Mac OSX Keychain Certificates Force Delete? Expired Certificates - macos

How do you force delete via terminal or keychain access an expired certificate on a Mac OSX environment?
I have followed instructions to use these commands:
$sudo /usr/bin/security find-certificate -a -Z -c "Ricardo" |grep SHA-1
SHA-1 hash: E255796FF19E4BB84C576BF9DF7CDD6D85E5E3E3
SHA-1 hash: EA874FE7A139F7209BE90DDEF52988C5CE046097
SHA-1 hash: 17115A26F95F98B70493015F1BCAFB23AAB051CB
$sudo security delete-certificate -Z 17115A26F95F98B70493015F1BCAFB23AAB051CB /System/Library/Keychains/SystemRootCertificates.keychain
Unable to delete certificate matching "17115A26F95F98B70493015F1BCAFB23AAB051CB"
I tried using -c as well:
$sudo security delete-certificate -c -f "Ricardo" /System/Library/Keychains/SystemRootCertificates.keychain
Unable to delete certificate matching
"17115A26F95F98B70493015F1BCAFB23AAB051CB"
Thank you.
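To see which of the three hashes from find-certificate belongs to the expired certificate before passing one to delete-certificate -Z, the following added example (not from the question, and not part of Apple's security tool) parses the PEM dump that `security find-certificate -a -p -c "Ricardo"` prints, reads each certificate's notAfter field with a small DER walker and reports the SHA-1 fingerprint in the same form that -Z displays. The two embedded certificates are constructed stand-ins so the script runs offline; the keychain path in the usage note is an assumption.

```python
import hashlib
import re
import ssl
from datetime import datetime, timezone

# Constructed sample standing in for `security find-certificate -a -p` output: two minimal
# DER certificates (fake bodies, unsigned), one expired in 2021, one far-future GeneralizedTime.
def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length is enough for the sample

def _fake_cert(before, after):
    t = 0x17 if len(after) == 13 else 0x18  # UTCTime vs GeneralizedTime
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")  # version, serial
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sigAlg
           + _der(0x30, b"")  # empty issuer
           + _der(0x30, _der(t, before) + _der(t, after)))  # validity
    return ssl.DER_cert_to_PEM_cert(_der(0x30, _der(0x30, tbs)))

SAMPLE_PEM = (_fake_cert(b"200101000000Z", b"210101000000Z")
              + _fake_cert(b"20200101000000Z", b"99991231235959Z"))

def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime."""
    _, cert, _ = _tlv(der)
    _, tbs, _ = _tlv(cert)
    tag, _, pos = _tlv(tbs)
    pos = pos if tag == 0xA0 else 0  # [0] EXPLICIT version is optional (absent in v1)
    for _ in range(3):  # serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    _, validity, _ = _tlv(tbs, pos)
    _, _, pos = _tlv(validity)  # notBefore
    tag, t, _ = _tlv(validity, pos)  # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(t.decode(), fmt).replace(tzinfo=timezone.utc)

def expired_fingerprints(pem_dump, now=None):
    """SHA-1 fingerprint (as `security find-certificate -Z` prints it) -> notAfter, expired only."""
    now = now or datetime.now(timezone.utc)
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem_dump, re.S)
    ders = [ssl.PEM_cert_to_DER_cert(b) for b in blocks]
    return {hashlib.sha1(d).hexdigest().upper(): exp for d in ders if (exp := not_after(d)) < now}
```

On a Mac, feed `expired_fingerprints` the output of `security find-certificate -a -p -c "Ricardo"` and pass each reported fingerprint to `security delete-certificate -Z <hash> ~/Library/Keychains/login.keychain`; the System Roots keychain targeted in the question lives under /System, which is read-only under System Integrity Protection, so deletions there fail regardless of the hash.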

GitHub Actions: productsign hangs

I am having an issue with GitHub Actions. When I call productsign the job just hangs. When searching the internet, it seems that the job tries to ask the user for a password, but I do not get any errors or feedback from the logs. The job just hangs forever. When run on my own computer everything works as expected and the .pkg is signed.
My step in the workflow is as follows:
- name: Build & Sign Installer
  run: |
    export LC_ALL=en_US.UTF-8
    export LANG=en_US.UTF-8
    (cd fastlane && ./decrypt_secret.sh)
    carthage update --use-xcframeworks --platform macOS
    bundle exec fastlane set_release_version
    bundle exec fastlane mac install_certificates
    bundle exec fastlane mac build_main_app
    bundle exec fastlane mac build_updater
    bundle exec fastlane mac build_installer
    (cd installer && productsign --sign <identity> app-1.0.0.pkg app-1.0.0-signed.pkg)
I have tried a lot of different solutions, but nothing works:
security import ${P12_FILE} -k ${KEYCHAIN_PATH} -P ${P12_PASSWORD} -A
security import ${P12_FILE} -k ${KEYCHAIN_PATH} -P ${P12_PASSWORD} -T /usr/bin/productsign
Setting partition list using security set-key-partition-list
creating a new keychain / unlocking keychain
Switched to use the --sign param on productbuild (also hangs when --sign added)
Manually imported the certificate without fastlane match at all
and I think any other solution found on Google
Any ideas? Is this a bug in GitHub Actions?
Ok, we finally figured it out. The solution is to create a tmp keychain, set it as default and configure some attributes. This makes sure codesign and productsign can access it without being prompted for a password.
Setup Tmp Keychain
# default again user login keychain
security list-keychains -d user -s login.keychain
# Create temp keychain
security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
# Append temp keychain to the user domain
security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed s/\"//g)
# Remove relock timeout
security set-keychain-settings "$MY_KEYCHAIN"
# Unlock keychain
security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
# Add certificate to keychain
security import $CERT -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" -A -T "/usr/bin/codesign" -T "/usr/bin/productsign"
# Enable codesigning from a non user interactive shell
security set-key-partition-list -S apple-tool:,apple:, -s -k $MY_KEYCHAIN_PASSWORD -D "${IDENTITY_CERTIFICATE}" -t private $MY_KEYCHAIN
Clean up Keychain
# Delete temporary keychain
security delete-keychain "$MY_KEYCHAIN"
# default again user login keychain
security list-keychains -d user -s login.keychain

'Enter PIN for authenticator' Issue related to SSH

Brief
I attempted to generate an SSH key for my GitHub on a MacBook Pro. Yet I encountered the 'Enter PIN for authenticator' issue when I progressed to the step of adding it to the ssh-agent. The bizarre prompt comes from the following command:
$ ssh-add -K ~/.ssh/id_rsa
Enter PIN for authenticator:
and I have no idea what I should type in response to it. Yet when I typed the following command, everything just worked as this page revealed.
$ /usr/bin/ssh-add -K ~/.ssh/id_rsa
Identity added: /Users/${user_name}/.ssh/id_rsa (your_email@example.com)
Why does this kind of difference exist? What exactly do you need to type at the 'Enter PIN for authenticator:' prompt?
Some Info
version information
$ ssh -V
OpenSSH_8.3p1, OpenSSL 1.1.1g 21 Apr 2020
$ sw_vers -productVersion
10.15.6
I generated the key with the ed25519 algorithm.
If you use this command
$ ssh-add -K ~/.ssh/id_rsa
you will be asked to enter the PIN for authentication,
so instead of that use
$ ssh-add ~/.ssh/id_rsa
You have a second (Brew-installed?) ssh-add in your shell's $PATH which is not the same as the Apple version. In the Apple version -K stores the password in your keychain, so you don't have to type it every time. In the non-Apple version -K "Loads resident keys from a FIDO authenticator."
The ssh-add at:
/usr/bin/ssh-add
is the Apple provided one, and will work with -K.
Update for macOS Monterey (v12)
The -K and -A flags are deprecated and have been replaced by the --apple-use-keychain and --apple-load-keychain flags, respectively.
I have seen on https://www.ssh.com/academy/ssh/add that if we use -k (small k) then it asks for the passphrase which I added during SSH key generation.
For instance, my passphrase while creating the SSH key was Pass#123#
After that, when I execute the command
$ssh-add -k ~/.ssh/id_rsa
Enter passphrase for ~/.ssh/id_rsa: (typed here - Pass#123# and press enter)
Identity added: ~/.ssh/id_rsa (xxxxxxx@xxxx.com)
As specified by the ssh-add man page, the -K option is:
-K Load resident keys from a FIDO authenticator.
so you basically tell it to use an authenticator.

Adding self-signed certificate as trusted in macOS doesn't work properly

I'm trying to create a simple Makefile command in order to install a self-signed certificate for local development of an Angular app.
When I do this manually (by double-clicking on the certificate file, then opening a detail of it and setting everything to Always Trust) it works perfectly. On the other hand, the following command should do the same without any manual action, and as a matter of fact, it does (at least I couldn't find any difference in certificate details).
security add-trusted-cert -d -r trustRoot -k "/Users/${USER}/Library/Keychains/login.keychain" certificates/local.angular.domain.crt
I also tried it with a sudo command (the only difference when using sudo is that it doesn't open the native popup for password, which I prefer as the user can authenticate using a fingerprint).
Here's my whole Makefile command:
install-certificate:
	# generate certificate
	git clone https://github.com/RubenVermeulen/generate-trusted-ssl-certificate.git
	cd generate-trusted-ssl-certificate && \
	sed -i.backup 's/CN.*/CN = local\.angular\.domain/g' ./openssl-custom.cnf && \
	sed -i.backup 's/DNS\.1.*/DNS\.1 = \*\.local\.angular\.domain/g' ./openssl-custom.cnf && \
	sed -i.backup 's/DNS\.2.*/DNS\.2 = local\.angular\.domain/g' ./openssl-custom.cnf && \
	bash generate.sh
	mkdir -p certificates
	mv generate-trusted-ssl-certificate/server.key certificates/local.angular.domain.key
	mv generate-trusted-ssl-certificate/server.crt certificates/local.angular.domain.crt
	rm -rf generate-trusted-ssl-certificate
	# add certificate as trusted
	security add-trusted-cert -d -r trustRoot -k "/Users/${USER}/Library/Keychains/login.keychain" certificates/local.angular.domain.crt
	grep -qxF '127.0.0.1 local.angular.domain' /etc/hosts || sudo -- sh -c "echo '127.0.0.1 local.angular.domain' >> /etc/hosts"
	# clear DNS cache
	sudo dscacheutil -flushcache
	sudo killall -HUP mDNSResponder
This should be relatively easy to replicate as it generates the certificate itself and cleans up afterwards. It might be worth mentioning that the Angular app runs on port 4200 (https://local.angular.domain:4200), which works smoothly when the certificate is added manually. When added by the above command it shows NET::ERR_CERT_AUTHORITY_INVALID. When I opened both certificates' details in Chrome, they were the same. Thank you for any advice.
The web server needs the certificate as well as the associated private key.
But it looks like the command security add-trusted-cert does not import the private key (the .key file). You should consider using security import.

ssh other macbook and `security find-identity -p codesigning -v` no permissions

When I ssh into the MacBook as the root user and run
security find-identity -p codesigning -v
I get
0 valid identities found
But when I run the following directly on the MacBook
security find-identity -p codesigning -v
It shows all identities.
I read this SO question but still can't solve it.
How can I show all identities over ssh on the MacBook?
I found that you should log in to the remote machine with an ssh private key, like ssh -i /path/to/your/id_rsa root@remote.com. Then you have permission to access all security data.

Set imported certificate to always be trusted in Mac OS X

I have generated a certificate in pfx format in Mac OS X and imported it into the system keychain using:
sudo security import server.pfx -k /Library/Keychains/System.keychain -P foobar
The problem is that all trusts are set to "no value specified".
How can I set trust for code signing to Always Trust using the command line?
Here's what worked for me; it's very close to traveling beard's answer. I'm using trustAsRoot instead of trustRoot.
With this change, in the Keychain Viewer, my cert now has "Always Trust" set. When I used trustRoot, the cert was added but with "Use System Default" set, and the system default is to Never Trust.
sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain <certfile>
NOTE: The sudo will prompt for a password on the command line and the GUI will also prompt.
Nice, now I can import a dev cert on the command line with only a sudo passwd and not have to open that GUI!!
The -p option may be what you need. It can be specified more than once for each of the settings. I wish I knew how to deny one specific item while trusting another all in the same line.
sudo security add-trusted-cert -d -r trustRoot -p [option] -k /Library/Keychains/System.keychain <certificate>
-p options are ssl, smime, codeSign, IPSec, iChat, basic, swUpdate, pkgSign, pkinitClient, pkinitServer, timestamping, eap