After set-key-partition-list codesign still prompts for key access
I'm importing a PEM file containing public and private keys for my code signing identity with the following command:

security import "${PEM_FILE}" -k ~/Library/Keychains/login.keychain -T /usr/bin/codesign -T /usr/bin/security

On OS X 10.11 El Capitan I could then codesign without a prompt:

codesign --force --sign "${IDENTITY_HASH}" --timestamp=none `mktemp`

However, as others have mentioned, OS X 10.12 Sierra now requires that you set-key-partition-list after import:

security set-key-partition-list -S apple-tool:,apple: -s -k "${PASSWORD}" ~/Library/Keychains/login.keychain

However, even after set-key-partition-list, I still get a UI dialog asking for permission to access my private key for code signing:

[screenshot: "codesign wants to access key" dialog]

If I click Always Allow, then future codesign calls don't prompt, but I don't ever want that UI dialog to prompt. I want this all to be scriptable.

Why does set-key-partition-list work for other folks, and not for me?

Dustproof answered 24/3, 2017 at 14:50 Comment(0)

In my original import command, I didn't supply a password for my keychain. If I supply a password to the import command, set-key-partition-list prevents the dialog from showing:

security import "${PEM_FILE}" -k ~/Library/Keychains/login.keychain -P "${PASSWORD}" -T /usr/bin/codesign -T /usr/bin/security
security set-key-partition-list -S apple-tool:,apple: -s -k "${PASSWORD}" ~/Library/Keychains/login.keychain

Then codesign doesn't show a dialog. It just works!

codesign --force --sign "${IDENTITY_HASH}" --timestamp=none `mktemp`
Dustproof answered 24/3, 2017 at 14:50 Comment(6)
How do I get the "${IDENTITY_HASH}" for the codesign command? Sorry, I'm new to iOS development... (Dewan)
security find-identity -v will list all your identities. The IDENTITY_HASH is the 41-character hash listed first. You probably want one with a name starting with iPhone Developer or iPhone Distribution, depending on whether you want to sign for development or distribution. (Dustproof)
Heath Borders, I tried it on my local system, which has Xcode version 9.0 and macOS High Sierra 10.13, but the confirmation dialog still pops up. (Hulton)
I haven't tried it with Xcode 9 yet, and I'm not on High Sierra 10.13 yet. (Dustproof)
Hey @HeathBorders, I don't understand your answer. The import command's -P is the passphrase for the cert itself, not the password for the keychain. If I enter the keychain password here, it will fail to import because my keychain and .p12 file do not have the same password. (Nedranedrah)
About -T, from "security import --help": -T Specify an application which may access the imported key (multiple -T options are allowed). (Lewislewisite)
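The accepted answer's three steps, written up as a complete script (an added example, not the poster's own code or anything from Apple). It imports the identity into a dedicated keychain instead of login.keychain, grants codesign access with -T, sets the key partition list, and then looks up the identity hash that the comments ask about by parsing `security find-identity -v` output. It keeps the two secrets the comment thread distinguishes apart: the passphrase of the PEM/p12 file goes to `security import -P`, the keychain's own password goes to `set-key-partition-list -k`. The keychain path, the environment variables and the sample find-identity output are constructed placeholders; `codesign --keychain`, `security create-keychain`, `unlock-keychain` and `set-keychain-settings` are standard macOS commands. The macOS-only part is guarded so the hash parser can be exercised on any system.

```shell
#!/bin/sh
# Added example, not from the original post: a fully scriptable macOS signing
# setup that imports the identity into a dedicated keychain, grants codesign
# access with -T, and sets the key partition list so no "wants to access key"
# dialog appears. All paths, passwords and the sample find-identity output
# below are constructed placeholders.

# Pick the identity hash out of `security find-identity -v` output.
# $1 = captured output, $2 = substring of the identity name to match.
# Prints the 40-hex-character SHA-1 from the first matching line, or
# nothing if no identity matches.
identity_hash() {
    printf '%s\n' "$1" | grep -F "$2" | grep -oE '[0-9A-F]{40}' | head -n 1
}

# Constructed sample of what `security find-identity -v -p codesigning` prints.
SAMPLE_FIND_IDENTITY='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "iPhone Developer: Jane Example (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "iPhone Distribution: Example Corp (ABCDE12345)"
     2 valid identities found'

# Create a throwaway keychain, import the PEM/p12 and make the key usable by
# codesign without a UI prompt. Arguments:
#   $1 keychain path, $2 keychain password, $3 PEM/p12 file, $4 file passphrase.
# Two different secrets: -P on import is the passphrase of the file being
# unwrapped; -k on set-key-partition-list is the keychain's password.
setup_signing_keychain() {
    kc="$1"; kc_pw="$2"; pem="$3"; pem_pw="$4"
    security create-keychain -p "$kc_pw" "$kc" || return 1
    security set-keychain-settings -lut 3600 "$kc" || return 1   # auto-lock after 1h idle
    security unlock-keychain -p "$kc_pw" "$kc" || return 1
    security import "$pem" -k "$kc" -P "$pem_pw" \
        -T /usr/bin/codesign -T /usr/bin/security || return 1
    # Let Apple's tools (codesign) use the key without the ACL dialog.
    security set-key-partition-list -S apple-tool:,apple: -s -k "$kc_pw" "$kc" || return 1
}

# Sign $2 with the identity whose name contains $3, using keychain $1, then verify.
sign_with_keychain() {
    kc="$1"; target="$2"; name="$3"
    hash=$(identity_hash "$(security find-identity -v -p codesigning "$kc")" "$name")
    [ -n "$hash" ] || { echo "no identity matching '$name' in $kc" >&2; return 1; }
    codesign --force --sign "$hash" --keychain "$kc" --timestamp=none "$target" || return 1
    codesign --verify --verbose "$target"
}

# The keychain steps run only on macOS with PEM_FILE and KEYCHAIN_PASSWORD set;
# elsewhere the script just demonstrates the parser on the constructed sample.
if [ "$(uname)" = "Darwin" ] && [ -n "${PEM_FILE:-}" ] && [ -n "${KEYCHAIN_PASSWORD:-}" ]; then
    KC="$HOME/Library/Keychains/ci-signing.keychain"
    setup_signing_keychain "$KC" "$KEYCHAIN_PASSWORD" "$PEM_FILE" "${PEM_PASSWORD:-}" \
        && sign_with_keychain "$KC" "$(mktemp)" "${IDENTITY_NAME:-iPhone Developer}"
else
    echo "sample hash for iPhone Developer: $(identity_hash "$SAMPLE_FIND_IDENTITY" 'iPhone Developer')"
fi
```

Using a separate keychain means the script never has to touch the interactive login keychain or rely on a stored "Always Allow" decision, and deleting the keychain afterwards (`security delete-keychain`) removes the private key from the build host. If the dialog still appears after these steps, check that the keychain the identity lives in is the one passed to `--keychain` and that `set-key-partition-list` was run against that same keychain.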
