
We're using the codesign command on macOS for a CI system:

codesign -v -f -s "identity" "file" --keychain "keychain_path"

The keychain is created on the fly and contains a private key and a certificate.

This used to work great, but starting with macOS Sierra (10.12), codesign does not include the custom keychain in its keychain search list anymore when looking up the certificate (accessing the private key works though).

Manually adding the keychain to the search list helps (at least as a common user):

security list-keychains -s "previous_keychain_path" "custom_keychain_path"

(where the previous search list has been fetched with "security list-keychains" first)

But this command is ignored when running apache/httpd as a _www or daemon user.

  • What kind of permission is required for _www to modify the keychain search list temporarily?
  • Is there another way of making codesign support the --keychain option as it did before Sierra?
neatchuck
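The workaround from the question as a script, added here as an example and not the question author's code: it reads the current search list, prepends the CI keychain, runs codesign, and restores the previous list on exit even if signing fails. It assumes macOS `security` and `codesign`, the `security list-keychains` output format (one indented, double-quoted path per line), and the question's placeholder names; under a launchd daemon running as `_www` this only takes effect once the daemon has its own security session (see the answer below).

```shell
#!/bin/sh
# Added example: temporarily put a CI keychain into the keychain search list
# around a codesign call. Assumes macOS `security` and `codesign` exist.

strip_quotes() {
    # Convert `security list-keychains` output (assumed format: one indented,
    # double-quoted path per line) into bare paths, one per line.
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'
}

build_search_list() {
    # $1: keychain to put first; stdin: bare paths of the current list.
    # A keychain already in the list is moved to the front, not listed twice.
    new="$1"
    printf '%s\n' "$new"
    while IFS= read -r path; do
        if [ -n "$path" ] && [ "$path" != "$new" ]; then
            printf '%s\n' "$path"
        fi
    done
}

set_search_list() {
    # $1: newline-separated bare paths; becomes the new search list.
    # Split on newlines only so paths containing spaces stay intact.
    nl='
'
    old_ifs=$IFS; IFS=$nl
    # shellcheck disable=SC2086
    set -- $1
    IFS=$old_ifs
    security list-keychains -s "$@"
}

codesign_with_keychain() {
    # $1: identity, $2: file to sign, $3: custom keychain path
    # (placeholder names as in the question).
    original=$(security list-keychains | strip_quotes)
    # Restore the previous search list however this function exits.
    trap 'set_search_list "$original"' EXIT
    set_search_list "$(printf '%s\n' "$original" | build_search_list "$3")"
    codesign -v -f -s "$1" "$2" --keychain "$3"
}

# Usage: codesign_with_keychain "identity" "file" "keychain_path"
```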

1 Answer


I suppose your CI system is launched by LaunchDaemon.

You have to add

<key>SessionCreate</key>
<true/> 

to the LaunchDaemon <yourCIsystem>.plist file.

This modification allows the CI system to modify the keychain search list.

  • While this code may answer the question, providing additional context regarding how and/or why it solves the problem would improve the answer's long-term value.[Read this](https://stackoverflow.com/help/how-to-answer). – Shanteshwar Inde Jan 30 '19 at 07:35
  • Sorry, this is the best answer I can provide. I'm not a macOS expert. The problem is that very few or no answers are available about this topic. I think some answer is better than nothing. – Jiri Tulach Feb 04 '19 at 20:40
  • Thank you, this is great input! It's not solving the problem in the way I was thinking, but it's a very valuable hint. – neatchuck Jul 11 '19 at 19:56