
[HowTo] Avoid keychain prompt to allow access to the private key #10589

Closed
nicolasbraun opened this Issue Oct 13, 2017 · 19 comments

nicolasbraun (Contributor) commented Oct 13, 2017

Issue Description

When using match + gym for the first time the system will ask for authorisation to use the Certificate.
https://i.imgur.com/7oPSD4H.jpg

It is problematic on our CI servers with many slaves and for which developers do not have GUI access.

Tried but failed

I tried using a temp keychain to store the match stuff, but I still got the prompt. Did you guys find a way to do that?

Fastfile extract

```ruby
delete_keychain(name: "fastlane_keychain") if File.exist?(File.expand_path("~/Library/Keychains/fastlane_keychain-db"))
create_keychain(
  name: 'fastlane_keychain',
  password: 'temppassword',
  unlock: true,
  timeout: false
)
match(
  ...
  keychain_name: 'fastlane_keychain'
)
gym(...)
delete_keychain(name: 'fastlane_keychain')
```

Nicolas

fastlane-bot commented Oct 13, 2017

It seems like you have not included the output of fastlane env

To make it easier for us to help you resolve this issue, please update the issue to include the output of fastlane env 👍

WilliamIzzo83 commented Oct 24, 2017

I've got the same problem; this breaks things the first time on our build server. Does anyone have a solution?

ohayon (Member) commented Oct 24, 2017

Hey everyone. I believe you should be able to fix this by using these two options:

```ruby
FastlaneCore::ConfigItem.new(key: :lock_when_sleeps,
                             description: 'Lock keychain when the system sleeps',
                             is_string: false,
                             default_value: false),
FastlaneCore::ConfigItem.new(key: :lock_after_timeout,
                             description: 'Lock keychain after timeout interval',
                             is_string: false,
                             default_value: false),
```

Let us know if that works for you! 🚀

MSavisko commented Oct 28, 2017

@nicolasbraun
I have the same problem.

Not working for me:

  1. Unlock keychain
  2. set-key-partition-list for all items in keychain

@ohayon
changing the state of lock_when_sleeps and lock_after_timeout does not relate to @nicolasbraun's question and did not help me.

Any other real suggestion?

ohayon (Member) commented Oct 31, 2017

Hey @MSavisko, apologies that that wasn't working for you; that solution has helped others in the past and even my own configuration on a personal project 😄. Could you provide a bit more context for the issue you're having? It would be helpful to see the output of your command when it is failing and the method by which you are calling fastlane. Are you using a Fastfile?

nicolasbraun (Contributor) commented Nov 14, 2017

Hi @ohayon @MSavisko

Sorry, crazy weeks! Took a while to look.
I realised the keychain created is not called fastlane_keychain but fastlane_keychain-db.
Changed that in the match options and am running some tests; will let you know how it goes.

Felipe-Banno commented Nov 20, 2017

I'm having the same problems. I tried several variations of "fastlane_keychain" and "fastlane_keychain-db" without success.

@nicolasbraun Did you fix the issue? If yes, could you please share your solution?

VincentCATILLON commented Nov 21, 2017

If anyone has a solution for it, it would help.
Trying to implement #10651

nicolasbraun (Contributor) commented Dec 14, 2017

Hi, sorry for the long time to answer.

First note that adding -db as stated in my previous comment does not change anything anymore, as this has been fixed now:

# We also try to append `-db` at the end of the file path, as with Sierra the default Keychain name

I am having a really hard time debugging this. I have inconsistent results on the several slaves I have on my Jenkins and cannot figure out a pattern. So I tried on a new slave machine.

  • The keychain is properly created and unlocked.
  • The certificate is imported in the keychain (screenshot)
  • Access to the private key is open for codesign and security (screenshot)
  • First run: weirdly, the prompt asks for the login keychain password (a keychain that is empty and unlocked) (screenshot)
  • Even weirder, if I enter it and choose "Always Allow", the build goes on
  • On the next runs it weirdly asks for the correct keychain (and the access control is not the same) (screenshot)

The codesign command uses /usr/bin/codesign, which is the one authorized in the screenshot.
It is specifically authorized to avoid this prompt:

command << " -T /usr/bin/codesign" # to not be asked for permission when running a tool like `gym`

Driving me nuts :)

Also I do not seem to have the issue locally (but I only have one setup to test against), so it might be Jenkins related, but I do not see how. The user launching the script is the one I am logged in with for the screenshots.

I am not familiar with how xcodebuild chooses in which keychain to look for the signing certificate. I see that gym does not pass any path/name of keychain; maybe we should add the option? @ohayon do you have any input on that maybe?

Still I don't get why I have a prompt even though my keychain is unlocked.

Something I forgot to mention is that the prompt happens during the '[CP] Embed Pods Frameworks' build phase.

