Keychain won't unlock from Jenkins script unless user logged in
I'm running a Jenkins CI server on an OS X machine. The server is running as a standard user 'john', and is started by running launchctl. One of the things this server does is build Xcode projects using keys and certificates stored in a keychain 'xcode.keychain':

Jenkins (which is running under the user 'john' according to Activity Monitor) calls these commands from a script when the user presses a button on the web interface:

security default-keychain -s /Users/john/Library/Keychains/xcode.keychain
security unlock-keychain -p password /Users/john/Library/Keychains/xcode.keychain
xcodebuild ...

If I happen to be logged into the server as 'john' via the UI, the keychain gets unlocked properly when Jenkins calls those commands. But, if I'm not logged in, xcode.keychain doesn't get unlocked and the build fails. Any ideas?

Hardship answered 20/6, 2011 at 19:6 Comment(5)
Moving all the keys and certs into the System.keychain fixed this problem. I'm guessing it has something to do with Jenkins running from launchctl, but still curious why exactly it wasn't working before. -- Hardship
How exactly did you do this? I tried to replicate your solution, but I still get an error :( -- Achromatism
YMMV, but I just moved my keys and certs to the system keychain as recommended above and it worked for me. -- Deterrent
Reason and solution explained here: https://mcmap.net/q/205102/-missing-certificates-and-keys-in-the-keychain-while-using-jenkins-hudson-as-continuous-integration-for-ios-and-mac-development -- Holguin
Dragging the key with certificate to the System keychain worked for me, and doesn't require putting my keychain password in a script, thanks! -- Voroshilov
Running Jenkins without launchd works. I used the following command:

sudo su jenkins -c "JENKINS_HOME=/Users/Shared/Jenkins/Home /Library/Application\ Support/Jenkins/jenkins-runner.sh"
Tapp answered 22/9, 2011 at 18:59 Comment(1)
Running a CI/CD system such as Jenkins with superuser do (sudo) seems like a bad idea because of the security concerns. -- Gravesend
I had to:

  1. Right-click on the private key in my keychain that my build process was trying to use
  2. Click "Get Info"
  3. Then the "Access Control" tab.
  4. You can add specific apps (like "codesign") to the list of apps that are allowed access to that key, or just allow access from all applications.

This cleared it up for me.

More info in these comments: https://mcmap.net/q/325420/-running-xcodebuild-from-a-forked-terminal

Ethology answered 13/3, 2013 at 14:52 Comment(0)
I stumbled upon the exact same issue recently.

security list-keychains -s /Users/john/Library/Keychains/xcode.keychain probably will fix your problem. Let me know if it works.

Recently I found a solution to this over there: Missing certificates and keys in the keychain while using Jenkins/Hudson as Continuous Integration for iOS and Mac development

Unpeg answered 18/10, 2011 at 11:21 Comment(0)
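An added example, not code from the question or from any of the answers above: the command sequence from the question, the `security list-keychains -s` fix from this answer and the key access-control step from the earlier answer, put together as a POSIX shell script a Jenkins shell step could call. The keychain path, the password file and the extra keychains to keep on the search list are arguments the caller supplies (assumed here for illustration); the `security` subcommands and flags are the real macOS ones. Setting `DRY_RUN=1` prints the commands (secrets masked) instead of running them, so the sequence can be checked on a machine without `security`:

```shell
#!/bin/sh
# Added example (not from the original question or answers): prepare a
# dedicated build keychain for a non-interactive, launchd-started Jenkins job.
# Keychain path, password file and extra keychains are caller-supplied
# assumptions; DRY_RUN=1 prints each command instead of executing it.
set -eu

# Run `security` on macOS; otherwise (or with DRY_RUN=1) print the command
# with the value after -p/-k masked so a console log never carries the secret.
sec() {
    if [ "${DRY_RUN:-0}" = 0 ] && command -v security >/dev/null 2>&1; then
        security "$@"
        return
    fi
    line="security"; mask=0
    for arg in "$@"; do
        if [ "$mask" = 1 ]; then arg='***'; mask=0; fi
        case "$arg" in -p|-k) mask=1 ;; esac
        line="$line $arg"
    done
    printf '%s\n' "$line"
}

# unlock_build_keychain KEYCHAIN PASSWORD_FILE [OTHER_KEYCHAIN...]
# A job started by launchd does not inherit the keychain search list of a GUI
# login session, so the build keychain has to be put on the list explicitly.
# `list-keychains -s` replaces the whole list rather than appending, so pass
# every keychain that should stay visible (login, System) as extra arguments.
unlock_build_keychain() {
    kc="$1"; passfile="$2"; shift 2
    sec list-keychains -d user -s "$kc" "$@"
    sec default-keychain -d user -s "$kc"
    # The password lives in a file readable only by the Jenkins user instead
    # of in the job script; it is still visible in `ps` output while this one
    # `security` call runs, which is the cost of the -p flag.
    sec unlock-keychain -p "$(cat "$passfile")" "$kc"
    # An unlocked keychain re-locks after its timeout; allow an hour (-t, -u)
    # and do not lock on sleep (no -l) so a long build does not stall.
    sec set-keychain-settings -t 3600 -u "$kc"
}

# allow_codesign_access KEYCHAIN PASSWORD_FILE
# Command-line counterpart of the "Access Control" tab: on macOS 10.12 and
# later the partition list decides which Apple tools (codesign, xcodebuild)
# may use the private keys without a prompt. Older systems lack this
# subcommand; skip the call there.
allow_codesign_access() {
    kc="$1"; passfile="$2"
    sec set-key-partition-list -S apple-tool:,apple: -s -k "$(cat "$passfile")" "$kc"
}

# Stand-alone use from a Jenkins shell step, before xcodebuild:
#   sh unlock.sh ~/Library/Keychains/xcode.keychain ~/.xcode-keychain-pass \
#      ~/Library/Keychains/login.keychain-db /Library/Keychains/System.keychain
if [ "$#" -ge 2 ]; then
    unlock_build_keychain "$@"
    allow_codesign_access "$1" "$2"
fi
```

Two things a reviewer will pick on first: `-s` on `list-keychains` replaces the search list, so any keychain left off the argument list disappears from the job's view; and `-p` hands the password to `security` on its command line, where any other process on the box can read it from the argument vector for the duration of that call. Keeping the password in a 0600 file owned by the Jenkins user limits exposure at rest but does not remove that window.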
You could try Jenkins.app, an alternative way to run Jenkins. It runs Jenkins in a user session, so Keychain should not be a problem.

Housecoat answered 1/4, 2012 at 22:2 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.