo command (the only difference when using sudo is that it doesn't open the native popup for password, which I prefer as the user can authenticate using a fingerprint).
Here's my whole Makefile command:

install-certificate:
	# generate certificate
	git clone https://github.com/RubenVermeulen/generate-trusted-ssl-certificate.git
	cd generate-trusted-ssl-certificate && \
		sed -i.backup 's/CN.*/CN = local\.angular\.domain/g' ./openssl-custom.cnf && \
		sed -i.backup 's/DNS\.1.*/DNS\.1 = \*\.local\.angular\.domain/g' ./openssl-custom.cnf && \
		sed -i.backup 's/DNS\.2.*/DNS\.2 = local\.angular\.domain/g' ./openssl-custom.cnf && \
		bash generate.sh
	mkdir -p certificates
	mv generate-trusted-ssl-certificate/server.key certificates/local.angular.domain.key
	mv generate-trusted-ssl-certificate/server.crt certificates/local.angular.domain.crt
	rm -rf generate-trusted-ssl-certificate
	# add certificate as trusted
	security add-trusted-cert -d -r trustRoot -k "/Users/${USER}/Library/Keychains/login.keychain" certificates/local.angular.domain.crt
	grep -qxF '127.0.0.1 local.angular.domain' /etc/hosts || sudo -- sh -c "echo '127.0.0.1 local.angular.domain' >> /etc/hosts"
	# clear DNS cache
	sudo dscacheutil -flushcache
	sudo killall -HUP mDNSResponder
This should be relatively easy to replicate as it generates the certificate itself and cleans up afterwards. It might be worth mentioning that the Angular app runs on port 4200 (https://local.angular.domain:4200), which works smoothly when the certificate is added manually. When it is added by the above command it shows NET::ERR_CERT_AUTHORITY_INVALID. When I opened both certificates' details in Chrome, they are the same. Thank you for any advice.
The web server needs the certificate as well as the associated private key.
But it looks like the command security add-trusted-cert does not import the private key (the .key file). You should consider using security import.
How do you force delete an expired certificate via the terminal or Keychain Access on a Mac OS X environment?
I have followed instructions to use these commands:
$ sudo /usr/bin/security find-certificate -a -Z -c "Ricardo" | grep SHA-1
SHA-1 hash: E255796FF19E4BB84C576BF9DF7CDD6D85E5E3E3
SHA-1 hash: EA874FE7A139F7209BE90DDEF52988C5CE046097
SHA-1 hash: 17115A26F95F98B70493015F1BCAFB23AAB051CB
$ sudo security delete-certificate -Z 17115A26F95F98B70493015F1BCAFB23AAB051CB /System/Library/Keychains/SystemRootCertificates.keychain
Unable to delete certificate matching "17115A26F95F98B70493015F1BCAFB23AAB051CB"
I tried using -c as well:
$ sudo security delete-certificate -c -f "Ricardo" /System/Library/Keychains/SystemRootCertificates.keychain
Unable to delete certificate matching
"17115A26F95F98B70493015F1BCAFB23AAB051CB"
Thank you.
I have generated a certificate in pfx format on Mac OS X and imported it into the system keychain using:
sudo security import server.pfx -k /Library/Keychains/System.keychain -P foobar
The problem is that all trust settings are set to "no value specified".
How can I set the trust for code signing to "Always Trust" using the command line?
Here's what worked for me; it's very close to that traveling beard's answer. I'm using trustAsRoot instead of trustRoot.
With this change, in Keychain Access my cert now has "Always Trust" set. When I used trustRoot, the cert was added but with "Use System Default" set, and the system default is to Never Trust.
sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain <certfile>
NOTE: sudo will prompt for a password on the command line and the GUI will also prompt.
Nice, now I can import a dev cert on the command line with only a sudo passwd and not have to open that GUI!!
The -p option may be what you need. It can be specified more than once, once for each of the settings. I wish I knew how to deny one specific item while trusting another all on the same line.
sudo security add-trusted-cert -d -r trustRoot -p [option] -k /Library/Keychains/System.keychain <certificate>
The -p options are: ssl, smime, codeSign, IPSec, iChat, basic, swUpdate, pkgSign, pkinitClient, pkinitServer, timestamping, eap
I need to add a .keychain file to my keychain search list for some automated build tools. Currently I'm using the security list-keychains command:
list-keychains [-h] [-d user|system|common|dynamic] [-s [keychain...]]
Display or manipulate the keychain search list.
This command lets you set the entire keychain search list, but it does not provide a way to simply add another keychain. So adding a keychain becomes a 2-step process:
1. Run list-keychains and parse the output
2. Then do something like list-keychains -s ${existing_chains} ${new_keychain}
While this works, it seems overly complicated and introduces a race condition.
Also, it seems like open my.keychain will add it to the search list, but I tend to avoid using commands like open in scripting or headless environments.
Is there a simpler or better way to add a keychain to the search list?
A one-line version of @mles's solution above:
security list-keychains -d user -s $(security list-keychains -d user | sed -e s/\"//g) <new keychain>
The issue with directly piping in the output of security list-keychains -d user is that it surrounds the results with quotes. The solution uses sed to strip them out.
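The same quote-stripping step appears in the temporary-keychain answer further up and in this one-liner; here it is as a reusable helper. This is an added example, not code from any of the posts: it assumes the output format of security list-keychains -d user (one indented, double-quoted path per line), the function names build_search_list and add_keychain_to_search_list are chosen here, and it also drops duplicates and keeps paths with spaces intact, which the unquoted $(...) form does not.

```shell
# Added example (not from any answer above): build a new keychain search
# list from the current one. `security list-keychains` prints every path
# indented and wrapped in double quotes, which is why its output cannot be
# passed straight back to `list-keychains -s`. This strips the quotes, drops
# blank lines and any existing copy of the new keychain, and appends the new
# keychain last, so re-running it in a retried CI step never duplicates an
# entry. Reads the raw list on stdin; $1 is the keychain path to add.
build_search_list() {
    awk -v new="$1" '
        { sub(/^[[:space:]]*"/, ""); sub(/"[[:space:]]*$/, "") }
        $0 == "" || $0 == new { next }
        { print }
        END { print new }'
}

# Apply the rebuilt list. NUL-delimiting it into xargs keeps paths that
# contain spaces (e.g. a user named "Jane Doe") as single arguments, which
# the unquoted $(security list-keychains ...) form in the answers splits.
add_keychain_to_search_list() {
    security list-keychains -d user \
      | build_search_list "$1" \
      | tr '\n' '\0' \
      | xargs -0 security list-keychains -d user -s
}
```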
It's 2017 and on macOS 10.12.4 security create-keychain still does not add a new keychain to the search list. Here's my script to add and destroy temporary keychains step by step:
#!/bin/bash -e
uuid="$(uuidgen)"
echo "New Keychain name: $uuid"
keychains=$(security list-keychains -d user)
keychainNames=();
for keychain in $keychains
do
    # list-keychains output is quoted, so the last 4 characters are the
    # "-db" suffix plus the closing quote; drop them to get the keychain name
    basename=$(basename "$keychain")
    keychainName=${basename::${#basename}-4}
    keychainNames+=("$keychainName")
done
echo "User keychains on this machine: ${keychainNames[@]}";
read -p "Enter to create keychain"
security -v create-keychain -p test123 $uuid
read -p "Enter to add keychain to searchlist"
security -v list-keychains -s "${keychainNames[@]}" $uuid
read -p "Enter to unlock keychain"
security -v unlock-keychain -p test123 $uuid
read -p "Enter to import certificate"
security -v import build-assets/certficate.p12 -k $uuid -P certificate_password
read -p "Enter to delete keychain"
security -v delete-keychain $uuid
Which automated tools are you using? I had a similar problem with building for iPhone using Jenkins under Tomcat. I tried adding keychains in the shell script, but it proved very flaky at best.
In the end, I worked around the problem by switching our build process to run via LaunchAgents instead of LaunchDaemons. This way the build tools run in the user context and things have become a lot more reliable.
Is this a possibility for you? If so, I can provide more detail.
There is NOT a better way that I'm aware of; however, it appears that create-keychain may do what you want:
security create-keychain -h
returns:
Usage: create-keychain [-P] [-p password] [keychains...]
-p Use "password" as the password for the keychains being created
-P Prompt the user for a password using the SecurityAgent
Use of the -p option is insecure
Create keychains and add them to the search list.