Keychain prompts for permission to use private key regardless of access control settings on sierra #6866

Closed
godrei opened this Issue Nov 4, 2016 · 39 comments

godrei commented Nov 4, 2016

New Issue Checklist

Issue Description

Fastlane gym hangs on xcodebuild archive commands.

Keychain prompts for permission to use the private key regardless of access control settings on Sierra. This causes a hang on build servers when tools call the codesign tool, such as when signing an archive, copying a framework, or embedding pods.

Related openradar issue.

The mentioned solution seems to be working, our implementation: https://github.com/bitrise-io/steps-certificate-and-profile-installer/blob/master/main.go#L548

Log 1:

+----------------------+-------------------------+
|             Summary for gym 1.11.3             |
+----------------------+-------------------------+
| scheme               | [REDACTED]                 |
| configuration        | Alpha                   |
| use_legacy_build_api | true                    |
| export_method        | development             |
| workspace            | ./[REDACTED].xcworkspace   |
| destination          | generic/platform=iOS    |
| output_name          | [REDACTED]                 |
| clean                | false                   |
| output_directory     | .                       |
| silent               | false                   |
| buildlog_path        | ~/Library/Logs/gym      |
| xcode_path           | /Applications/Xcode.app |
+----------------------+-------------------------+

[07:58:19]: $ set -o pipefail && xcodebuild -workspace ./[REDACTED].xcworkspace -scheme [REDACTED] -configuration 'Alpha' -destination 'generic/platform=iOS' -archivePath /Users/vagrant/Library/Developer/Xcode/Archives/2016-11-03/[REDACTED]\ 2016-11-03\ 07.58.19.xcarchive archive | tee /Users/vagrant/Library/Logs/gym/[REDACTED]-[REDACTED].log | xcpretty
[07:58:24]: ▸ Building [REDACTED]/[REDACTED]-notification [(Release)]
[07:58:24]: ▸ Check Dependencies
[07:58:24]: ▸ Processing Info.plist
[07:58:24]: ▸ Compiling NotificationService.swift
[07:58:29]: ▸ Compiling NotificationService.swift
[07:58:37]: ▸ Linking [REDACTED]-notification
[07:58:38]: ▸ Linking [REDACTED]-notification
[07:58:43]: ▸ Generating '[REDACTED]-notification.appex.dSYM'
[07:58:45]: ▸ Touching [REDACTED]-notification.appex
[07:58:45]: ▸ Signing /Users/vagrant/Library/Developer/Xcode/DerivedData/[REDACTED]-euwzwswygybbklfshqvjvmmgzspa/Build/Intermediates/ArchiveIntermediates/[REDACTED]/IntermediateBuildFilesPath/UninstalledProducts/iphoneos/[REDACTED]-notification.appex

hang on this line...

Log 2:

+----------------------+-------------------------+ 
| Summary for gym 1.11.3 | 
+----------------------+-------------------------+ 
| scheme | Palace | 
| configuration | Adhoc | 
| use_legacy_build_api | true | 
| export_method | ad-hoc | 
| project | ./[REDACTED].xcodeproj | 
| destination | generic/platform=iOS | 
| output_name | [REDACTED] | 
| clean | false | 
| output_directory | . | 
| silent | false | 
| buildlog_path | ~/Library/Logs/gym | 
| xcode_path | /Applications/Xcode.app | 
+----------------------+-------------------------+

[12:13:35]: $ set -o pipefail && xcodebuild -scheme [REDACTED] -project ./[REDACTED].xcodeproj -configuration 'Adhoc' -destination 'generic/platform=iOS' -archivePath /Users/vagrant/Library/Developer/Xcode/Archives/2016-11-03/[REDACTED]\ 2016-11-03\ 12.13.35.xcarchive archive | tee /Users/vagrant/Library/Logs/gym/[REDACTED]-[REDACTED].log | xcpretty 
[12:13:37]: ▸ Building [REDACTED]/[REDACTED] [Adhoc] 
[12:13:37]: ▸ Check Dependencies 
[12:14:36]: ▸ Compiling [REDACTED]_vers.c 
[12:14:37]: ▸ Compiling [REDACTED]_vers.c 
[12:14:37]: ▸ Linking [REDACTED] 
[12:14:39]: ▸ Linking [REDACTED] 
[12:14:39]: ▸ Compiling LaunchScreen.storyboard 
[12:14:45]: ▸ Processing Info.plist 
[12:14:45]: ▸ Generating '[REDACTED].app.dSYM' 
[12:14:45]: ▸ Running script 'Copy Frameworks'

hang on this line...

Log 3:

Compiling a lot...

[20:42:44]: ▸ Compiling Main.storyboard
[20:42:50]: ▸ Processing Info.plist
[20:42:50]: ▸ Generating '[REDACTED].app.dSYM'
[20:42:50]: ▸ Running script 'Run Script'
[20:42:50]: ▸ Running script '[CP] Embed Pods Frameworks'

hang on this line...

fastlane-bot Nov 4, 2016

It seems like this issue might be related to code signing 🚫

Have you seen our new Code Signing Troubleshooting Guide? It will help you resolve the most common code signing issues 👍

godrei Nov 4, 2016

All of these builds were working fine before Sierra, all of these builds are failing on the same part of xcodebuild archive calls (when it uses codesign).

Based on the openradar issue I mentioned previously and on our tests, it seems that without calling security set-key-partition-list ... you cannot avoid the keychain prompt for permission (on Sierra), even if you installed the certificate correctly and opened the keychain with security command calls.

Am I missing something?

kwoylie Nov 4, 2016

I'm getting a similar issue. When I build on El Capitan it works perfectly fine and doesn't have any issues with code signing, and I was running the same iOS SDK (8.1) on both El Capitan and Sierra.

viktorbenei Nov 6, 2016

Practically this issue means that fastlane hangs at any point which requires code signing, on a clean macOS Sierra, in a non interactive environment (CI), because of the permission popup.

KrauseFx Nov 7, 2016

Member

Is this something that was recently introduced by fastlane? Did it work before?

viktorbenei Nov 7, 2016

This is a change in macOS Sierra - the same fastlane build works on El Capitan, but "hangs" on Sierra, waiting for the user to click the "Allow" popup for code signing. See the related radar: https://openradar.appspot.com/28524119

viktorbenei Nov 7, 2016

To highlight, the solution we found is to do this: https://github.com/bitrise-io/steps-certificate-and-profile-installer/blob/master/main.go#L569 - "security", "set-key-partition-list", "-S", "apple-tool:,apple:", "-k", configs.KeychainPassword, configs.KeychainPath, after "security", "import", cert, "-k", configs.KeychainPath, "-P", pass, "-A"

This has to be done only on Sierra; this command would fail on El Capitan.

@godrei godrei added the type: bug label Nov 7, 2016

@TKBurner TKBurner added the tool: gym label Nov 8, 2016

TKBurner Nov 8, 2016

@viktorbenei Thanks for working with us on this. I've circled back with the core team to see what we can do to improve this 👍

viktorbenei Nov 8, 2016

Thanks @TKBurner , let us know if we can help with anything else!

milch Nov 8, 2016

Member

I'll investigate possible fixes now, expect a PR soon 👍

viktorbenei Nov 8, 2016

Awesome news, thank you @milch !

milch Nov 9, 2016

Member

This is now done, once the PRs are merged we'll release versions of the fastlane tools where this is fixed 🚀

viktorbenei Nov 9, 2016

Awesome news, thank you! 🎉

KrauseFx Nov 10, 2016

Member

Thanks @viktorbenei and @godrei for providing all this information, it was super helpful 👍

kylejm Nov 13, 2016

Contributor

Hey all, thanks for the hard work on this!

I'm still experiencing this problem after upgrading gym to 1.12.0 and match to 0.11.0.

My logs are basically the same as Log 2 and Log 3 above. Running on Bitrise with Xcode 8.1 on macOS 10.12 (Sierra). I've tested creating and installing certs on local with match 0.11.0 but the pop up still appears when gym 1.12.0 comes to sign.

Anything I could be missing or not updated? All the rest of our fastlane gems are up to date too.

milch Nov 13, 2016

Member

What's your fastlane_core version?

Also match needs to have re-downloaded the certificates at least once for it to work, so try removing the certs manually and re-running match

kylejm Nov 14, 2016

Contributor

fastlane_core is at 0.55.0.

I'm running on CI and the certs are re-downloaded by match on every build.

kylejm Nov 14, 2016

Contributor

Can this one be re-opened please? It's quite a blocker for us, stopping any submissions on CI via fastlane. 😢

@TKBurner TKBurner reopened this Nov 14, 2016

milch Nov 14, 2016

Member

Did you provide the keychain_password param to match?

kylejm Nov 14, 2016

Contributor

No, but I didn't think you'd have to if the item was added by match? I don't know what the password would be for keychain on our CI if I were to have to do this. Maybe @godrei or @viktorbenei can advise if it comes to that.

milch Nov 14, 2016

Member

@kylejm The keychain password is (unfortunately) required by the set-key-partition-list command, even if the keychain is already unlocked. Usually for the (default) login keychain the password is the user's account password.

As a workaround, you could create a temporary keychain with a known password and use that to import your certificates. The only thing you'd have to take care of is creating the keychain and pointing match to your keychain with the keychain_name param (and also setting keychain_password, of course).

mono0926 Nov 15, 2016

@milch

Thanks, the problem has been resolved 👍
I was troubled with hangs as well as @kylejm, but it works well again now 🎉

Bitrise:

Define MATCH_KEYCHAIN_NAME and MATCH_KEYCHAIN_PASSWORD.

fastlane:

Define this and call it before match

private_lane :create_temporary_keychain do
  create_keychain(
    name: ENV["MATCH_KEYCHAIN_NAME"],
    password: ENV["MATCH_KEYCHAIN_PASSWORD"],
    timeout: 1200
  )
end

milch Nov 15, 2016

Member

@mono0926 Thanks for posting your solution!

@kylejm Let me know if that resolves it!

vincentsaluzzo Nov 15, 2016

Hello there,

I've tried all your solutions but nothing works for me.
My build on Bitrise still blocks when running the carthage copy-frameworks command in the run script phase.
Was the fix released in the fastlane 1.108 tool suite?

vincentsaluzzo Nov 15, 2016

Mmmh, I wrote a bad character in the Bitrise environment variable, sorry.

milch Nov 15, 2016

Member

@vincentsaluzzo So is it working for you now?

kylejm Nov 15, 2016

Contributor

I'm not quite sure why this solution of creating a new keychain needs to be used when @viktorbenei gives a solution that works without needing to do so. @milch could you clarify that for me, I think I'm missing something. :)

I'll try the solution given by @mono0926.

milch Nov 15, 2016

Member

@kylejm I'm guessing that since @viktorbenei is a cofounder of bitrise.io and posted code taken from the bitrise source, they can read the keychain password for the login keychain from their configuration.

viktorbenei Nov 15, 2016

For reference, the login keychain password is vagrant, which can also be retrieved from the $BITRISE_KEYCHAIN_PASSWORD env var - you can use this env var as the match keychain password.

milch Nov 15, 2016

Member

Ah, thanks @viktorbenei! I'll close this, then.

@milch milch closed this Nov 15, 2016

viktorbenei added a commit to bitrise-io/osx-box-bootstrap that referenced this issue Nov 17, 2016

v2016_11_17_1
* `MATCH_KEYCHAIN_PASSWORD` env var defined, to fix the `fastlane` macOS Sierra keychain handling issue (fastlane/fastlane#6866)
* Xamarin only: removed `sys-img-armeabi-v7a-android-23`, the package is no longer available in `android update sdk`
* Xamarin only: `ANDROID_NDK_HOME` env var is now defined

Sega-Zero Dec 5, 2016

@KrauseFx if I have only KEYCHAIN_NAME specified, shouldn't match read it if MATCH_KEYCHAIN_NAME is not specified?
Just faced this trouble on Travis CI, see Travis CI issue. Shouldn't match call this itself, instead of making such workarounds?

viktorbenei Dec 5, 2016

An update from bitrise.io side - the MATCH_KEYCHAIN_PASSWORD env var is now defined on all macOS VMs by default, to the same value as BITRISE_KEYCHAIN_PASSWORD (see #6866 (comment) ).

milch Dec 5, 2016

Member

@Sega-Zero We usually only use the prefixed versions of environment variables, to avoid clashes with other tools and unintended side effects. Sometimes non-prefixed versions are available though for compatibility reasons, but there are currently efforts underway to remove those: #6659

If you want to use both, it's best if you just do ENV["MATCH_KEYCHAIN_NAME"] = ENV["KEYCHAIN_NAME"] at the beginning of your Fastfile.

guidomb Feb 6, 2017

Contributor

I experienced the same issue. Copy frameworks hangs (both in travisci and bitrise). In my case I was creating a new keychain in a before hook. That was working fine before migrating to Xcode 8. Any idea what could be the problem? I fixed the problem by using the default keychain provided by bitrise but I would like to create / destroy a new keychain. Is it possible?

Here is an example of how I was creating / destroying the keychain

before_all do |lane|
  create_keychain(
    name: 'syrmo_keychain',
    default_keychain: true,
    unlock: true,
    timeout: 3600,
    lock_when_sleeps: true,
    password: SecureRandom.base64
  )
end

error do |lane, exception|
  delete_keychain(name: 'syrmo_keychain')
end

after_all do |lane|
  delete_keychain(name: 'syrmo_keychain')
end

Is there a way to tell gym which keychain to use?

milch Feb 6, 2017

Member

@guidomb Which version of fastlane/gym are you using?

guidomb Feb 6, 2017

Contributor

@milch 2.14.2

hborders Mar 24, 2017

Sorry for invading this issue, but this seems to be the only recent discussion I can find about key-partition-lists.

Are there any special requirements for getting #6866 (comment) to work?

I'm trying to stop security prompts when signing for a certificate I'm importing outside of fastlane (because I have a separate secrets data store I have to use).

Basically, I import the key into the login keychain the normal way:

security import "${PEM_FILE}" -k ~/Library/Keychains/login.keychain -T /usr/bin/codesign -T /usr/bin/security

And then of course if I try to codesign something, I get prompted:

codesign --force --sign "${IDENTITY_HASH}" `mktemp`

So, I tried setting the key partition list, but I just get a big dump of my keychain, and no effect if I try to run codesign again.

security set-key-partition-list -S apple-tool:,apple: -k "${PASSWORD}" ~/Library/Keychains/login.keychain

hborders Mar 24, 2017

I figured out my problem. In my import command, I didn't supply a password. You must supply a password when importing or set-key-partition-list doesn't work. I outlined my problem on stackoverflow. Sorry again for the invasion. Thanks for a great product!
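
The fixes discussed in this thread, combined into one script as an added example (not fastlane's or Bitrise's code): a temporary keychain with a known password, an import that supplies the certificate password, and `set-key-partition-list` run only on Sierra or later. The function names, `DRY_RUN`, `KEYCHAIN_PASSWORD`, `P12_PASSWORD` and the file names are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the thread. All function and variable names
# here are hypothetical.

# Exit 0 for macOS 10.12 (Sierra) or later, 1 for older, 2 for bad input.
# Per the thread, set-key-partition-list fails on El Capitan.
sierra_or_later() {
  major=${1%%.*}
  case "$1" in *.*) rest=${1#*.}; minor=${rest%%.*} ;; *) minor=0 ;; esac
  case "$major" in ''|*[!0-9]*) return 2 ;; esac
  case "$minor" in ''|*[!0-9]*) return 2 ;; esac
  [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 12 ]; }
}

# Execute a command quietly (set-key-partition-list dumps the keychain
# items it touches), or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@" >/dev/null; fi
}

# Put keychain $1 first in the user search list so codesign can find it.
# `list-keychains -s` replaces the list, so existing entries are passed back.
add_to_search_list() {
  security list-keychains -d user | sed -e 's/^[[:space:]]*"//' -e 's/"$//' | {
    set -- "$1"
    while IFS= read -r k; do set -- "$@" "$k"; done
    security list-keychains -d user -s "$@"
  }
}

# setup_signing_keychain <macos-version> <keychain> <p12-file>
# Secrets are read from KEYCHAIN_PASSWORD and P12_PASSWORD. The security tool
# takes them as arguments, so use a throwaway keychain password on CI.
setup_signing_keychain() {
  ver=$1 kc=$2 p12=$3
  kpw=${KEYCHAIN_PASSWORD:-} ppw=${P12_PASSWORD:-}
  # From the thread: the partition list needs the keychain password, and an
  # import without a certificate password left the prompt in place.
  if [ -z "$kpw" ] || [ -z "$ppw" ]; then
    echo "KEYCHAIN_PASSWORD and P12_PASSWORD must both be set" >&2
    return 64
  fi
  if [ "${DRY_RUN:-0}" = 1 ]; then kpw='<keychain-password>'; ppw='<p12-password>'; fi

  run security create-keychain -p "$kpw" "$kc" || return 1
  run security set-keychain-settings -t 1200 -u "$kc" || return 1
  run security unlock-keychain -p "$kpw" "$kc" || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then
    run security list-keychains -d user -s "$kc" '<existing-keychains>'
  else
    add_to_search_list "$kc" || return 1
  fi
  # -T limits key use to the named tools; -A (used in the thread's import
  # command) allows any application to use the key without a prompt.
  run security import "$p12" -k "$kc" -P "$ppw" \
    -T /usr/bin/codesign -T /usr/bin/security || return 1
  # Sierra and later only, and only after the import.
  if sierra_or_later "$ver"; then
    run security set-key-partition-list -S apple-tool:,apple: -k "$kpw" "$kc" || return 1
  fi
}

# Remove the temporary keychain once the build is done.
teardown_signing_keychain() { run security delete-keychain "$1"; }

# Dry run with constructed values: prints the command sequence, executes nothing.
# On a build machine, pass "$(sw_vers -productVersion)" as the first argument.
( DRY_RUN=1 KEYCHAIN_PASSWORD=x P12_PASSWORD=y
  setup_signing_keychain 10.12.1 ci-signing.keychain dist.p12 )
```
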

@fastlane fastlane locked and limited conversation to collaborators Jun 22, 2017

@fastlane fastlane unlocked this conversation Apr 10, 2018

@fastlane fastlane locked and limited conversation to collaborators Jun 9, 2018
