3

I just got my certificate installed on a Mac OS X 10.7 and wrote a script that runs codesign on a number of files after compiling my project. I created a new keychain and disabled the option for locking it after a certain period of time. It looks like the login keychain. But every time my script runs the codesign command the following error occurs: <filename>: User interaction is not allowed. If I start a shell, unlock the keychain with security unlock-keychain <path> and then run the script manually, it works. The question is how to keep the keychain always unlocked so that my automatic build can sign the files?

RegedUser00x
  • 2,313
  • 5
  • 27
  • 34
  • how are you unlocking the keychain from your script? and what kind of language is the script written in? – l'L'l Dec 19 '13 at 12:02
  • I use /bin/sh. I don't unlock it from the script. If I unlock it manually, it asks about the password. I don't want to have my password stored in the script since other people have access to it too. – RegedUser00x Dec 19 '13 at 12:04
  • you can try using `security unlock-keychain -p `, although consider the security implications of this before using it. basically the problem is that keychain normally only unlocks in an interactive shell. there are some scripts available that can simulate this and run your script that needs to do the codesigning. – l'L'l Dec 19 '13 at 12:11
  • I can't hard-code the password in the script or store it unencrypted on the computer. What are those scripts in question? – RegedUser00x Dec 19 '13 at 12:45
  • there are two that i'm aware of (i'm sure there are many more) — the first being [pexpect](http://www.noah.org/wiki/pexpect#Description_of_Pexpect), and the second being [Jenkins](https://wiki.jenkins-ci.org/display/JENKINS/Meet+Jenkins). If you search for either one you're bound to find an example of what you ultimately need to do (hopefully) :) – l'L'l Dec 19 '13 at 12:53

2 Answers

5

When you use security unlock-keychain -p $PASSWORD $KEYCHAIN the keychain will be unlocked, but only for 5 minutes, due to an automatic relock. To keep the keychain unlocked permanently you need to use security set-keychain-settings $KEYCHAIN.

For completeness of this answer, I would also recommend that you use security import $CERT -k $KEYCHAIN -P "$CERTPASSWORD" -T /usr/bin/codesign to grant /usr/bin/codesign access to your certificate.

Stephen Quan
  • 21,481
  • 4
  • 88
  • 75
  • Does not work for me: security unlock-keychain -p 'my password' "Laszlo Papp" security: SecKeychainUnlock Laszlo Papp: The specified keychain could not be found. - do I have to export from Keychain Access? "Laszlo Papp" works fine for codesign -s "Laszlo Papp", but again, getting the password prompt. – László Papp May 04 '22 at 11:39
  • See https://stackoverflow.com/a/35977622/881441 for more details – Stephen Quan May 04 '22 at 12:24
0

Late reply, but as of 2022 (Monterey) I could not get it to run, testing all answers and commands here.

My issue was that the certificates were in the System Toolchain. It looks like in this case there is no way to skip the admin password prompt, even if you lock, unlock, set timeouts...

I tried moving them from System to login, which did not work: there was a private key that did not refresh.

Lastly, I used "reset keychain", which deletes everything from the local and login keychain. Then I imported the certs again, this time into the login keychain. I restarted the computer and it worked.

A useful command is security find-identity, which you can use to display whether the key moved to the Login keychain has been detected.

After these steps I can finally sign files without any password prompt.

rupps
  • 9,712
  • 4
  • 55
  • 95
  • 2
    You didn't hit Always Allow, did you? I'm trying to get this to work without having to click Always Allow. – NorseGaud Jun 14 '22 at 20:09
  • hmmm... I don't remember if I did - probably, in any case it never asked again – rupps Jun 21 '22 at 20:42
  • @NorseGaud I'm doing this on my machine and with my keychain unlocked and certificate in the correct keychain it still won't work -> I haven't clicked always allow – ngood97 Jul 12 '22 at 23:03
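The two answers above together describe one procedure: unlock the keychain, clear its relock settings, import the certificate with codesign as a trusted application, and confirm with security find-identity that the identity is visible. The script below is an added example and is not code from either answerer. It assumes names that are not on the page: the keychain password is read from a file at $KEYCHAIN_PASSWORD_FILE that must be mode 600 (so the password never appears in the script, which was the asker's constraint), the certificate is a .p12 at $CERT_P12 whose passphrase arrives in the CERT_PASSWORD variable from the CI system, and the identity name in SIGN_IDENTITY is a placeholder. The set-key-partition-list step is a known requirement on macOS 10.12 and later that the page itself does not mention.

```shell
#!/bin/sh
# Added example (not from the question or the answers): unattended codesign
# setup for a macOS build machine. All paths and names below are assumptions.
set -eu

KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/build.keychain-db}"
KEYCHAIN_PASSWORD_FILE="${KEYCHAIN_PASSWORD_FILE:-$HOME/.build-keychain-pw}"  # assumed
CERT_P12="${CERT_P12:-$HOME/signing-cert.p12}"                                 # assumed
SIGN_IDENTITY="${SIGN_IDENTITY:-Developer ID Application: Example Corp}"       # placeholder

# Refuse a secret file that other users of the machine could read:
# succeeds only if the file exists with mode exactly 600 (owner read/write).
secret_file_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU stat, then BSD/macOS stat
    [ "$mode" = "600" ]
}

# Options for `security set-keychain-settings`. An empty result means "no
# timeout and no lock on sleep", i.e. the keychain stays unlocked, which is
# what the first answer recommends; a positive number relocks after that
# many seconds instead (the 5-minute default is what breaks unattended builds).
relock_options() {
    if [ "$1" -gt 0 ] 2>/dev/null; then
        printf -- '-lut %s' "$1"
    fi
}

# True when the signing identity is visible in the build keychain, the same
# check the second answer makes with `security find-identity`.
identity_present() {
    security find-identity -v -p codesigning "$KEYCHAIN" | grep -Fq "$SIGN_IDENTITY"
}

# Create (if missing), unlock and configure the build keychain, then import
# the certificate so /usr/bin/codesign may use the key without a prompt.
setup_keychain() {
    secret_file_ok "$KEYCHAIN_PASSWORD_FILE" || {
        echo "refusing: $KEYCHAIN_PASSWORD_FILE must exist with mode 600" >&2
        return 1
    }
    kc_pw=$(cat "$KEYCHAIN_PASSWORD_FILE")
    [ -f "$KEYCHAIN" ] || security create-keychain -p "$kc_pw" "$KEYCHAIN"
    security unlock-keychain -p "$kc_pw" "$KEYCHAIN"
    # shellcheck disable=SC2046 -- the options are meant to split into words
    security set-keychain-settings $(relock_options "${RELOCK_SECONDS:-0}") "$KEYCHAIN"
    security import "$CERT_P12" -k "$KEYCHAIN" -P "$CERT_PASSWORD" -T /usr/bin/codesign
    # macOS 10.12+ also requires the key's partition list to admit Apple's
    # tools; the subcommand does not exist on older systems, hence the || true.
    security set-key-partition-list -S apple-tool:,apple: -s -k "$kc_pw" "$KEYCHAIN" \
        >/dev/null 2>&1 || true
    # Put the build keychain on the user search list ahead of login.keychain-db.
    security list-keychains -d user -s "$KEYCHAIN" "$HOME/Library/Keychains/login.keychain-db"
    identity_present || { echo "identity '$SIGN_IDENTITY' not found in $KEYCHAIN" >&2; return 1; }
}

# Sign every path given on the command line, naming the keychain explicitly.
sign_all() {
    for f in "$@"; do
        codesign --force --sign "$SIGN_IDENTITY" --keychain "$KEYCHAIN" "$f"
    done
}

# Only run the real commands when invoked with file arguments on a Mac,
# e.g.  CERT_PASSWORD=... ./ci-sign.sh build/MyApp.app build/helper
if [ "${1:-}" != "" ] && command -v security >/dev/null 2>&1; then
    setup_keychain
    sign_all "$@"
fi
```

Keeping the password in a 600-mode file owned by the build user (or in the CI secret store) rather than in the script is what lets the "User interaction is not allowed" error go away without exposing the password to everyone who can read the build scripts; set RELOCK_SECONDS to a positive value if you would rather have the keychain relock after a bounded window than stay open indefinitely.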