New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[match] errSecInternalComponent if not possible to prompt for keychain password #15185
Comments
This comment has been minimized.
This comment has been minimized.
It seems like you have not included the output of To make it easier for us help you resolve this issue, please update the issue to include the output of |
Can you tell us a bit about your environment? (see also what the bot posted) |
I don't think the env is that relevant. As I said, I've seen this issue many times over the period of over a year across multiple Fastlane versions, OSX versions, and XCode versions. As far as I can tell this is an XCode - or to be precise The most recent instance of this issue is probably #10589. I think the only thing we can do is at least update the common issues page with explanation of this issue. But anyway, here's And the reproduction is simple:
|
This comment was marked as outdated.
This comment was marked as outdated.
Oh no bot, you're not closing this one. |
This comment was marked as outdated.
This comment was marked as outdated.
You're not even human, you can't tell me what to do. |
Hey I'm facing the same issue. I've tried to create and unlock the keychains. This issue is making the CI flaky and I don't have any foolproof solution from the documentations provided. Somehow I think that the unlock feature is not working, as I can see that the keychain database in Keychain Access still has the locked padlock. At this stage, I'm considering to use a static password (instead of a random password) for creating the keychain and click on Always Allow on the UI once.
|
This comment was marked as outdated.
This comment was marked as outdated.
BEGONE! |
I've similar issue.. |
This just happened to me. My provisioning profiles/certificates expired and I had to nuke them and make new ones (using This issue as well as (closed issue) #8745 helped me resolve it. Thank you very much for your hard work and sharing your info @jakubgs. To (hopefully) resolve this I opened a terminal and executed the fastlane command that my Jenkins server would have run. In this way I was able to see the popup that prompts for a password (see screenshot provided in the "Issue Description" above) and choose "Always Allow". I kicked off a Jenkins build and am waiting now to see if it succeeds without issue. I'm hoping the |
I thought we also have this issue. But after trying to import certificates manually, and setting key partition list it seems it is working. It was just my How I tested this manually, your paths and passwords may vary
and my before_all lane setup (I use Jenkins, and keychain path and password are in env variables after provisioning)
After this, match executed before build_ios_app works on a freshly provisioned machine. Tested this also with a fresh certificate and keychain on my MacBook. MacOs Catalina 10.15, Fastlane 2.140.0, ruby 2.6.3, Xcode 11.1 |
There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Friendly reminder: contributions are always welcome! Check out CONTRIBUTING.md for more information on how to help with |
This comment has been minimized.
This comment has been minimized.
When importing keys list the apps with granted permissions explicitly |
I hit this recently setting up headless cicd environment. I've tried number of suggestions so far including:
the only option working is |
By default headful macOSs already have login.keychain for each user and therefore creating one is no-op. The fact that it helped means that this keychain was missing and therefore creating one is the right thing. |
That doesn't make sense. Keychain is just a file, you can have and use as many as you want. |
And in case I wasn't clear - this needs to be on the Gitlab-CI runner |
In Russian Система |
I see, also found some answer that explain your questions https://stackoverflow.com/questions/69464483/codesign-fails-during-export-using-a-launchd-runner |
I gave it a fresh look today. It works after a bit of manual configuration of the keychains. This is what Fastlane Match should do for us. First, Fastlane Match does not work with custom keychain. Using Second, I admit I have to use the login keychain. I started with a fresh KEYCHAIN_PASSWORD=Passw0rd
KEYCHAIN_NAME=login.keychain
SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain
AUTHORISATION=(-T /usr/bin/security -T /usr/bin/codesign -T /usr/bin/xcodebuild)
sudo security delete-keychain "${SYSTEM_KEYCHAIN}"
sudo security create-keychain -p "${KEYCHAIN_PASSWORD}" "${SYSTEM_KEYCHAIN}"
sudo security list-keychains -s "${SYSTEM_KEYCHAIN}"
curl -s -o $CERTIFICATES_DIR/AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
sudo security import $CERTIFICATES_DIR/AppleWWDRCAG3.cer -t cert -k "${SYSTEM_KEYCHAIN}" "${AUTHORISATION[@]}" I let Fastlane Match import the signing key to the login keychain. I ensure the login keychain is NOT locked and will NOT timeout.
Be sure the search list is correct sudo security list-keychains -s $HOME/Library/Keychains/login.keychain-db /Library/Keychains/System.keychain Then verify the root certificate and your sign key are present
With the above setup - a |
Gitlab CI is where I have had issues and this is directly a result of running it as a LaunchDaemon. I definitely use custom keychains and dynamically created and destroyed ones at that. The central issue is that gitlab-runner as a launch daemon is running in a system context and cannot / will-not see the intermediates if they aren't in the System keychain. Furthermore, it is increasingly difficult to manage certificates across 20+ builders, because things like import are difficult to script. I simplified my life by creating an MDM profile and attaching the certificates. |
Can we continue this discussion somewhere else please.
