Add codesign to private key ACL without Keychain
I'm trying to set up continuous builds/integration for a stable of iPhone apps.

I have:

  • A dedicated Mac Mini.
  • A user account named "build"
  • Hudson set up as a LaunchAgent for build, by dropping a plist in /Users/build/Library/LaunchAgents
    • Tried as a system-wide LaunchDaemon running as hudson, but then had no access to the build user's login keychain. Long story, full of heartache.
  • The system set to automatically login "build" on startup, so that Hudson starts running.

The big problem is codesigning and the Keychain.

We create code on behalf of our clients' developer identities, so we have several developer identities and we will be adding more.

I want to put the Mini in a deep dark room and never look at it, but the first time you build with a developer identity, a GUI dialog pops up asking if you want to always allow codesign to access the developer identity.

Assuming you do, that dialog box modifies the keychain access control list (ACL) so that codesign is allowed.

You can view this by opening Keychain Access, expanding the certificate, selecting the private key, right-clicking, selecting Get Info, and then switching to the Access Control tab. A "virgin" key will only have Keychain Access in its "always allow" application list. One you have used and confirmed in the dialog box will have codesign as well.

This box provides a way to add an application, except you get the standard Finder file picker, which hides Unix folders. There's no way to navigate to /usr/bin/codesign. So it's impossible to add manually!

Does anyone know of a way around this?

I'm aware of one method using the -T switch of "security import" but then you must specify the ACL when you import the key in the first place, so any keys added in the Keychain GUI would have to be tossed and reimported. Not exactly very nice.

Romanism answered 21/1, 2011 at 22:29 Comment(5)
Googol: When you say "There's no way to navigate to /usr/bin/codesign" what do you mean by that? /usr/bin/codesign is just a program; if you need to open /usr/bin in Finder use "open /usr/bin".
Cryptonym: In Safari, "vnc://miniName.local" is one way; you could use the machine remotely once per project. Scootklein's solution with AppleScript looks like it should work.
Romanism: Nope, the key's Get Info dialog, on the Access Control tab, does not have a method to manually enter "/usr/bin/codesign". You must click the plus sign button, which gives you a "Finder cleansed" view of the filesystem with no hidden entries (like /usr) displayed from the root of Macintosh HD. However, verifying this led me to another solution...
Vieira: A trick I've found to get around those file dialog limitations is to put the folder (/usr/bin) into the Places sidebar, which you can then select from inside the dialog (unless it's a non-standard file dialog).
Anarchist: The -T doesn't work anyway because the GUI still asks for access to the private key.
Normally the "cleansed" version of the file system that the Keychain's Get Info dialog presents to you won't allow you to access the hidden /usr/bin directory, but I found a way around this.

  1. Get normal Finder windows to show all files. If you aren't aware of how to do this, check out this article.
  2. In a normal Finder window, navigate to /usr/bin
  3. Drag bin over to the Places area in the sidebar. Now bin is a shortcut you can access from anywhere.
  4. From within the Keychain's Get Info -> Access Control pane, click the "+" button to open the find application dialog.
  5. Click the bin that is now under the Places on this sidebar.
  6. Navigate to and select codesign.
  7. Click the Save Changes button.
Romanism answered 22/3, 2011 at 16:58 Comment(1)
Romanism: Normally I would be loath to mark my own answer as accepted when there are other good, valid answers. The only reason I do so is that the solution I managed to find can be done ahead of time, whereas scootklein's answer is more reactive.
Just registered to say THANK you very much, David Boike. Great workaround that helped me a lot. But there is a better way to do this.

In the Open File dialog, press 'Cmd' + 'Shift' + '.'

That combination should toggle the visibility of hidden items on the file system. If the combination is not effective, try changing the presentation mode to 'list' or 'grid' and try it again.

Thanks and good luck!

Flee answered 25/4, 2014 at 11:40 Comment(0)
I found a solution by doing an AppleScript that "clicks" the "Always Allow" button, after having no luck with security or certtool for adding the ACL privileges.

#!/usr/bin/osascript
-- UI scripting through System Events requires the build user to have
-- Accessibility (assistive access) enabled, or the click is refused.
tell application "System Events"
  -- SecurityAgent is the process that draws the keychain access prompt.
  tell window 1 of process "SecurityAgent"
    click button "Always Allow" of group 1
  end tell
end tell
Duodenal answered 16/3, 2011 at 18:2 Comment(0)
OK, this took me almost half a day to figure out, but I now have it working. I was following this article.

The article shows adding the cert like this with the -A option but this didn't work for me.

security import "ADistribution.p12" -k appledev -f pkcs12 -A -P ""

This question mentioned the -T option which did work for me.

security import "Distribution.p12" -k appledev -f pkcs12 -P "" -T /usr/bin/codesign
Electron answered 26/4, 2013 at 4:6 Comment(0)
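The import-time ACL approach from the answer above, carried through as a complete non-interactive setup for a CI build user. This is an added example, not code from any of the answers; the keychain name, passwords and .p12 path are placeholders, and it goes beyond the answer by adding the set-key-partition-list step that macOS 10.12 and later need before -T alone stops the "Always Allow" prompt.

```shell
#!/bin/sh
# Added example (not from the original answers): pre-authorise codesign on an
# imported identity so a headless build machine never sees the keychain dialog.
# KEYCHAIN, KEYCHAIN_PW, P12_PW and the .p12 path are assumed placeholder values.
set -eu

KEYCHAIN="${KEYCHAIN:-ci-signing.keychain-db}"   # assumed keychain name
KEYCHAIN_PW="${KEYCHAIN_PW:-}"                     # supplied by the CI secret store
P12_PW="${P12_PW:-}"                               # password of the .p12 bundle
P12_FILE="${1:-}"                                  # path to the identity to import

# Create a dedicated keychain for signing, unlock it and let it relock after an hour
# so the private key is not exposed indefinitely on the build host.
create_keychain() {
  security create-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN"
  security set-keychain-settings -lut 3600 "$KEYCHAIN"
  security unlock-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN"
}

# Import the identity with codesign (and security itself) on the private key ACL,
# which is the -T option the answer above relies on.
import_identity() {
  security import "$P12_FILE" -k "$KEYCHAIN" -f pkcs12 -P "$P12_PW" \
    -T /usr/bin/codesign -T /usr/bin/security
  # On macOS 10.12+ the key partition list must also name Apple's tools,
  # otherwise the "Always Allow" dialog still appears despite -T.
  security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PW" "$KEYCHAIN"
}

# Put the new keychain in the build user's search list ahead of the login keychain.
add_to_search_list() {
  security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
}

# Succeed only if at least one valid code-signing identity is visible to codesign.
verify_identity() {
  security find-identity -v -p codesigning "$KEYCHAIN" | grep -q '1) '
}

# Run the procedure only when a .p12 path is given and the macOS security tool exists.
if [ -n "$P12_FILE" ] && command -v security >/dev/null 2>&1; then
  create_keychain; import_identity; add_to_search_list; verify_identity
fi
```

Run it once per identity as the build user (sh setup-signing.sh /path/to/Distribution.p12 with the password variables exported); a later codesign invocation from Hudson then finds the key without any GUI prompt.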