modify per-application access control for private key via command line?

I have a cert in a keychain that contains a private key. I'd like to add an application to the access control "white list" for that key. I know how to do this using the graphical keychain tool, but I'd like to do it via the command line as part of an Xcode build script.

From what I can tell, the "security" command is the way to manipulate keychains at the command line, but I can't figure out from the man page how I'd go about accomplishing this task.

For completeness, here's exactly what I do in the keychain tool that I'd like to do via the command line:

  1. Click the cert to show its private key.
  2. Right-click the private key and select the "Get Info" menu item.
  3. Click the "Access Control" tab.
  4. Click the "+" button to add an application to the white list.
  5. Select the application (in my case Xcode) and click "Add".

I might also be interested in how to allow access to all applications.

Outbound answered 13/7, 2012 at 14:44

I don't think there is any way from security to do this after the key was imported. However, if you're importing the key for the first time, you can use the -T flag:

 -T  Specify an application which may access the imported key 
     (multiple -T options are allowed)

So in my case I was able to do this:

security import my.key -P mypassword -T /usr/bin/pkgbuild

And everything worked!

Spathic answered 1/12, 2012 at 21:14

Comment: This is great, but it doesn't actually answer the question. Provided that I have already imported the private key (along with a certificate associated with it) and now want to allow my app access to that private key programmatically, how can I do it? Many times (in corporate environments) the certificates are deployed en masse in advance by the IT guys, and I only need to let my application use them. How do I do that? - Minnieminnnie

Disclaimer

I'll be honest, this is probably not the best place to post this... but I stumbled onto this (and several other) entries with more or less the same problem. See also https://mcmap.net/q/669034/-having-issue-with-allowing-codesign-to-use-my-keychain. But since I found a solution that could help other people who try to change the access control for a private key in Keychain via a remote session, my solution could help...

Because importing via the CLI did not work for me (using -T or -A): I always got that pop-up regarding access from Keychain.

BTW: If you know a better SO answer where this belongs... please let me know or move it there...

Solution

Create a keychain on your local machine, e.g. name it apple-development[.keychain]. Add your private keys there and assign the necessary access control (best: "Allow all ..."). Now copy that keychain to your remote Mac and add it there via the Keychain application (File / Add Keychain...). For CI you might do something like this:

security unlock-keychain -p YOUR-KEYCHAIN-PASSWORD "${HOME}/apple-development.keychain"
Plenish answered 24/2, 2016 at 11:57
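An added example, written for this page and not taken from either answer or the original poster: a bash script for a CI job that puts the first answer's import-time -T flag together with the command-line equivalent of the second answer's "File / Add Keychain" step, and adds one command neither answer mentions, security set-key-partition-list, which on macOS 10.12 and later is what stops codesign from prompting even after the tool has been added with -T. It assumes the identity arrives as a PKCS#12 (.p12) file, that the consumers are /usr/bin/codesign and /usr/bin/security, and that a DRY_RUN=1 environment variable should print the commands (with secret values masked) instead of executing them; all three are assumptions for the example. It does not solve the commenter's general case: for an arbitrary third-party application there is still no post-import CLI route, so the choice remains re-importing with -T (or -A) or carrying the ACL inside a pre-built keychain as the second answer does.

```shell
#!/usr/bin/env bash
# Added example (not code from the original post or answers): build a
# throwaway keychain for CI, import a PKCS#12 signing identity, and grant
# the code-signing tools access to its private key from the command line.
# Assumptions: the identity is a .p12 file; the consumers are
# /usr/bin/codesign and /usr/bin/security; DRY_RUN=1 prints the commands
# (secrets redacted) instead of running them.
set -euo pipefail

KEYCHAIN="${KEYCHAIN:-${TMPDIR:-/tmp}/ci-signing.keychain-db}"
KEYCHAIN_PASS=""   # generated per run below, never reused
P12_PASS=""

# run CMD...: execute the command, or in dry-run mode print it with any
# argument equal to one of the secrets replaced by <redacted>.
run() {
  if [ "${DRY_RUN:-0}" != "1" ]; then
    "$@"
    return
  fi
  local a line=""
  for a in "$@"; do
    if [ -n "$a" ] && { [ "$a" = "$KEYCHAIN_PASS" ] || [ "$a" = "$P12_PASS" ]; }; then
      a='<redacted>'
    fi
    line="$line $a"
  done
  printf '%s\n' "${line# }"
}

# setup_signing_keychain P12_PATH P12_PASSWORD
setup_signing_keychain() {
  local p12="$1"
  P12_PASS="$2"
  # Random keychain password: the keychain exists only for this job.
  KEYCHAIN_PASS="$(head -c 24 /dev/urandom | base64 | tr -d '\n')"

  run security create-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"
  # Lock on sleep and after 6 h idle (default is 5 min), so a long build
  # does not find the keychain locked halfway through.
  run security set-keychain-settings -lut 21600 "$KEYCHAIN"
  run security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"

  # -T is the only CLI lever for the key's per-application access list,
  # and it only applies at import time (this is the first answer's point).
  run security import "$p12" -k "$KEYCHAIN" -f pkcs12 -P "$P12_PASS" \
      -T /usr/bin/codesign -T /usr/bin/security

  # macOS 10.12+ additionally checks the key's partition list. Without
  # this step codesign still shows the password prompt even though it is
  # on the -T list. -S sets the partition IDs, -s selects signing keys.
  run security set-key-partition-list -S apple-tool:,apple:,codesign: \
      -s -k "$KEYCHAIN_PASS" "$KEYCHAIN"

  # Put the new keychain on the user search list (CLI equivalent of
  # File / Add Keychain in Keychain Access). -s replaces the whole list,
  # so the login keychain is named explicitly to keep it reachable.
  run security list-keychains -d user -s "$KEYCHAIN" \
      "$HOME/Library/Keychains/login.keychain-db"

  # Verify that a usable code-signing identity is now visible.
  run security find-identity -v -p codesigning "$KEYCHAIN"
}

# Remove the keychain, and the private key with it, when the job is done.
teardown_signing_keychain() {
  run security delete-keychain "$KEYCHAIN"
}

# Run the procedure when invoked with a .p12 path and its password;
# sourcing or running without arguments only defines the functions.
if [ "$#" -ge 2 ]; then
  setup_signing_keychain "$1" "$2"
fi
```

Usage on a build agent: `./signing-keychain.sh dist.p12 "$P12_PASSWORD"` (names assumed), followed by the build and `teardown_signing_keychain` in a trap or a final step. Two caveats worth keeping in mind: passwords passed with -p, -P and -k are visible to other local processes in the process list for the duration of each command, which is why the keychain password is generated per run and the keychain deleted afterwards; and the partition-list step only helps Apple's own tools, so it does not change the answer for a third-party application.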

© 2022 - 2024 — McMap. All rights reserved.