…On Fri, 7 Oct 2022 at 1:22 pm, Anastasia ***@***.***> wrote:
I pretty sure that i have it all, as i know xcode automatically install
all of them. But i see they in certification center
[image: image]
<https://user-images.githubusercontent.com/60486232/194551981-c560cfad-3644-4b2d-b976-639d4735b9a4.png>
What do you mean this needs to be on the Gitlab-CI runner? Runner runs on
this macmini and use all of it.
—
Reply to this email directly, view it on GitHub
<#15185 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB7CSCDX4CNQK5YFQXASLR3WCAIYNANCNFSM4IL7Z3JA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
what helped us to to add this step to the build script before running fastlane:
|
Use pm2 and be free!!! |
Ok, I have to explain better, for any reason, the daemons can't access user keychain only system keychain, we install pm2 to start task in mac mini at start, task is able to access keychain without problem. |
I seem to have a solution. Ran into this problem today while setting up the new Mac for CI. When you install the certificate first time with match, you just need to supply keychain_password (e.g., as MATCH_KEYCHAIN_PASSWORD env variable). fastlane seems to do all the necessary actions to give codesign access to keychain, but only if you supply password and when you install the certificate. Code that I inspected: fastlane/match/lib/match/utils.rb Line 9 in b4263a2
+SO reference https://stackoverflow.com/questions/54463588/allow-certain-apps-to-access-the-keychain-using-command-line I see a similar answer above: #15185 (comment) But for me with a fresh install (I used tart VM to test setup) it worked just with what I mentioned in this comment. Hope that it helps. |
Do we have to use Here is my Fastfile:
I've tried adding:
I've tried variants of that too: including using just I've also tried adding the following:
None of the workarounds mentioned above seem to work for me, I'm not even sure what to try at this point. |
I stumbled upon this thread after dealing with some code signing issues on my self-hosted GitHub Actions runner. In the interest of helping anyone else that might encounter this issue, here's the story of how I solved it in my case: I was using a fresh install of macOS 12.6.3 on a 13" MacBook Pro mid-2010 (patched using OCLP) and Xcode 14.2, but was always receiving the UI prompt to enter the login keychain password even though I was creating and using a temporary keychain in my This would cause the build to hang at the codesign step of The only thing that worked to bypass the keychain prompt was setting the value of create_keychain(
name: keychain_name,
password: keychain_password,
default_keychain: true, # Needs to be set to true to prevent keychain prompt on self-hosted runner
unlock: true,
timeout: 3600 # 1 hour
) While this did work, it was not an ideal solution since it messes with global keychain state. On a CI, it's not a huge deal, but I didn't really trust it to continue to keep working reliably. Also, it caused my keychains to get switched around when running locally on my development machine, which was a big pain if I forgot to manually go back and set my login keychain to the default. I could have worked around this by using Eventually, I got tired of trying other workarounds and suggestions so I decided to start fresh. I reinstalled macOS, this time macOS 12.6.4 (again using OCLP to get it installed on my older MacBook) and again using Xcode 14.2. However, now I was getting a problem with the I did some more investigation and was unable to recreate the issues when using self-hosted runners installed in VMs using UTM on my M2 Macbook Pro development machine:
Using a VM on my development machine isn't a terrible option for a self-hosted runner, but I didn't want the hassle of needing to remember to start it up when I wanted to get builds processed and shut it down when I wanted to get max battery life. Also, UTM is still somewhat buggy so dealing with it on a daily basis would have been a pain. Luckily Open Core Legacy Patcher So it seems like some of these issues we're encountering could be due to the versions of macOS and/or Xcode that are being used. In my case, it only started working for me on the latest macOS 13.3 and Xcode 14.3 and I pray that it will continue to work reliably for me. 🙏 I should also mention that I was using Fastlane And here is the contents of my default_platform(:ios)
before_all do |lane, options|
# Make sure fastlane is being executing using 'bundle exec' prefix
ensure_bundle_exec()
end
platform :ios do
# Variables available to all lanes
ci_build_number = ENV["BUILD_NUMBER"] ? ENV["BUILD_NUMBER"] : "1" # Defaults to build number "1"
build_directory = ENV["BUILD_DIRECTORY"] ? ENV["BUILD_DIRECTORY"] : ".build" # Defaults to ".build" directory for build artifacts
derived_data_path = "#{build_directory}/DerivedData"
scheme = "MyAppScheme"
target = scheme
qa_build_type = "adhoc"
qa_build_configuration = "QA"
desc "Create QA build"
lane :buildQA do
# Make sure the required environment variables are present
ensure_env_vars(
env_vars: [
"MATCH_PASSWORD", # Decrypts the match repository
"MATCH_GIT_BASIC_AUTHORIZATION" # Base64 encoded GitHub PAT to access the match repository
]
)
# Create a keychain for match to use when installing signing certificates
keychain_name = "fastlane-temp-#{SecureRandom.hex(8)}.keychain-db"
keychain_password = SecureRandom.hex(8)
