When signing an app from an ssh terminal session, I am getting the following error:
productsign[29321:707] SignData failed: CSSMERR_CSP_NO_USER_INTERACTION (-2147415840)
productsign was working until recently.
How do I get around this error?
Asked
Active
Viewed 4,851 times
10
Danny Schoemann
- 1,270
- 26
- 41
4 Answers
7
I solved it by accident - after combing the web for hours - while reproducing the steps when filing an incident report with Apple Support.
From the Mac (as opposed to from an ssh session) the same command generated a popup asking for permission to access the Keychain.
After choosing "Always Allow" the problem went away. Forever.
Danny Schoemann
- 1,270
- 26
- 41
-
This could be an issue if you are trying to sign a package and you are accessing the mac machine via ssh. – bikram990 Aug 16 '13 at 09:45
-
@bikram990 -precisely! That's what caused the problem - and is the solution. – Danny Schoemann Aug 19 '13 at 11:21
5
try to unlock keychain from this terminal:
security -v unlock-keychain -p "<Password>" "/Users/<UserName>/Library/Keychains/login.keychain"
lexa-b
- 1,759
- 15
- 15
4
You can actually fix this error. When you are in productsign you are using the Developer ID Installer certificate and generally suggests that it doesn't have access to Private key for signing where it fails with this error.
To fix this goto
- Keychain Access->Click on the Little Triangle Arrow (>) in front of "Developer ID Installer" certificate under login keychain or your appropriate keychain.
- Double click on the Private Key
- Click on "Access Control" tab
- Select "Allow all applications to access this item"
Now try productsign from commandline again, it should work.
Rohit Sharma
- 41
- 2
3
Based on Danny Schoemann's answer and my own research I found complete solution for me:
You really need login to your mac machine using GUI, first time, and sign anything with the certificate that you need. Then you will get request window with available option "Always allow" to use this certificate (or smth like that).
- Important: if you need to use productsign with ssh or other console session (like Jenkins), your certificate must by installed into system scope, but not into user scope.
- Important: if you need to use productsign with ssh or other console session (like Jenkins), your certificate must by installed into system scope, but not into user scope.
If you need to keep your certificate in user scope, you need to unlock your keychain every time in console session when you need to sign something (as Alex wrote):
security -v unlock-keychain -p "Password" /Users/<UserName>/Library/Keychains/login.keychain"You may put it into you build script.
Obvious minus of this solution - you need to store your password in some unencrypted script, that is insecure, so I prefer first solution.
-
1I also had to add the `--keychain` parameter to `productsign`, otherwise it would try to open the login keychain and fail with `CSSMERR_CSP_NO_USER_INTERACTION`. – UrOni Jun 13 '16 at 13:54