Here are the last lines of my logs:

PhaseScriptExecution [CP]\ Embed\ Pods\ Frameworks /Users/slave/Library/Developer/Xcode/DerivedData/Primitive_iOS-fmpstfyalbxbsparvoduprhyhnxj/Build/Intermediates.noindex/ArchiveIntermediates/Primitive_iOS/IntermediateBuildFilesPath/Primitive_iOS.build/Production-iphoneos/Primitive_iOS.build/Script-BDD5F3E9C530D463D230A81C.sh
    cd /Users/slave/Jenkins/workspace/Shaper_iOS
    /bin/sh -c /Users/slave/Library/Developer/Xcode/DerivedData/Primitive_iOS-fmpstfyalbxbsparvoduprhyhnxj/Build/Intermediates.noindex/ArchiveIntermediates/Primitive_iOS/IntermediateBuildFilesPath/Primitive_iOS.build/Production-iphoneos/Primitive_iOS.build/Script-BDD5F3E9C530D463D230A81C.sh
mkdir -p /Users/slave/Library/Developer/Xcode/DerivedData/Primitive_iOS-fmpstfyalbxbsparvoduprhyhnxj/Build/Intermediates.noindex/ArchiveIntermediates/Primitive_iOS/BuildProductsPath/Production-iphoneos/Primitive_iOS.app/Frameworks
Symlinked...
rsync --delete -av --filter P .*.?????? --filter "- CVS/" --filter "- .svn/" --filter "- .git/" --filter "- .hg/" --filter "- Headers" --filter "- PrivateHeaders" --filter "- Modules" "/Users/slave/Library/Developer/Xcode/DerivedData/Primitive_iOS-fmpstfyalbxbsparvoduprhyhnxj/Build/Intermediates.noindex/ArchiveIntermediates/Primitive_iOS/IntermediateBuildFilesPath/UninstalledProducts/iphoneos/ADDynamicLogLevel.framework" "/Users/slave/Library/Developer/Xcode/DerivedData/Primitive_iOS-fmpstfyalbxbsparvoduprhyhnxj/Build/Intermediates.noindex/ArchiveIntermediates/Primitive_iOS/InstallationBuildProductsLocation/Applications//Primitive_iOS.app/Frameworks"
building file list ... done
ADDynamicLogLevel.framework/
ADDynamicLogLevel.framework/ADDynamicLogLevel
ADDynamicLogLevel.framework/Info.plist

sent 313437 bytes  received 70 bytes  627014.00 bytes/sec
total size is 313147  speedup is 1.00
Code Signing /Users/slave/Library/Developer/Xcode/DerivedData/Primitive_iOS-fmpstfyalbxbsparvoduprhyhnxj/Build/Intermediates.noindex/ArchiveIntermediates/Primitive_iOS/InstallationBuildProductsLocation/Applications//Primitive_iOS.app/Frameworks/ADDynamicLogLevel.framework with Identity iPhone Distribution: APPLIDIUM (LL36D6ZV57)
/usr/bin/codesign --force --sign D398B53754539ED9657EB33B19B8F1C153D3AA96  --preserve-metadata=identifier,entitlements '/Users/slave/Library/Developer/Xcode/DerivedData/Primitive_iOS-fmpstfyalbxbsparvoduprhyhnxj/Build/Intermediates.noindex/ArchiveIntermediates/Primitive_iOS/InstallationBuildProductsLocation/Applications//Primitive_iOS.app/Frameworks/ADDynamicLogLevel.framework'

Nicolas

fastlane-bot commented Jan 28, 2018

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.

Please make sure to update to the latest fastlane version and check if that solves the issue. Let us know if that works for you by adding a comment 👍

fastlane-bot commented Mar 21, 2018

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.

Please make sure to update to the latest fastlane version and check if that solves the issue. Let us know if that works for you by adding a comment 👍

MSavisko commented Mar 22, 2018

Perhaps due to no free time and the "Always allow" workaround; I will check whether the bug is still present later.

saitjr commented Mar 22, 2018

I just resolved this problem last week:

```shell
security set-key-partition-list -S apple-tool:,apple: -s -k $PASS ~/Library/Keychains/login.keychain-db
```

nicolasbraun (Contributor) commented Mar 22, 2018

jgavris commented Mar 22, 2018

FWIW I haven't seen the codesign dialog using the following

```ruby
def ensure_temp_keychain(name)
  delete_keychain(
    name: name
  ) if File.exist? File.expand_path("~/Library/Keychains/#{name}-db")
  create_keychain(
    name: name,
    password: 'temppassword',
    unlock: true,
    timeout: false
  )
end

...

ensure_temp_keychain 'fastlane_enterprise'
match(
  type: 'enterprise',
  git_branch: CredentialsManager::AppfileConfig.try_fetch_value(:team_id),
  readonly: true,
  keychain_name: 'fastlane_enterprise'
)
```

saitjr commented Mar 23, 2018

@jgavris Should I delete the keychain before running match?

I have a problem when I run match a lot of times later: the keychain gets stuck.

jgavris commented Mar 23, 2018

@saitjr ensure_temp_keychain always deletes it first, then creates it. It's just making sure it's 'really temporary'.

saitjr commented Mar 23, 2018

Seems to be the solution to the stuck keychain.

nicolasbraun (Contributor) commented Mar 30, 2018

Thanks for your help, I made a test run and it seems to work with @jgavris solution 🚀
I will test it soon on a fresh new machine

@fastlane fastlane locked and limited conversation to collaborators May 30, 2018
