We're using the codesign command on macOS for a CI system:
codesign -v -f -s "identity" "file" --keychain "keychain_path"
The keychain is created on the fly and contains a private key and a certificate.
This used to work great, but starting with macOS Sierra (10.12), codesign no longer includes the custom keychain in its keychain search list when looking up the certificate (accessing the private key still works, though).
Manually adding the keychain to the search list helps (at least as a common user):
security list-keychains -s "previous_keychain_path" "custom_keychain_path"
(where the previous search list has been fetched with "security list-keychains" first)
But this command is ignored when running apache/httpd as a _www or daemon user.
- What kind of permission is required for _www to modify the keychain search list temporarily?
- Is there another way of making codesign support the --keychain option as it did before Sierra?
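The save/prepend/sign/restore sequence described in the question, written out as an added POSIX sh example (this is not code from the question, and it does nothing about the _www permission problem; it is the "common user" case). The function names, the placeholder keychain paths and the identity string are assumptions. It parses the quoted, indented output of "security list-keychains" so the existing search list survives the temporary change:

```shell
#!/bin/sh
# Added example (not from the original question). Assumptions: the function
# names below, the placeholder paths, and that `security`/`codesign` are the
# stock macOS tools; nothing else is invented.

# Turn the output of `security list-keychains` (indented, double-quoted
# paths, one per line) into bare paths, one per line. Constructed sample input:
#     "/Users/ci/Library/Keychains/login.keychain-db"
#     "/Library/Keychains/System.keychain"
parse_keychain_list() {
    sed -e 's/^[[:space:]]*//' -e 's/^"//' -e 's/"[[:space:]]*$//' -e '/^$/d'
}

# Emit the new search list for `security list-keychains -s`: the custom
# keychain first, followed by every keychain that was already listed (read
# from stdin in `security list-keychains` format), without duplicating it.
build_search_list() {
    custom=$1
    printf '%s\n' "$custom"
    parse_keychain_list | grep -F -x -v -- "$custom" || true
}

# Save the search list, prepend the CI keychain, sign, then restore the list
# even when codesign fails. Paths may contain spaces; only newlines separate.
sign_with_keychain() {
    keychain=$1; identity=$2; file=$3
    nl=$(printf '\nx'); nl=${nl%x}

    saved=$(security list-keychains | parse_keychain_list)
    new=$(printf '%s\n' "$saved" | build_search_list "$keychain")

    old_ifs=$IFS
    set -f; IFS=$nl
    set -- $new
    IFS=$old_ifs; set +f
    security list-keychains -s "$@"

    status=0
    codesign -f -s "$identity" --keychain "$keychain" "$file" || status=$?

    set -f; IFS=$nl
    set -- $saved
    IFS=$old_ifs; set +f
    security list-keychains -s "$@"
    return "$status"
}

# Usage: sign_with_keychain /path/to/ci.keychain-db "Developer ID" ./app
if [ "$#" -eq 3 ]; then
    sign_with_keychain "$@"
fi
```

The search-list edit is per user account, which is why the question's observation that it does not take effect for _www or daemon is not addressed here; the script only makes the "works as a common user" path repeatable and restores the original list afterwards.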