21

I am trying to run an automated xcodebuild on Jenkins, but I am running into the error

    User interaction is not allowed. Command /usr/bin/codesign failed with exit code 1

I have already referenced "User interaction is not allowed" trying to sign an OSX app using codesign and other similar threads, but none of the solutions seem to properly remedy the error.


Here is what I've already tried:

  • I have allowed all items to access the keychain, and I have specifically added codesign to the "always allow" list (as done here https://stackoverflow.com/a/22637896)

  • I have set the keychain to not automatically lock with a timeout, both through Keychain Access's settings, and through the command

    security set-keychain-settings -t 3600 -l <KEYCHAIN>
    
  • I have tried calling

    codesign --sign <CODE SIGN IDENTITY> --force ...
    

    before the project compiles (more specifically, this solution https://stackoverflow.com/a/20208104), and although this successfully builds the project I don't think that codesigning before compiling is correct or reliable. (edit: this also failed when run from jenkins)


Here are the commands I am executing:

    security unlock-keychain -p <PASSWORD> <KEYCHAIN>
    xcodebuild -scheme <SCHEME> -workspace <WORKSPACE> -derivedDataPath <BUILD DIRECTORY> -configuration <CONFIGURATION> "CONFIGURATION_BUILD_DIR=<BUILD DIRECTORY>" "CODE_SIGN_IDENTITY=<CODE SIGN ID>" "PROVISIONING_PROFILE=<PROVISIONING PROFILE>" clean build

Something interesting to note is that building the project on the machine works with the commands above, but trying to run the exact same commands over ssh (and jenkins) causes the error.


Thanks in advance for your help!

reyes20
  • Has jenkins access to `/usr/bin/codesign`? – Opal Oct 21 '14 at 05:23
  • yes it does have access – reyes20 Oct 21 '14 at 16:27
  • No other idea :/ Some time ago I was developing a CI tool for iOS projects and codesigning was a nightmare. – Opal Oct 21 '14 at 16:30
  • You can find a solution here: http://stackoverflow.com/questions/20205162/user-interaction-is-not-allowed-trying-to-sign-an-osx-app-using-codesign – kazerm Oct 21 '14 at 20:46
  • I mentioned in my post above that I have already tried those solutions. – reyes20 Oct 21 '14 at 21:23
  • I just solved a similar problem. After trying everything (unlocking, setting timeouts etc) I sudo su into that ssh user and tried to emulate exactly the same flow and eventually a keychain pop up showed up (Allow, Always allow, Deny), after choosing "Always allow" it finally works now. My setup involves a dumb slave OSX machine which the master jenkins (linux) uses through ssh to build IOS apps. – Dmitry Fink Dec 19 '14 at 00:34
  • See http://stackoverflow.com/a/20208104/1285846 for another good answer – Danny Schoemann Aug 04 '15 at 15:31

6 Answers

16

Just in case anyone missed it. The answer in the linked question resolves the issue. Basically you need to run `security -v unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"`. I run this before the build and the codesign succeeds.

momo
  • Worked for me, this was only needed if you run as a service for me – Alon Jun 27 '17 at 12:49
  • Use `security list-keychains` to figure out which keychain you want to unlock. Normally it should be `"~/Library/Keychains/login.keychain-db"` – rpstw Sep 30 '19 at 10:53
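
The unlock-before-build flow from this answer and the question, as an added example (not code from any poster): a pre-flight that unlocks the keychain inside the same ssh/Jenkins session as the build, pauses `set -x` tracing so the password does not land in the build log, and confirms the signing identity is visible before `xcodebuild` runs. `KEYCHAIN_PASSWORD` is assumed to be injected by the job; the function names and return codes are made up for illustration.

```shell
#!/bin/bash
# Added example, not from the thread. Function names and return codes are
# illustrative. Assumes KEYCHAIN_PASSWORD comes from the CI job's secret store.

# Unlock inside the session that will run the build (ssh / Jenkins agent).
unlock_build_keychain() {
    local keychain="$1" traced=0 rc
    [ -n "${KEYCHAIN_PASSWORD:-}" ] || { echo "KEYCHAIN_PASSWORD is not set" >&2; return 2; }
    # CI shell steps often run with xtrace on; pause it so the password
    # is not echoed into the build log.
    case $- in *x*) traced=1; set +x ;; esac
    security -v unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain"
    rc=$?
    [ "$traced" -eq 1 ] && set -x
    [ "$rc" -eq 0 ] || { echo "unlock failed for $keychain" >&2; return 3; }
    # Same settings as in the question: keep it unlocked for the build.
    security set-keychain-settings -t 3600 -l "$keychain" || return 4
}

# Confirm the keychain is on this user's search list and holds a valid
# code-signing identity whose name contains the second argument.
check_signing_identity() {
    local keychain="$1" identity="$2"
    security list-keychains | grep -qF "$keychain" \
        || { echo "$keychain is not in the search list" >&2; return 5; }
    security find-identity -v -p codesigning "$keychain" | grep -qF "$identity" \
        || { echo "no valid identity matching '$identity'" >&2; return 6; }
}

# Run both steps; the return code tells the job log which one failed.
preflight() {
    unlock_build_keychain "$1" && check_signing_identity "$1" "$2"
}

# Usage in the job, before the xcodebuild line from the question:
#   preflight "$KEYCHAIN" "$CODE_SIGN_ID" || exit 1
```
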
14

SSH is not supported by Apple to run automated builds as they are headless, so running via SSH could be the issue here:

The context provided by LaunchDaemons is not supported for running GUI applications. The SSH service, and the default setup for Jenkins, are both implemented as LaunchDaemons. In earlier versions of Xcode 5 xcodebuild could run tests on the iOS simulator in this context, but that was never a supported configuration, and as you have noted that is no longer working as of Xcode 6.

Unlike LaunchDaemons, LaunchAgents provide a context where you can run GUI applications - if the user is logged in at the time, with a window server / Aqua session. Converting your Jenkins configuration from being a LaunchDaemon to being a LaunchAgent would avoid the reported issue. You can also use launchd for running tests on the iOS simulator from a SSH session, either by crafting a LaunchAgent and manually loading / starting that, or by using "launchctl submit".

Have you tried using a web agent instead?

Michael Loo
  • Spent almost an hour and a half trying to get my build script working by ssh'ing into my build server. Checked in my code and ran the script through the web UI and successful build ... saved me God knows how many more painful attempts. Thanks. – Taz Nov 11 '15 at 10:52
9

Put your keys in the System keychain instead of Login/iCloud/Local Items.

Alistra
  • This is actually very good advice, as it requires neither exporting passwords to variables nor finding where the correct keychain resides. – igraczech Mar 11 '16 at 13:45
  • I was hitting the same error, but I was already using the system keychain. Turns out the prompt was for a missing certificate passphrase. It helps to open an interactive session just to see what the prompt is asking for, even if that's not your final solution. – Carl Walsh Nov 19 '20 at 01:22
3

Install the Xcode plugin here: https://wiki.jenkins-ci.org/display/JENKINS/Xcode+Plugin

Choose the option to unlock the keychain and supply the path to the keychain. e.g. ${HOME}/Library/Keychains/login.keychain

Make sure you set the $HOME environment variable. From experience it's just easier to have the machine login as a user just like a developer would.

shim
Vincil Bishop
1

I've been through this problem with Jenkins Xcode plugin.

I just check "Unlock Keychain?" in "Xcode - Code signing & OS X keychain options" to make my build run.


Jan ATAC
0

The automated build (Jenkins w/remote SSH), which uses productsign, worked well until we upgraded the build box from Yosemite to Sierra.

productsign[4065:51711] Error configuring RSA signing: User interaction is not allowed. (-25308)

We tried different solutions found on SO, but none worked.

Eventually, I fixed it by doing the following:

  1. Open Keychain, go to Preferences
  2. Click 'Reset my Default Keychain'
  3. Message 'operation not permitted' or similar shows up
    • Error did not make any sense since user is administrator
    • login keychain gets removed, but not re-created.
  4. Logout and login again
    • new login keychain appears
    • productsign works again (through automated build)

Please note our 'Developer ID Installer: ACME, Inc (12345ABCDE)' certificate is in the System keychain.

David Bertrand