46

I'm configuring an automated build server for an iOS application project. I've done most of it. Now, it's the final round. The security.

Developer certificates/private keys and provisioning profiles can be easily installed into Keychain with the GUI. But I want to do this via the command line to automate even the configuring process. Exporting/importing certificates, private keys, provisioning profiles via command line.

Any recommendations will be very appreciated.

eonil
  • 4
    Did you ever find a way to install a provisioning profile? I've got the certificate bit nailed but the other bit eludes me still... – jkp Mar 31 '11 at 09:57

3 Answers

55

The always allow GUI is being triggered because codesign hasn't been given an ACL to access your private key. Try this:

security unlock-keychain -p <my keychain password>
security import Certificate.p12 -k ~/Library/Keychains/login.keychain -P password -T /usr/bin/codesign

The -T flag tells security to allow codesign to have access to the keys you are importing in Certificate.p12.

ablarg
  • 7
    Yup, this is what I was looking for as well. I'd like to note that I was running into the error message 'security: SecKeychainItemImport: User interaction is not allowed.' when trying to run the above command. I forgot to unlock my keychain. Doh! Running 'security unlock-keychain' made it work like a charm. – awolf Sep 26 '12 at 01:36
  • This works as expected, but I need a little more... My certificate+key pair is NOT the original Apple thing, but a self-signed certificate we create for our internal developers (we don't want them to have our real private key on their machines). Now here I also need to configure the Keychain to always-trust the certificate. I know how to do it in the GUI, and I also know how to add (import + trust) a trusted certificate via: security add-trusted-cert -k /Library/Keychains/System.keychain -d XXXX.cer --- However, that command doesn't work with .p12 files. Any idea how I can do this? – Motti Shneor Jul 06 '16 at 07:15
  • Update: as of macOS Sierra, you should probably follow the flow by Ilian Iliev here: http://stackoverflow.com/questions/39868578/security-codesign-in-sierra-keychain-ignores-access-control-settings-and-ui-p – ablarg Mar 15 '17 at 20:34
15

I found hints from: http://lists.apple.com/archives/apple-cdsa/2010/Mar/msg00021.html

The command is security. I'm reading the manual page. I'll update this answer later after trial :)

--(edit)--

First, we have to give 'Always Allow' access to the certificates/keys in the Keychain manually once. I don't know how to do this without the GUI.

And run the command security unlock-keychain before running the build tool for every session. I've used SSH, so I had to execute it once for every login session.

eonil
  • 5
    To give 'Always Allow' access, use the -A switch on `security import` when adding the certificates and keys. – Luke Dec 06 '12 at 23:51
  • 1
    The -A option is not recommended as it allows any application to use these certificates. To be more secure use the `-T /usr/bin/codesign` option described above. This will allow specific applications. See `security import --help` for other options. – atreat Jan 20 '17 at 04:34
3

Install certificate using command line:

security unlock-keychain -p <machine login password>
security import my_certificate.p12 -k ~/Library/Keychains/login.keychain -P my_password -T /usr/bin/codesign

Install mobile provision profile:

The simple way:

#install profiles, will trigger xcode to install the profile
open "my_profile1.mobileprovision"

# wait for xcode to process the request
sleep 3

# shut down xcode (optional)
kill $(ps aux | grep 'Xcode' | awk '{print $2}')

The complex way:

PROVISION_FILE="my_profile.mobileprovision"

# decode the CMS-signed profile and pull out its UUID
uuid=$(security cms -D -i "${PROVISION_FILE}" | grep -aA1 UUID | grep -o "[-a-zA-Z0-9]\{36\}")

cp "$PROVISION_FILE" ~/Library/MobileDevice/Provisioning\ Profiles/"$uuid".mobileprovision
Amir.n3t
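The `-T /usr/bin/codesign` versus `-A` point from the answers and comments above, as an added example that is not code from any poster. It goes beyond the thread by importing into a throwaway per-build keychain instead of the login keychain, so the login password never has to be given to the build job. The function names, the `P12_PASSWORD` environment variable and the keychain file name are assumptions.

```shell
#!/bin/sh
# Added example: per-build keychain for CI code signing (macOS `security` CLI).
# Hypothetical names: setup_signing_keychain, teardown_signing_keychain,
# P12_PASSWORD, build-signing.<pid>.keychain-db.

# Usage: setup_signing_keychain <cert.p12>   (P12 password read from P12_PASSWORD)
# Prints the path of the new, unlocked keychain on success.
setup_signing_keychain() {
    p12=$1
    [ -f "$p12" ] || { echo "missing p12: $p12" >&2; return 1; }
    [ -n "${P12_PASSWORD:-}" ] || { echo "P12_PASSWORD not set" >&2; return 1; }

    KC_PATH="${TMPDIR:-/tmp}/build-signing.$$.keychain-db"
    # Random per-run keychain password: nothing reusable is stored in the job.
    KC_PASS=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')

    security create-keychain -p "$KC_PASS" "$KC_PATH" || return 1
    # Lock on sleep and after one hour, in case teardown never runs.
    security set-keychain-settings -lut 3600 "$KC_PATH" || return 1
    security unlock-keychain -p "$KC_PASS" "$KC_PATH" || return 1
    # -T puts only codesign on the key's ACL; -A would allow every application.
    security import "$p12" -k "$KC_PATH" -P "$P12_PASSWORD" \
        -T /usr/bin/codesign || return 1
    # macOS Sierra and later also check the key's partition list.
    security set-key-partition-list -S apple-tool:,apple: -s \
        -k "$KC_PASS" "$KC_PATH" >/dev/null || return 1
    echo "$KC_PATH"
}

# Delete the keychain, and the private key with it, when the build ends.
teardown_signing_keychain() {
    security delete-keychain "$1"
}
```

In a build script, capture the path with `kc=$(setup_signing_keychain cert.p12)`, register `trap 'teardown_signing_keychain "$kc"' EXIT`, and point signing at it with `codesign --keychain "$kc"`.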