23

I tried to code sign an iOS application. These are the steps that I followed:

    # create a temporary keychain that auto-locks after 300 seconds and add it to the search list
    security create-keychain -p password ${KEYCHAIN}
    security set-keychain-settings -u -t 300 ${KEYCHAIN}
    security list-keychains -d user -s login.keychain ${KEYCHAIN}
    # import the p12; -A lets any application use the imported key
    security import "$1" -k ${KEYCHAIN} -A -P "${PASSPHRASE}" >/dev/null
    security unlock-keychain -p password ${KEYCHAIN}

    /usr/bin/codesign -f -s $IDENTITY --keychain $KEYCHAIN --entitlements $ENTITLEMENTS Payload/Test.app

This returned `Codesign returned unknown error -1=ffffffffffffffff` when run via ssh.

If I execute the codesign command directly on the machine, it signs successfully.

The issue is only in Mac OS Sierra.

Madhu Avinash
  • I had this issue because I pressed "Deny" accidentally when Xcode asked me to allow access to Keychain. This has helped me: [Can't run Xcode project on device due to certificate issues](https://stackoverflow.com/questions/46881907/cant-run-xcode-project-on-device-due-to-certificate-issues) (restart the machine!). – Stanislav Pankevich Mar 07 '18 at 12:27

8 Answers

21

Had the same problem a while ago, adding

    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k password ${KEYCHAIN}

solved it for me.

Gereon
  • Can you please elaborate on what the issue is, and how did this piece of code solve it? – Madhu Avinash May 28 '17 at 10:39
  • From my research at the time I figured that the issue is related to keychain permissions, and that's what this command fixes: it tells the system that the keychain in question is suitable for code signing. – Gereon May 28 '17 at 10:42
  • I opened a GitHub issue with fastlane at the time, https://github.com/fastlane/fastlane/issues/8797 - maybe some of the info over there helps, even if you're not running fastlane. – Gereon May 28 '17 at 10:44
  • Thanks for the info, but none of them helped. From the local machine it is able to sign properly, but via ssh it is throwing me this error. – Madhu Avinash May 28 '17 at 10:56
  • Thanks man, had to set some other thing as well with this: `security list-keychains -d user -s login.keychain ${KEYCHAIN}` to `security list-keychains -d user -s ${KEYCHAIN}` – Madhu Avinash May 29 '17 at 07:42
  • @Gereon I am still facing the same problem via ssh – Madhu Avinash Oct 02 '17 at 17:55
  • For me I was using a temp keychain; I needed to do the above, but for some reason I also needed to unlock my default keychain (my login one in this case). Only needed for High Sierra. – BooRanger Dec 15 '17 at 11:18
  • In case you don't know what ${KEYCHAIN} is, type `security list-keychains` and select one (should be the paths to the login and system keychain files). – Pellet Mar 21 '18 at 04:18
  • This works for me, but I had to sign from a normal GUI terminal at least once before it would work. – Rafael Kitover Feb 25 '19 at 23:26
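To show how the partition-list command from this answer fits into the question's script, here is an added example of a complete headless signing run with a throwaway keychain. It is my code, not the question's script, Gereon's or fastlane's, and it assumes a `.p12` holding the signing identity, its passphrase in the `P12_PASS` environment variable, the identity name or SHA-1, an entitlements plist and the `.app` path as arguments; the `login.keychain-db` file name and the `-T` allow-list are my choices, not something the thread states.

```bash
#!/usr/bin/env bash
# Added example, not code from the question or any answer: sign an iOS .app from
# a headless (ssh/CI) session with a throwaway keychain, in the order that avoids
# the "unknown error -1=ffffffffffffffff" key-access prompt. Assumed inputs:
#   $1 .p12 with the signing identity (passphrase in P12_PASS)
#   $2 identity name or SHA-1   $3 entitlements plist   $4 path to the .app
set -euo pipefail

# Throwaway keychain with a random password: nothing persists after the build.
KEYCHAIN="$(mktemp -d)/ci-signing.keychain-db"
KEYCHAIN_PASS="$(head -c 24 /dev/urandom | base64 | tr -d '/+=')"
LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"   # file name since Sierra (assumption)

cleanup() {
  # Runs on every exit path so a stale keychain never stays in the search list.
  security delete-keychain "$KEYCHAIN" >/dev/null 2>&1 || true
}

create_temp_keychain() {
  security create-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"
  # Lock on sleep and after one hour of inactivity; long enough for a build.
  security set-keychain-settings -lut 3600 "$KEYCHAIN"
  security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"
  # Search the temporary keychain first; keep login.keychain reachable for Xcode.
  security list-keychains -d user -s "$KEYCHAIN" "$LOGIN_KEYCHAIN"
}

import_identity() {
  local p12="$1"
  # -T grants only codesign/security access to the private key instead of
  # -A (every application), so the key is not exposed more widely than needed.
  security import "$p12" -k "$KEYCHAIN" -P "${P12_PASS:?set P12_PASS}" \
    -T /usr/bin/codesign -T /usr/bin/security >/dev/null
  # Without this, macOS Sierra and later still prompt for the key: the partition
  # list records which Apple tools may use the key without a GUI dialog.
  security set-key-partition-list -S apple-tool:,apple:,codesign: -s \
    -k "$KEYCHAIN_PASS" "$KEYCHAIN" >/dev/null
}

sign_app() {
  local identity="$1" entitlements="$2" app="$3"
  codesign --force --sign "$identity" --keychain "$KEYCHAIN" \
    --entitlements "$entitlements" "$app"
  # Verify strictly so a half-signed bundle fails here rather than on the device.
  codesign --verify --deep --strict --verbose=2 "$app"
}

sign_with_temp_keychain() {
  local p12="$1" identity="$2" entitlements="$3" app="$4"
  [ -f "$p12" ] || { echo "missing p12: $p12" >&2; return 1; }
  trap cleanup EXIT
  create_temp_keychain
  import_identity "$p12"
  sign_app "$identity" "$entitlements" "$app"
}

# Entry point when run directly, e.g.:
#   P12_PASS=... ./sign.sh dist.p12 "Apple Distribution: Example" ent.plist Payload/Test.app
if [ "$#" -ge 4 ]; then
  sign_with_temp_keychain "$@"
fi
```

The order matters: the identity must be imported before `set-key-partition-list` runs, because the partition list is written onto the keys that exist at that moment. Both passwords are passed on the command line, which `security` requires; the keychain password is random and discarded with the keychain, and the `.p12` should live only as long as the build.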
20

Got the same issue but while archiving directly from Xcode. Sharing the solution in case it helps.

Sometimes, Keychain seems to end up in a corrupted state. Using MacOS Sierra too.

Symptoms:

  • Relogin needed to access Accounts after restarting Xcode
  • Prompting for password while using Keychain Access for some operations
  • Keychain Access - Error while accessing login keychain via Change Settings for Keychain ...

What fixes it for me is locking and unlocking (password required) the involved Keychain, login in my case.

Romano
  • The locking and unlocking keychain access works for me. I'm using macOS High Sierra 10.13.1. The unknown error -1=fffffff is not meaningful, Apple :| – Mrye Jan 12 '18 at 09:49
  • Strange bug. I don't recall unlocking my keychain, but it was unlocked. Locking it and it's fine again. – honcheng Jan 19 '18 at 04:47
  • This is the best answer that helped me with my problem and saved a lot of time for me. Thank you, Romano. – Maria Mar 19 '18 at 13:58
  • A picture is worth a thousand words. Working. – Surjeet Rajput Jun 28 '18 at 06:59
  • Thanks so much. I was stuck with this for a while. Locking/unlocking in Keychain works. I am using Xcode 9.2, macOS Sierra 10.12.6 – user3204765 Jul 14 '18 at 11:11
6

I am going to chip in as well, as I had to try a few more things than the ones mentioned here: the problem was that Keychain doesn't like SSH sessions. I had to execute these in my session to fix it:

    security unlock-keychain -p MY_PASS ~/Library/Keychains/login.keychain
    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k MY_PASS ~/Library/Keychains/login.keychain
    security set-keychain-settings ~/Library/Keychains/login.keychain

I've also removed my current system/account certificates by removing my account from Xcode (I use fastlane to do the building), but I suspect that this shouldn't have impacted it.

Tadas Šubonis
  • Funny. This fixed my code signing issue, but it broke my Git client. My Mac is a Jenkins slave and now it can't check out source code from Git. Any clue on why this could happen? – Mig82 Apr 23 '18 at 18:10
  • And also please explain how to reverse this command if you can. – Mig82 Apr 23 '18 at 18:41
  • Well, I guess you changed your keystore credentials (MY_PASS) and git client can't use the keystore/keychain anymore. However, I can't explain how to fix that because I've used MacOS just to set up that agent so my experience here is rather... limited. – Tadas Šubonis Apr 24 '18 at 13:43
  • Thanks @TadasŠubonis. Note: If it says username or password is incorrect, then try running the commands without -p parameter and then enter the password when prompted. – Ashwin Sep 19 '18 at 14:44
5

@madhu I have been trying to fix the same issue and found that Access Control for the key associated with the certificate in question was set to "Confirm before allowing access", which didn't work in Jenkins. I modified it (through the Keychain Access GUI: Get Info, Access Control) to "Allow all applications to access this item" and my build was successful.

Simon H
  • Thanks, this worked for me. Note that a dialog still came up asking for a password, but then you can say "always". – John Hatton May 17 '18 at 23:43
2

You might have exported a file such as a p12 from Keychain, and when the OS asked for your root password and you denied it, Xcode will then fail to code sign with this error.

If this is the case, you should repeat the above action, input your password and click Allow, and then code signing will work.

Dan Lee
2

This happens in a headless build because the prompt for key access cannot be shown or responded to. The solution is to prevent that prompt from showing by granting access to the key in advance.

Open Keychain Access, find the key for your signing certificate (login-> Certificates, then expand the certificate to reveal its key). Right-click on the key and select: Get Info -> Access Control, and select "Allow all applications to access this item".

pmacro
0

I've tried almost all the existing suggestions over the web, none of them helped...

Finally, only re-generating the Provisioning Profile (for AdHoc), re-downloading it and placing it in ~/Library/MobileDevice/Provisioning Profiles/, overwriting the existing one, saved my life.

By the way, the AppStore build was successful all this time, so the issue was definitely in the AdHoc profile itself (pretty strange, since it looked fine by all means).

RAM237
  • Were you facing the same problem that I have posted? – Madhu Avinash Sep 03 '17 at 10:48
  • Yep, exactly the same `error -1=ffffffffffffffff` via ssh with no visible reason (I have macOS Sierra 10.12.6). – RAM237 Sep 04 '17 at 08:59
  • Hey, I went through all this stuff again today and found out the following: 1) *.mobileprovision files in the `~/Library/MobileDevice/Provisioning\ Profiles/` dir must NOT have the `com.apple.quarantine` extended attribute. It is added by default when downloading on the Mac through Safari. This is why re-downloading helped me last time, because I tried downloading from Windows and putting it on the Mac via WinSCP. 2) The `security` command from the answer must be run too. Last time I did this before Step #1 and it didn't help, and this time running it helped me (because I had already done Step #1 right). – RAM237 Oct 02 '17 at 15:46
  • Btw, presence of this attribute can be checked via `ls -l@` and it can be removed with `xattr -d com.apple.quarantine /path/to/file.mobileprovision` – RAM237 Oct 02 '17 at 17:05
  • I have no clue regarding your scenario, but for the problem I posted your solution didn't have any effect; this might be a solution for something else. – Madhu Avinash Oct 02 '17 at 17:54
  • @MadhuAvinash, have you tried this https://stackoverflow.com/q/42402434/2518705 ? It should be possible to allow access for codesign only, if you don't want to make it available for all apps. – RAM237 Oct 03 '17 at 07:32
  • Mine is a keychain that is created on the fly and deleted as soon as the signing gets completed – Madhu Avinash Oct 03 '17 at 08:50
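The quarantine attribute that RAM237 describes in the comments is easy to miss on a build host, so here is an added example (my code, not RAM237's) of a small installer for `.mobileprovision` files: it strips `com.apple.quarantine` when present, reads the profile's UUID by decoding the CMS envelope with `security cms -D`, and copies the file into the profiles directory under `<UUID>.mobileprovision`, the name Xcode looks up. `PROFILE_DIR` defaults to the path from the answer and can be overridden; the grep/sed extraction of the UUID assumes the usual one-key-per-line plist output of `security cms -D`.

```bash
#!/usr/bin/env bash
# Added example, not from any answer: install provisioning profiles the way a
# headless build host needs them, with the Safari quarantine attribute removed
# and the file named by its UUID. PROFILE_DIR can be overridden for testing.
set -euo pipefail

PROFILE_DIR="${PROFILE_DIR:-$HOME/Library/MobileDevice/Provisioning Profiles}"

# Print 1 if the file carries com.apple.quarantine, 0 otherwise.
has_quarantine() {
  if xattr -p com.apple.quarantine "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Read the UUID out of the CMS-signed profile without installing it.
# Assumes the plist printed by `security cms -D` has the UUID key and its
# <string> value on consecutive lines, which is how it is emitted in practice.
profile_uuid() {
  security cms -D -i "$1" \
    | grep -A1 '<key>UUID</key>' \
    | sed -n 's:.*<string>\([^<]*\)</string>.*:\1:p'
}

# Install one profile: clear quarantine, then copy to <UUID>.mobileprovision.
# Prints the destination path on success.
install_profile() {
  local src="$1" uuid dest
  [ -f "$src" ] || { echo "no such profile: $src" >&2; return 1; }
  if [ "$(has_quarantine "$src")" = 1 ]; then
    # Downloaded through Safari: the attribute must go before Xcode will trust it.
    xattr -d com.apple.quarantine "$src"
  fi
  uuid="$(profile_uuid "$src" || true)"
  [ -n "$uuid" ] || { echo "could not read UUID from $src" >&2; return 1; }
  mkdir -p "$PROFILE_DIR"
  dest="$PROFILE_DIR/$uuid.mobileprovision"
  cp "$src" "$dest"
  echo "$dest"
}

# Entry point when run directly: ./install_profiles.sh path/to/*.mobileprovision
if [ "$#" -ge 1 ]; then
  for p in "$@"; do install_profile "$p"; done
fi
```

Checking `has_quarantine` before stripping keeps the script idempotent, and naming the copy by UUID means re-installing a regenerated profile overwrites the stale one instead of leaving two profiles with the same name for Xcode to choose between.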
0

Even though we installed the right certs in the keychain and the right Provisioning Profile under ~/Library/MobileDevice/Provisioning Profiles, we may still see

    unknown error -1=ffffffffffffffff

For this error, I tried the steps below to fix the issue:

  1. Reboot the machine, unlock the keychain using "security unlock-keychain", then lock the keychain again.
  2. Remove the ~/Library/Developer/Xcode/DerivedData folder.
  3. Run carthage bootstrap --platform iOS
  4. Open the synced-down source code workspace, run "xattr -rc ." then open the .xcodeproject file in Xcode.
  5. Turn on automatic signing for each target. You need to log in with valid credentials.
  6. Click on the provisioning profile under Signing.
  7. Unlock the keychain again.
  8. Change the build device to Generic Devices, then Product --> Clean, then Product --> Archive.
  9. A keychain access prompt will show up; click "Always Allow".
  10. Make sure the archive is successful, then trigger the Jenkins job again.
Its not blank