modify per-application access control for private key via command line? - xcode

I have a cert in a key chain that contains a private key. I'd like to add an application to the access control "white list" for that key. I know how to do this using the graphical key chain tool, but I'd like to do it via the command line as part of an Xcode build script.
From what I can tell the "security" command is the way to manipulate key chains at the command line, but I can't figure out from the man page how I'd go about accomplishing this task.
For completeness, here's exactly what I do in the key chain tool that I'd like to do via the command line:
Click the cert to show its private key.
Right-click the private key and select the "Get Info" menu item.
Click the "Access Control" tab.
Click the "+" button to add an application to the white list.
Select the application (in my case Xcode) and click "Add".
I might also be interested in how to allow access to all applications.

I don't think there is any way from security to do this after the key was imported. However, if you're importing the key for the first time, you can use the -T flag:
-T Specify an application which may access the imported key
(multiple -T options are allowed)
So in my case I was able to do this:
security import my.key -P mypassword -T /usr/bin/pkgbuild
And everything worked!

Disclaimer
To be honest, this is probably not the best place to post this... but I stumbled onto this (and several other) entries with more or less the same problem. See also https://stackoverflow.com/a/34388302/359100. But since I found a solution which could help other people who try to change access control for a private key in Keychain via a remote session, my solution could help...
Because for me importing via CLI did not work (using -T or -A). I always got that popup regarding access from Keychain.
BTW: If you know a better SO answer where this belongs... please let me know or move it there...
Solution
Create a Keychain on your local machine. E.g. name it apple-development[.keychain]. Add there your private keys and assign necessary access control (best: "Allow all ..."). Now copy that keychain to your remote Mac and add it there via Keychain application (File / Add Keychain...). For CI you maybe do something like this:
security unlock-keychain -p YOUR-KEYCHAIN-PASSWORD "${HOME}/apple-development.keychain"

Related

User Preference for "Restore Previous Session" in Firefox About:Config

I would like to set "Restore Previous Session" in Firefox programmatically using user_pref() in a *.js file. What is the key, value pair for this user preference?
Alternatively, is there a way to detect changes to user preferences (e.g., as can be done on Linux with dconf watch / gsettings)? I have diffed the prefs.js file before and after manually selecting "Restore Previous Session" in the GUI, but do not see a corresponding change between the prefs.js files.
I resorted to searching the Firefox source code at https://github.com/mozilla/gecko-dev for "Restore previous session" since my typical Google searches were not turning anything up. From the source code results, I was able to infer the correct key/value pair as
user_pref("browser.startup.page", 3);
This was confirmed by http://kb.mozillazine.org/Browser.startup.page after additional Google searching on this key/value pair. (It also showed up in the prefs.js diffs but was not obvious due to the key's cryptic name.)

Repeated Popup: Xcode wants to access key "com.apple.dt.XcodeDeviceMonitor" in your keychain

Starting in MacOS Sierra, I've started to get this popup periodically from XCode, even after pressing 'Always Allow'.
I've tried deleting the "com.apple.dt.XcodeDeviceMonitor" item in Keychain. This regenerates the key, but doesn't fix the issue.
It's an open discussion topic on the Apple forums, but no one seems to have a solution.
Posting this solution for Xcode 8 because no one else has:
Open Keychain Access.
Search for XcodeDeviceMonitor.
Drag the item to the System Keychain on left.
Enter admin password.
That finally fixes it.
open [keychain access] > type "xcode" in the search area > double click [com.apple.dt.XcodeDeviceMonitor] > click [access control] > select the first option [allow all applications to access this item]
Don't forget to click Save Changes!
hope it helps.
The following worked for me (running macOS 10.12.1 and XCode 7.3).
Note that the problem with other solutions is that they operate on the (temporary) login keychain entry, which is removed when XCode quits, so a solution appears to be to create the entry in the System keychain instead.
I tried using Keychain Access to move the entry from the login to the System keychain but it failed with various obscure errors (e.g. "An error has occurred. Unable to add an item to the current keychain")
Instead, I used the security command to create a new entry in the System keychain that's (almost) identical to the temporary one.
The only difference is the password which I couldn't be bothered to extract (and I'm unsure whether it's important).
Open Terminal, paste and execute the following command (after suitable editing if XCode isn't in the normal location):
sudo security add-generic-password \
-s 'com.apple.dt.XcodeDeviceMonitor' \
-a session-token \
-p anyoldstring \
-T /Applications/Xcode.app \
-T /Applications/Xcode.app/Contents/Developer/Library/Xcode/Tools/XcodeDeviceMonitor \
/Library/Keychains/System.keychain
Disclaimer - my sole objective here was to prevent the annoying alert.
I've no idea whether this will break anything.
You're messing with the System keychain: what could possibly go wrong ?
I reported this to Apple as a bug and, after several suggestions (the same as some of those mentioned here) that didn't work, they came back with the following, which has worked:
"Sorry about the trouble. We’ll dig a bit more into this. In the mean time, if you don’t need the iCloud gauge, you can temporarily disable it by doing this:
Go to Terminal.app.
Type this in to enable a User Defaults setting:
defaults write com.apple.dt.Xcode iCloudGaugeDisabled -bool YES
Relaunch Xcode "
This issue has popped up again for me this past fall. I think the issue may stem from the security hole that Apple had where the root user account was left without password protection. I reset my password for the root user account (to the same password as it was previously). I didn't notice the relationship at the time, but after reading this support item, I suspected that this could be the issue.
https://support.apple.com/en-us/HT201609
I reset my password for the login keychain (again to the same password) following these steps and the issue has since gone away.
Hope this helps.

productsign error: SignData failed: CSSMERR_CSP_NO_USER_INTERACTION

When signing an app from an ssh terminal session, I am getting the following error:
productsign[29321:707] SignData failed: CSSMERR_CSP_NO_USER_INTERACTION (-2147415840)
productsign was working until recently.
How do I get around this error?
I solved it by accident - after combing the web for hours - while reproducing the steps when filing an incident report with Apple Support.
From the Mac (as opposed to from an ssh session) the same command generated a popup asking for permission to access the Keychain.
After choosing "Always Allow" the problem went away. Forever.
Try to unlock the keychain from this terminal:
security -v unlock-keychain -p "<Password>" "/Users/<UserName>/Library/Keychains/login.keychain"
Based on Danny Schoemann's answer and my own research I found a complete solution for me:
You really need to log in to your Mac using the GUI the first time, and sign anything with the certificate that you need. Then you will get a request window with the option "Always allow" to use this certificate (or something like that).
Important: if you need to use productsign with ssh or another console session (like Jenkins), your certificate must be installed into system scope, not into user scope.
If you need to keep your certificate in user scope, you need to unlock your keychain every time in the console session when you need to sign something (as Alex wrote):
security -v unlock-keychain -p "Password" "/Users/<UserName>/Library/Keychains/login.keychain"
You may put it into your build script.
The obvious downside of this solution is that you need to store your password in an unencrypted script, which is insecure, so I prefer the first solution.
You can actually fix this error. When you run productsign you are using the Developer ID Installer certificate, and this error generally means that productsign doesn't have access to the private key for signing.
To fix this goto
Keychain Access->Click on the Little Triangle Arrow (>) in front of "Developer ID Installer" certificate under login keychain or your appropriate keychain.
Double click on the Private Key
Click on "Access Control" tab
Select "Allow all applications to access this item"
Now try productsign from commandline again, it should work.
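The accepted approaches on this page all come down to the same sequence: give the key a per-application list at import time (the -T answer to the original build-script question), and keep the keychain unlocked in the ssh/Jenkins session (the unlock-keychain lines in the "Solution" post and in the productsign answers above). The script below puts those steps together as an added example; it is not code from any of the posters. It assumes placeholder values for the keychain path, the exported ./signing.p12 and the two passwords, and reads the secrets from environment variables supplied by the CI secret store instead of writing them into the script (the concern raised in the last productsign answer). It also adds one step the answers do not mention: on macOS 10.12 and later the key's partition list (security set-key-partition-list) is a second gate, and without it the prompt returns in headless sessions even when the -T list is right. By default the script only prints the commands it would run, with secrets masked; set DRY_RUN=0 on the Mac to execute them.

```shell
#!/bin/sh
# Added example, not code from the original answers: set up a dedicated keychain
# for a CI/Xcode build so that signing never waits on a GUI "allow access" prompt.
# Assumed placeholders: the keychain path, ./signing.p12 and the two passwords.
# Secrets come from the environment (injected by the CI secret store) rather than
# being written into the script. DRY_RUN=1 (the default) only prints the commands
# with secrets masked; run with DRY_RUN=0 on the Mac to execute them.
set -eu

HOME_DIR="${HOME:-/tmp}"
KEYCHAIN="${KEYCHAIN:-$HOME_DIR/Library/Keychains/ci-signing.keychain-db}"
KEYCHAIN_PASSWORD="${KEYCHAIN_PASSWORD:-CHANGE-ME-keychain-password}"   # placeholder
KEY_FILE="${KEY_FILE:-./signing.p12}"                                    # placeholder
KEY_PASSPHRASE="${KEY_PASSPHRASE:-CHANGE-ME-p12-passphrase}"             # placeholder
# Applications allowed to use the imported key (the "white list" from the question).
# Paths must not contain spaces.
ALLOWED_APPS="${ALLOWED_APPS:-/usr/bin/codesign /usr/bin/productsign /usr/bin/pkgbuild}"
DRY_RUN="${DRY_RUN:-1}"

# run: execute a command, or in dry-run mode print it with both secrets replaced by ***.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    out=""
    for arg in "$@"; do
      case "$arg" in
        "$KEYCHAIN_PASSWORD"|"$KEY_PASSPHRASE") arg='***' ;;
      esac
      out="$out $arg"
    done
    printf '%s\n' "${out# }"
    return 0
  fi
  "$@"
}

# allow_flags: turn a space-separated list of application paths into the repeated
# -T options that `security import` accepts (-A instead would allow every application).
allow_flags() {
  flags=""
  for app in $1; do
    flags="$flags -T $app"
  done
  printf '%s' "${flags# }"
}

setup_keychain() {
  # Create the keychain once, let it stay unlocked for an hour, then unlock it for this job.
  [ -f "$KEYCHAIN" ] || run security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
  run security set-keychain-settings -t 3600 -u "$KEYCHAIN"
  run security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
}

import_key() {
  # Import time is the only point at which `security` lets you set the per-application list.
  # shellcheck disable=SC2046  # word splitting of allow_flags output is intended
  run security import "$KEY_FILE" -k "$KEYCHAIN" -P "$KEY_PASSPHRASE" -f pkcs12 \
      $(allow_flags "$ALLOWED_APPS")
  # macOS 10.12 and later add a second gate (the key's partition list); without this the
  # prompt comes back in ssh/Jenkins sessions even though the -T list is correct.
  run security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
}

register_keychain() {
  # Put the new keychain on the user search list next to login so codesign/productsign
  # find it, then list the usable signing identities as a pre-flight check for the build.
  run security list-keychains -d user -s "$KEYCHAIN" "$HOME_DIR/Library/Keychains/login.keychain-db"
  run security find-identity -v -p codesigning "$KEYCHAIN"
}

setup_keychain
import_key
register_keychain
```

Keeping the signing key in its own keychain rather than in login.keychain means the build only ever unlocks that one keychain, and the -T list limits which binaries can use the key even while it is unlocked; -A would remove that limit and is the command-line equivalent of "Allow all applications" in Keychain Access.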

MacOS X Keychain: Can't set an app as trustworthy

I would like to add an app (STS.app, the SpringSource ToolSuite) to the list of trusted apps for a given password entry within my keychain. The list already contains some apps (svn, Eclipse.app) but I can't add the given STS.app. After I choose that file from the file dialog, the list remains unchanged. I can delete/add other apps, e.g. the mentioned Eclipse.app, but not the STS.app. Both files have equal permissions, but STS.app contains the com.apple.quarantine extended attribute. I can manually remove this extended attribute (why does it exist at all, and why wasn't it removed automatically after the first start after downloading it via Chrome???) but the STS.app still can't be set as a trusted app in the keychain after that. Any suggestions?
Kind regards, Dominik
After experiencing the same problem, I created the keychain item manually and that fixed it for me.
Go to your Mac keychain, click the '+' at the bottom, and then enter your SVN URL, friendly name and password.

how to automate the logins on puttycm?

I got PuttyCM. I need to log in to my devices once and let PuTTY store it; later I can come back and log in automatically without entering the passwords again?
Can you show me the way please?
In addition,
if one device can be reached through other devices, how do I implement that?
You can follow the procedure below (I assume that you have already engaged your PuttyCM with the corresponding putty.exe or equivalent):
Just open any of your desired putty window by telnet or ssh (no need to login)
Right click on that window and click 'Configuration'; a window should pop up for same
In its 'Connection' tab on left side you can see check box called 'Enable Login macro mode'; select that
Now click on the tab 'Login Macro' again on left side; you can see Login / Password etc. fill them correctly (if you want to see the password which you type, you can click an EYE symbol next to it; that makes it visible until clicked again)
Once you login, if you want to enable some 'Post-login command' then check that box too; now you can write commands like 'bash' or 'myscript' etc in those command rows
Click 'OK' and verify by opening new windows (ctrl + u) of same ip addresses
I have not worked with puttycm, but my Putty experience tells me that puttyagent that comes with putty is an answer for your question.
Putty-agent stores any private keys you provide to it and uses them for automated authorization. Private-key can be added by means of standard ssh-agent tools like ssh-add or can be browsed to with GUI.
