24

I'm trying to use the @keychain option with the -p switch in altool in order to load my iTunes Connect password from the keychain:

```
altool --validate-app -f "${IPA}" -u "redacted" -p "@keychain:?????"
```

I'm trying to figure out what I need to enter after @keychain:. Everything I try (path of the keychain file, name of the keychain entry, username in the keychain entry) produces the following error:

```
*** Error: The specified item could not be found in the keychain.
```

altool supplies the following info about the -p param:

```
-p, --password  Password. Required if username specified.  Password is read from stdin if one is not supplied.
                May use @keychain: or @env: prefixes followed by the keychain or environment variable lookup name.
                e.g. -p @env:SECRET which would use the value in the SECRET environment variable.
```
Mike Mertsock

3 Answers

16

Prerequisites:

  • You need an Apple developer account, obviously. That's AC_USERNAME.
  • You need a password for that account. If you have two-factor authentication enabled, you need to create an app-specific password (beyond the scope of this answer). The password is AC_PASSWORD.
  • The keychain item is going to need a name that is referenced via altool's @keychain parameter. We call this ITEM_NAME.

In the instructions below, replace AC_USERNAME, AC_PASSWORD and ITEM_NAME with the values you need. Do not type these names verbatim.

Now:

  1. Create a generic password in your keychain.
    • You can do so via Keychain Access.app File > New Password Item … . In the Keychain Item Name, enter the name you want for ITEM_NAME, the Account Name is your AC_USERNAME and the AC_PASSWORD goes into the Password field.
    • Or you can do it via the command line: `security add-generic-password -a "AC_USERNAME" -w "AC_PASSWORD" -s "ITEM_NAME"`
  2. In the arguments to altool, you now pass `-u AC_USERNAME -p "@keychain:ITEM_NAME"` to make it fetch the password from the keychain.
  3. The first time you run altool, you get a security confirmation dialog asking you whether to allow altool to read the password. Enter your keychain password and click on Always allow.

To prevent the security confirmation dialog from appearing, either click on Always allow or modify the appropriate keychain entry. This works like this:

  • Locate the path to altool by opening a shell and typing `xcrun -find altool`.
  • Either use this path as argument `-T <path>` when creating the password using the `security add-generic-password` command or:
    • Open Keychain Access.app.
    • Select the password entry, select the menu File > Get Info (or press Cmd+I or click the icon).
    • In this dialog, select the Access Control tab and press the + button. A file selection dialog opens.
    • Open Finder and select the menu Go > Go to Folder… and paste the path to altool (the directory part, without altool itself, e.g. /Applications/Xcode.app/Contents/Developer/usr/bin/).
    • Drag altool to the open panel of Keychain Access and press the Add button.
DarkDust
  • Is it possible to avoid the dialog asking for keychain password? (Step 3) I want to automatise the process – RuLoViC Jun 17 '19 at 22:40
  • @RuLoViC: See my edit for details on how it should work. – DarkDust Jun 18 '19 at 06:59
  • I would need to achieve that using command line, because it is part of automatic build. Is that possible? – RuLoViC Jun 18 '19 at 08:23
  • Which part do you mean with "achieve that"? Using `altool` without the security dialog? That's what my edit was about. – DarkDust Jun 18 '19 at 08:53
  • But according to your edit you still need to do some things using Graphical Interface. I cannot do that since it will be part of automatised build – RuLoViC Jun 18 '19 at 09:25
  • 1
    a) You missed the part about passing `-T <path>` to `security`. b) If you actually generate a keychain entry _during your automated build_ then you must have the password in plaintext already and should skip the keychain altogether. Just pass the password to `altool` using `-p ` instead of `-p @keychain:`. – DarkDust Jun 18 '19 at 09:50
  • Finally I used your solution. Now I have a different problem: `2019-06-19 21:41:59.620 altool[35802:70182] *** Error: To use this application, you must first sign in to iTunes Connect and sign the relevant contracts. (1048)` Have you ever had this problem? – RuLoViC Jun 20 '19 at 14:40
  • @RuLoViC: You probably need to sign in to https://developer.apple.com with that account and confirm all license agreements there. – DarkDust Jun 20 '19 at 15:03
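The command-line route from DarkDust's answer above (item created with `-T`, then read through `@keychain:`), as an added example that is not part of the original answer or its comments. The function names `store_password` and `validate_ipa` are hypothetical; placing `-w` last so that `security` prompts for the password, using `-U`, and invoking altool as `xcrun altool` are choices made here rather than taken from the page.

```shell
#!/bin/sh
# Added example, not from the original answer. AC_USERNAME, ITEM_NAME and the
# .ipa path are passed in by the caller; the function names are hypothetical.

# Locate altool as the answer describes; only an absolute path is accepted,
# because that path goes into the keychain item's access list.
altool_path() {
    p=$(xcrun -find altool) || return 1
    case "$p" in /*) printf '%s\n' "$p" ;; *) return 1 ;; esac
}

# One-time setup, run interactively on the build machine.
#   -T  puts altool on the item's access list (no confirmation dialog later)
#   -U  updates the item if it already exists
#   -w  last and without a value: security prompts for the password, so it
#       never appears in argv, the process list or shell history
store_password() {   # $1 = AC_USERNAME, $2 = ITEM_NAME
    [ -n "${1:-}" ] && [ -n "${2:-}" ] ||
        { echo "usage: store AC_USERNAME ITEM_NAME" >&2; return 2; }
    tool=$(altool_path) || { echo "altool not found via xcrun" >&2; return 1; }
    security add-generic-password -U -a "$1" -s "$2" -T "$tool" -w
}

# Build step: only the item name is passed, never the secret itself.
validate_ipa() {     # $1 = AC_USERNAME, $2 = ITEM_NAME, $3 = path to .ipa
    [ -f "${3:-}" ] || { echo "no such file: ${3:-}" >&2; return 2; }
    # Attribute lookup only (no password read); fails early if the item is missing.
    security find-generic-password -s "$2" >/dev/null 2>&1 ||
        { echo "keychain item '$2' not found" >&2; return 3; }
    # xcrun runs the same altool binary that `xcrun -find altool` reports.
    xcrun altool --validate-app -f "$3" -u "$1" -p "@keychain:$2"
}

# Usage: script.sh store AC_USERNAME ITEM_NAME
#        script.sh validate AC_USERNAME ITEM_NAME path/to/app.ipa
case "${1:-}" in
    store)    shift; store_password "$@" ;;
    validate) shift; validate_ipa "$@" ;;
esac
```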
13

The way that worked for me was logging in with the Application Loader itself (check the "Keep me logged in" option) and use the keychain entry of the Application Loader.

So my command looks like this:

```
altool --validate-app -f APPLICATION.ipa -u my@apple.id -p @keychain:"Application Loader: my@apple.id"
```
Ky -
Noffls
  • I opened Xcode's ApplicationLoader, Windows > Sign Out. All was good after I signed in again and checked "[x] Keep Me Signed In". My command line Jenkins build job that uses altool now works again. Thank you! – Ed of the Mountain May 24 '18 at 17:04
  • 1
    This probably shouldn't be the accepted answer but it is nonetheless very useful! – nolanw Jul 28 '18 at 04:31
5

The correct usage is to enter the name of the keychain item (not the name of the keychain itself, and not the "Account" field for the keychain item).

My problem was actually related to access control. I had to edit the keychain item in Keychain Access and tweak the Access Control settings to allow altool to see the keychain item.

Mike Mertsock
  • Would you mind elaborating a bit? I've tried `altool --validate-app -f "${IPA}" -u "redacted" -p "@keychain:iPhone Distribution: Example Company, LLC"` but it's never able to find the identity. I've tried unlocking the keychain and giving full access control with no luck. – dhallman Aug 26 '16 at 18:26
  • Sorry that I wasn't clear about that. I honestly don't remember, and am no longer working on that codebase so I can't check… feel free to edit this question and/or answer if you figure it out. – Mike Mertsock Aug 26 '16 at 19:22
  • 2
    After working fine for over a year, it stopped working. The problem was the Access Control as well. For some reason, the Keychain only had the iCloud version of the credentials, where you cannot modify permissions. I ended up making a new entry with the same password, where I could change the Access Control to allow `altool`. – Kenneth May 03 '21 at 07:33