create_keychain(
name: keychain_name,
password: keychain_password,
default_keychain: false,
unlock: true,
timeout: 3600 # 1 hour
)
# Catch any errors from this point forward so that the temporary keychain can be cleaned up
begin
# Run match to install signing certificates and provisioning profiles
match(
type: qa_build_type,
readonly: true,
keychain_name: keychain_name,
keychain_password: keychain_password,
verbose: true
)
# Set the build number
version_number = get_version_number(target: target)
build_number = ci_build_number
increment_build_number(
build_number: build_number
)
# Build app
output_name = "#{scheme}_#{qa_build_configuration}_#{version_number}_#{build_number}"
gym(
derived_data_path: derived_data_path,
configuration: qa_build_configuration,
scheme: scheme,
clean: true,
output_directory: build_directory,
output_name: output_name,
archive_path: "#{build_directory}/#{output_name}",
verbose: true
)
ensure
# Always clean up the temporary keychain
delete_keychain(
name: keychain_name
)
end
end
end |
I faced a similar issue myself running Running the process manually on the runner was working without any issues. Running the process through On Github Actions was failing. I tried all the answers above and all the combinations possible, without any success. Then I stumbled upon those: And the proposed solution actually works! 🚀 🎉 system('security', 'set-key-partition-list', '-S', 'apple-tool:,apple:', '-s', '-k', '{{ keychain password }}', '{{ keychain name }}') Reverse looking into it here, the solution had already been posted in #14040 by @Katsz on March 2019 Hope this helps :) |
Thank you @ladislas This is indeed what I do when using bash script. Any example on how / where to use this command with fastlane ? |
If I understand correctly I came across an issue with some Mac devices (but not others, smh) running Monterey and up where the If so, you can add an undocumented key to your
|
@Katsz what plist file name you mean? Another thing that we do on self hosted runner is to allow access to keychain items: |
I discussed the
|
@Katsz use launchd with a LaunchDaemons only. Here is a plist file that works for me: GitHub, GitLab, CircleCI |
In our release lane, we have the following:
|
For sure, but if you follow Github's tutorial it will be installed as |
@Katsz You are correct, and this is a mistake in GitHub and GitLab documentation. LaunchAgents are for apps that start at login, i.e. when there is a graphical session started on the machine. It works well for machines sitting on or under your desk, or in a closet not too far away. I am trying to industrialize build pipelines in the cloud. On cloud machines, there is no keyboard and screen attached. You may connect through VNC, but this is not recommended. The recommendation is to never connect to the machine, except for initial installation (and even ...) and take a disk snapshot. LaunchDaemons works well for CICD agents. As someone mentioned, you must just ensure to pass the |
This of course is all becoming much harder because of Apple taking away the ability to remotely administer machines, pushing us into MDM solutions. Although, I am interested in toying around with Dockerized OSX and I'm actively working at building on Linux. |
However, now I am finding I need to restart every so often and rerun on my mac2.metal ec2 instance.
I am doing fastlane tests with one scheme, and fastlane build and testflight with another scheme. Not sure if that is causing the issue, or if there is something new in the later OS version. Any help would be greatly appreciated. |
Issue Description
Fastlane
match
when signing the app with a new certificate fails witherrSecInternalComponent
when run without UI. When run with UI it prompts for password to access the keychain, even if the keychain is unlocked, like so:Command executed
Result:
Details
This has been an issue across multiple Fastlane versions for over a year at least.
I've been fighting with this for few days in status-im/status-mobile#8745 and here are my findings:
match
callscodesign
which requires the Keychain file to be unlocked via UIAlways Allow
when prompted for accessAlways Allow
trick againcodesign
utility does not seem to care if the Keychain file has been unlocked in advancesecurity unlock-keychan
and creating an unlocked keychain with FastlaneAttempted Solutions
I've attempted to create a temporary unlocked keychain as it was suggested in #10589 (comment) and made this:
Which I tried using like this:
But the result is the same. Despite the keychain being already unlocked the
codesign
call still either fails witherrSecInternalComponent
or prompts for password of UI is available.Musings
I understand this might not be an issue with Fastlane itself, but rather with the
codesign
utility. If that is indeed the case than I think it would be prudent to at least publish an explanation of theerrSecInternalComponent
error under https://docs.fastlane.tools/codesigning/common-issues/. Or maybe even include a warning message in Fastlane that would point to this possible cause. I and probably many others have wasted a lot of time trying to figure out this issue.The official Apple documentations means literally nothing:
https://developer.apple.com/documentation/security/1542001-security_framework_result_codes/errsecinternalcomponent
Related Issues
The text was updated successfully, but these errors were encountered: