OS X 3.2.1 CI "pending integration" - ios

Over the past few days, I've been working on getting CI working with an external mac mini running OS X Server. However, I have been having many problems with OS X Server 3.2.1 and XCode 6.1b3.
It looks like Apple fixed an issue in Xcode 6.1b3 which didn't put the correct provisioning profiles into Portal.keychain. However, my integrations aren't even running now.
After running a clean OS X build, XCode server won't integrate. I succesfully connected to the server and created a bot. If I visit "SERVER.local" on my development machine, I see the bot that I created.
Everything is set up properly (including the integrate immediately checkbox), however my integrations sit in the "pending" state. I checked the system.log, and nothing seems to be happening.
This could be completely unrelated, but every time I click on a pending integration, I receive this error in system.log:
NSFileCoordinator only handles URLs that use the file: scheme. This one does not:
x-code-xcsbot://XXX
I'm not sure if this is a new problem introduced in OS X server 3.2.1, or if it's just a set up issue. Apparently no one else has had this issue, couldn't find anything on Google/ SO.

This is still happening, but if you just want to nudge the server to wake up and run and aren't prepared to delete your x-code server configuration (provisioningProfiles, credentials and bots are deleted (as I recall)), simply run this terminal command
sudo -u _xcsbuildd /Applications/Xcode.app/Contents/Developer/usr/bin/xcsbuildd
Note that if you have multiple revs of Xcode in your Applications folder you may have named them differently, so the command may be slightly different. In my case, I've got a file named 'Xcode 6.1.1'. So the command would be
sudo -u _xcsbuildd /Applications/Xcode\ 6.1.1.app/Contents/Developer/usr/bin/xcsbuildd

This appears to happen when running XCode beta builds in OS X Server.
Note that this command will ❗️delete all your bots❗️
Run sudo xcrun xcscontrol --reset to reset.
https://devforums.apple.com/message/1051403#1051403

Here's a solution that may fix the problem without requiring to reset Xcode Server.
What's the problem?
First, check whether this answer applies by inspecting the xcsnginx.log log file:
sudo tail /Library/Developer/XcodeServer/Logs/xcsnginx.log
Search for the following line at the end of the log:
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/Library/Developer/XcodeServer/Certificates/xcsnginx.key") failed (SSL: error:0906A068:PEM routines:PEM_do_header:bad password read error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
I you don't see that entry in the log, I'm afraid this answer won't help you. If you do see that entry, you may continue.
Why does it happen?
Xcode Server internally runs an Nginx web server (on port 20543) named xcsnginx that acts as a proxy between some services. This server uses a TLS/SSL certificate to ensure communications remain secure. The involved files are the following:
xcsnginx.crt: contains the PEM certificate.
xcsnginx.key: contains the private key for the certificate.
xcsnginx.pass: contains the passphrase for the private key.
As far as I understand, the private key is stored unencrypted, which means the xcsnginx.pass should be empty (and seems to be reset every time Xcode Server starts).
However for some reason, as some point, the private key in xcsnginx.key was exported as an encrypted key. I've no idea how and why this could happen but it did happen on my server so I'll assume it may happen on your server too. The consequence is that xcsnginx cannot load the certificate and fails to launch.
You can verify that xcsnginx is not running by executing:
pgrep xcsnginx || echo "Not running"
How to fix it?
Rather than resetting Xcode Server from scratch, we can:
export the identity again from the xcsnginx.keychain keychain or
restore the previous certificate and key or
create a new certificate and key for xcsnginx.
So let's have a look at each option.
Option 1
Copies of the certificate and private key are stored in the xcsnginx.keychain keychain located in /Library/Developer/XcodeServer/Keychains. This keychain is protected by a passphrase stored in a file named XCSNginxKeychainSharedSecret in the /Library/Developer/XcodeServer/SharedSecrets folder.
If you're familiar with OS X keychains, you may retrieve the certificate and the key from the keychain.
However manipulating keychains using the command-line is a real nightmare so I'll let this as an exercise for the reader (or an editor).
Option 2
The /Library/Developer/XcodeServer/Certificates folder may contains a backup of your certificate and key. Let's find out:
sudo find /Library/Developer/XcodeServer/Certificates -name "*.original"
If you're lucky, you should get the following result:
/Library/Developer/XcodeServer/Certificates/xcsnginx.crt.original
/Library/Developer/XcodeServer/Certificates/xcsnginx.key.original
/Library/Developer/XcodeServer/Certificates/xcsnginx.pass.original
Which mean you can restore the original files:
sudo cp /Library/Developer/XcodeServer/Certificates/xcsnginx.crt.original /Library/Developer/XcodeServer/Certificates/xcsnginx.crt
sudo cp /Library/Developer/XcodeServer/Certificates/xcsnginx.key.original /Library/Developer/XcodeServer/Certificates/xcsnginx.key
sudo cp /Library/Developer/XcodeServer/Certificates/xcsnginx.pass.original /Library/Developer/XcodeServer/Certificates/xcsnginx.pass
Option 3
If you cannot restore the previous certificate and keychains, you may decide to just generate new ones like this:
sudo openssl req -new -x509 -newkey rsa:2048 -nodes -out /Library/Developer/XcodeServer/Certificates/xcsnginx.crt -keyout /Library/Developer/XcodeServer/Certificates/xcsnginx.key -subj /CN=your-server.example.com -days 1000 -batch
where your-server.example.com is replaced with the DNS address of your server. Ideally the certificate should be issued by the Xcode Server Root Certificate Authority but using a single-signed certificate doesn't seem to be a problem (as far as I now / for the moment / your mileage may vary).
Finally
Now we just have to wait until the system starts xcsnginx again. That should happen automatically after a minute or less. You can verify that xcsnginx did start with:
pgrep xcsnginx || echo "Not running"

You can use restart instead of reset from the command line to restart the server. This will terminate the bot you are running that has frozen up.
sudo xcrun xcscontrol --restart

I've run into this several times. I've done the xcrun xcscontrol --reset and it does work, but I'm getting tired of that. As my bots get more complicated with pre/post integration triggers I don't want to set them up again.
What worked for me this time was just going through all mostly recent integrations and deleting any canceled ones. Cancelling a bot run can leave it in an odd state.
After I deleted a bunch of integrations I restarted the machine the server is running on and my integrations start working again!
Hope that helps someone.

Related

Allow certain apps to access the keychain using command line

I am trying to automate a cert installation on a bunch of different Mac boxes so that I can build on any of them using Jenkins. I've seen that you can do an import:
sudo security import certName -P password
And you can also allow applications to use the keychain at installation time:
sudo security import certName -P password -T /usr/bin/codesign
But is there a way to modify existing installations from the command line so I don't have to reimport all the certs that I have imported already? Or is it okay to just reimport everything by running the second command on all the boxes, and it will just update the existing cert installation?
Basically, the overall problem I'd like to solve is to prevent the prompts asking for passwords every time I run a build that say "codesign would like to access the keychain", etc. And then I have to enter the password and click "Always Allow" to prevent it again. But every time I update the cert, I have to go through this process again.
Has anyone ever automated this entire process before? Installing the cert and allowing apps to access the keychain without prompting for a password.
I'd also be happy with allowing any applications to access the keychain without a password. I'm not sure if a flag like that even exists, but it would be a big help if this was possible.
It seems that these three lines were what I needed (answer found here: security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission):
security unlock-keychain -p password kaychainName.keychain
security set-keychain-settings keychainName.keychain
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k password keychainName.keychain

Unable to unlock the keychain

Building a new Jenkins for an iOS app CI story.
I created a keychain named build in KeyChainAccess to hold the dev certificate.
I set a password for the keychain.
On Jenkins, Manage Jenkins --> Keychains and Provisioning Profiles Management -> choose the build.keychain file and upload.
I filled in the password (the same as what I set earlier). I filled in the certificate (by copy the common name of the certificate info in KeyChain access).
I created a Jenkins job using the Keychain and Code Signing Identity, filled in the password.
But when I build the project by Jenkins, it throw the following error in Console Output:
[ProjectName] $ /usr/bin/security unlock-keychain -p ******** /Users/Shared/Jenkins/Home/jobs/JobName/workspace/build.keychain
security: SecKeychainUnlock /Users/Shared/Jenkins/Home/jobs/JobName/workspace/build.keychain: The user name or passphrase you entered is not correct.
FATAL: Unable to unlock the keychain.
I checked the password, I can unlock the build keychain in KeyChain Access using the password. I am not sure what username it asks for, Jenkins?
It's been a long time since you asked this question but I think it's worth it to answer it!
The output error The username or passphrase you entered is not correct. can be caused by several things but one of the common errors is a wrong keychain path.
To solve it the first thing you need to be sure is that your keychain was created and get its correct path. Run the following command in your console:
security list-keychains
The output should return all the keychains you have, something like this:
"/Users/jenkins/Library/Keychains/login.keychain-db"
"/Library/Keychains/System.keychain"
If your build keychain is not there something were wrong during its creation and you need to create it again. In case you keychain is the above list you need to copy the path where the keychain is located.
If for some reason the name of your keychain is duplicated in that list be sure to remove the duplicated keychains running the following command:
security list-keychains -s pathOfTheKeychainDuplicated
Then with the path and the password of the user with access to this keychain you can unlock it using the following command:
security unlock-keychain -p ****** /Users/jenkins/Library/Keychains/login.keychain-db
In the above command, the path should be the one of your build keychain
I hope this helps you.
In my Mac, got a similar issue for unlock keychain command command.
I have just quit the terminal(all tabs)
Quit the keychain
Reopened the keychain -> unlocked and locked the keychains couple of times manually.
Then I executed the command, it worked! Surprising..
One more hint, got this issue after upgrading macOS from Sierra to High Sierra.
I had a similar problem running unlock-keychain from jenkins after upgrading to Mojave.
It was caused by the default keychain being set incorrectly.
I used
security default-keychain -s <name> to change the default back to the jenkins user's login keychain.

Jenkins iOS build using credentials and developer profile

We are using Jenkins as our CI server for our iOS team with the following setup:
Master server on OSX, not running any job
2 slaves on OSX running our integration jobs + UI Testing
Currently all signing identities and provisioning profiles for the apps are uploaded each slave which makes the administration a tad tedious and adding a new node to the cluster even more painful.
To work around this we've looked into using the credentials plugin with Developer profiles and import the profile as the first build step on all iOS jobs but are faced with to main issues:
The import developer profile seems to work the first time (at least for creating the keychain entries) but the job fails with a "no matching provisioning profile" error, even if the developer profile contains all the provisioning profiles required by the target.
Second run on the same job always fail with a "Keychain already exist" error
We've tried some work arounds for the second issue adding a shell build step removing the particular keychain but are still faced with the first error. If we manually install the profile on the slave the build passes but this defeat the purpose of using the credentials plugin.
What do you guys think?
I think the newest version of the credentials plugin now first removes any existing keychains with a matching name before importing, as seen in the log output below.
$ security delete-keychain jenkins-MyAppsBuildName-iOS
$ security create-keychain -p ******** jenkins-MyAppsBuildName-iOS
$ security unlock-keychain -p ******** jenkins-MyAppsBuildName-iOS
Because of this fact, I don't think you will have an issue anymore with duplicate keychain errors on the second run.
As far as the issue relating to the provisioning profile not being found, add the following line inside the execute shell command and run a build on jenkins.
security list-keychains
Take a look at the console for that specific build and you should see a list of all the keychains that are currently in the scope of the shell.
If you do not see "jenkins-MyAppsBuildName-iOS" as a listed keychain, this is why you are having the signing issue. Because the keychain is not listed, it is never even being searched through to find the proper signing identity/profile.
Solution: Warning: it's hacky
I'm not 100% sure why this is happening, but from other threads it appears to be a permissions issue.
Luckily there is an easy way around this.
In the execute shell command add the following:
security list-keychain -s jenkins-${JOB_NAME}
This will reset the keychain list to include the keychain needed to successfully build the project.
To verify that this now lists the proper keychain, you can add the following lines to the shell command:
security list-keychain
security list-keychain -s jenkins-${JOB_NAME}
security list-keychain
Now compare the output of the first list-keychain command with the second list-keychain command in the console. Make sure that the jenkin's build keychain is listed after the second security list-keychain output.
Warning: This will permanently change the keychain list on the system, so it is probably a good idea to reset the keychain after the build completes. You can accomplish this by settings the default desired keychain values in the xcode configuration inside of Jenkin's System Configuration section. After doing so, make sure to tick the check box "Restore OS X keychains after build process as defined in global configuration" under build environment inside of the Jenkins job's page.
Additional info: In my example I set the keychain-list to only include the keychain generated from Jenkins, but you may decide to also include the standard system and login keychain's by modifying the line as such:
security list-keychain -s jenkins-${JOB_NAME} login.keychain System.keychain
Keywords: Jenkins, iOS, slave, node, Xcode, plugin, credentials, .developerprofile

Can I install an x64 driver with a test certificate WITHOUT disabling the driver signature?

I'm developing a virtual driver and QA needs to check out the x64 version on several Windows 7 machines. I have strictly followed the instructions on generating a certificate for test purposes, but I still have some problems. So, I've done the following steps:
Makecert -r -pe -n "CN=TestCertForWDK" -ss "TestCert" mccert.cer
I've added the following two lines in the installer to make auto certificate installation on the remote machines
certmgr.exe -add mccert.cer -s -r localMachine root
certmgr.exe -add mccert.cer -s -r localMachine trustedpublisher
And
Inf2cat.exe /driver:D:\Projects\MyDrv\package\ /os:7_X64
And finally
signtool sign /a /v /s "TestCert" /n "TestCertForWDK" mydrv.cat
signtool sign /a /v /s "TestCert" /n "TestCertForWDK" mydrv.sys
BTW, at first I've tried installing via devcon. It reported that "devcon succeeded", but the device in Device Manager was marked with yellow exclamation mark (not trusted signature).
Later, I've tried using hdwwiz - when I manually enter the path to driver (Have disk) - hdwwiz shows that driver has a signature and installation proceeds without any warnings. But after that, as I've already metioned, the device is not working because of invalid signature (yellow "!")
I have an account on Winqual, but the driver is still in development state, and I don't want to pay money for submission yet. Am I doing something wrong? Is it possible to install a x64 driver with my own makecert.exe-generated certificate and without disabling a driver signature on the end-user PC (this is not acceptable for me)?
Unfortunately, you need to have it cross signed by Microsoft as well. See here for more details.
Even if you want to use your own test certificate, you need to make changes using the BCDEdit tool.
bcdedit.exe {boot-entry-guid} testsigning on
This will allow your test certificate to be used. This is the only way to use a test certificate.

Running xcodebuild from a forked terminal

I'm trying to setup an automated build server for an iPhone application. I'd like to be able to have nightly adhoc beta builds so that testers can follow the development.
I've setted up xcode successfully xcode to perform adhoc builds and I can also launch the build from the command line:
xcodebuild -configuration AdHoc -sdk iphoneos2.2 clean build
The problem I'm having is that the following line doesn't work from a forked terminal (using nohup or screen) and failed with the following
CodeSign error: Code Signing Identity 'iPhone Distribution: XXXXX' does not match any code-signing certificate in your keychain. Once added to the keychain, touch a file or clean the project to continue.
I've checked my environment variables in my shell and in nohup or screen and didn't found a clue.
I guess my problem is that the forked terminal can't access to the keychain but I have no clue on how to allow it.
Thanks for your help
I had te error User interaction is not allowed and solved it by unlocking the keychain first
security unlock-keychain /Users/yannooo/Library/Keychains/login.keychain
I've also tried to put my certs in the System's keychain and it was working.
My final solution was to put all my iPhone related certs in a dedicated keychain named iPhone.keychain using the Keychain Access application
security list-keychains -s /Users/yannooo/Library/Keychains/iPhone.keychain
security unlock-keychain -p keychainpassword /Users/yannooo/Library/Keychains/iPhone.keychain
There are two (possibly three!) components to this. One is the keychain must be unlocked. Second, there is an access control list inside the keychain that tells which permissions are given to applications in the unlocked state. So even if you have the keychain successfully unlocked, if the ability to access the private key and sign with it isn't given to /usr/bin/codesign then you will still get this message. Finally, if you are on Mac OS Sierra, the default partition ID assigned to keys is incorrect in order to be compatible with the codesign binary.
The solution is as follows:
1) If you have access to the Keychain Access GUI, then you can manually grant every program or /usr/bin/codesign access by right clicking on your private key, selecting the "Access Control" tab and then selecting the "Allow all applications to access this item" radio or the list of "Always allow access by these applications" list.
2) If you are encountering this error, chances are you are trying to run codesign for a non-login user. In this case, you clearly don't have access to the "Keychain Access" GUI. For these cases, you verify the sign authorization missing for application <null>, which apparently means all applications, or specifically /usr/bin/codesign by using:
security dump-keychain -i login.keychain
However, you cannot add or modify access control attributes in interactive mode for some reason --only delete! You actually have to manually delete the key and re-add it to the keychain specifying the -T flag.
security import login.keychain -P "<password>" -T /usr/bin/codesign
Where -T specifies
-T Specify an application which may access the imported key (multiple -T options are allowed)
3) If you are on Mac OS Sierra, modify the partition ID to include the apple partition. Presumably, this is the namespace assigned to codesign because it was distributed by Apple.
security set-key-partition-list -S apple-tool:,apple: -k "<password>" login.keychain
NOTE: The apple-tool partition is inserted by the security tool, so the command above preserves that partition. For more information on this aspect, see: http://www.openradar.me/28524119
Another solution :
Open the Keychain Access
Right click on the private key
Select "Get Info"
Select "Access Control" tab
Click "Allow all applications to access this item"
Click "Save Changes"
Enter your password
Enjoy
Could you use security list-keychains -s ${HOME}/Library/Keychains/login.keychain inside the build process to explicitly add your login keychain to the search list? It seems like from the forked Terminal, the build process doesn't see your user keychain. That could make sense if the keychain search list is based on your current security session - a forked terminal session would leave the login session just as if you ssh over the loopback connection.
update for people running into similar issues with Jenkins:
If you set up your Mac to launch jenkins via LaunchDaemons, you need to make sure to add
<key>SessionCreate</key>
<true />
So the whole ci.plist would look like so:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>Jenkins</string>
<key>UserName</key>
<string>user</string>
<key>GroupName</key>
<string>staff</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/java</string>
<string>-Xmx512m</string>
<string>-jar</string>
<string>/path/to/jenkins/jenkins.war</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>EnvironmentVariables</key>
<dict>
<key>JENKINS_HOME</key>
<string>/path/to/jenkins/home</string>
</dict>
<key>SessionCreate</key>
<true />
</dict>
</plist>
I've been stuck wit the same issue as many people above have.
Specifically I experienced the issue when running from a Jenkins shell
script I got the same ** User interaction is not allowed ** error.
When running from an ssh shell, my script worked fine.
The difference that most people have also seen is that if you run
security list-keychain you'd get:
$ security list-keychain
"/Library/Keychains/System.keychain"
"/Library/Keychains/System.keychain"
But when running in the ssh shell, I'd get:
$ security list-keychain
"/Users/<i>user_account_name</i>/Library/Keychains/login.keychain"
"/Library/Keychains/System.keychain"
And most people will have all their keys/certs etc. in the user
account keychain. Like some folks suggested it's easy to make a new
key chain that is distinct from the user key chain, and reseve it for
your XCode signing stuff. I ended up putting mine here:
/Library/Keychains/sysiphone.keychain
I think the issue is that for my setup (and possibly for yours too),
you're running in a different security preference domain (system
vs. user). Finally -- here is how I got my sysiphone.keychain to show
up:
$ sudo security list-keychains -d system -s "/Library/Keychains/sysiphone.keychain"
Password: *****
$ security list-keychains -d system
"/Library/Keychains/sysiphone.keychain"
... and magically things started to build in Jenkins. Wow... that was
about 4 hours down the drain for me. Sigh.
Ok, the problem was two things for me, 1st was unlocking the keychain;
security unlock-keychain login.keychain
Second was (empty) passphrase,
security import blahblahbackup.p12 -k login.keychain -T /usr/bin/codesign -P ""
UPDATE:
A had a little problem later, when the script is triggered from a web script or sth. like that. It just sees /Library/Keychains/System.chain. So i found a dirty workaround (which may lead to security issues but ok for me);
setup pubkey ssh login (from user that wants to call build script, to actual user which has certificates and will run xcodebuild) in my case, it's same user. Apache is working as someuser and everything for build is setup on someuser.
and my php script (for triggering build) was calling ~/build-script. I've changed that like this:
ssh someuser#localhost ~/build-script
so it works in a real tty, and all keychain is accessible, everything works fine.
As another poster says,
security list-keychains -s "~/Library/Keychains/login.keychain"
But I think you only have access to the login.keychain when you are logged in, in the GUI context (I just tested on a system via SSH and screen, but which I also happen to be logged into via VNC).
It is apparently possible to use launchctl to select the GUI context and run the program, but I suspect that only works for the "logged in user" too.
If you try 'security show-keychain-info keychain-file' then you'll get the following error:
User interaction is not allowed
And that's a phrase to search with for some more info.
The other solution is to put the certificate into your System keychain!
I've looked at the security command an it appears that the keychains assigned to my terminal are not the same when forked. If I launched the security command in terminal I have:
$ security list-keychains
"/Users/yannooo/Library/Keychains/login.keychain"
"/Library/Keychains/System.keychain"
whereas when using screen I have the following output:
$ security list-keychains
"/Library/Keychains/System.keychain"
"/Library/Keychains/System.keychain"
Since my build certificates are stored in the login keychain, the code sign error I have looks normal.
Does anyone know how I could assign a keychain to a terminal? I've tried this without success
security login-keychain -s /Users/yannooo/Library/Keychains/login.keychain
Any ideas?
I am using Atlassian Bamboo 2.7 and OS X 10.7.3 Lion and I've tried every approach found in the thread but I was still getting the "user interaction not allowed" error.
The problem was that, in a remote terminal session (as "superuser" such as in the case of Bamboo or another automated build system), the keychain that needs to be unlocked containing the signing certificates are different from what you would normal see (such as was shown by Yann in here) when you are not superuser.
What ultimately worked for me was to do the following:
log in as System Administrator as described here
create the signing-only keychain (e.g., ios.keychain)
add the signing certificates to it (along with the WWDRCA certificate)
Verify it by going su and running security list-keychains on the terminal. You should see the ios.keychain among the list. (sudo security list-keychains won't show the same thing):
sh-3.2# security list-keychains
"/private/var/root/Library/Keychains/login.keychain"
"/Library/Keychains/ios.keychain"
"/Library/Keychains/System.keychain"
I've found that you still have to add ios.keychain to your search scope before doing the unlock-keychain command. In your build script, have the following lines run:
KEYCHAIN=/Library/Keychains/ios.keychain
# the -s option adds $KEYCHAIN to the search scope, while the -d option adds $KEYCHAIN to the system domain; both are needed
security -v list-keychains -d system -s $KEYCHAIN
security -v unlock-keychain -p bambooiphone $KEYCHAIN
Unlocking the login keychain did not work for me. Creating a separate keychain using Keychain Access (called iOS) and then adding these commands to the build did work (when running Jenkins as my own user):
security -v list-keychains -d system -s ~/Library/Keychains/iOS.keychain; security -v unlock-keychain -p password ~/Library/Keychains/iOS.keychain;
This looks more promising, though: https://wiki.jenkins-ci.org/display/JENKINS/Xcode+Plugin#XcodePlugin-Userinteractionisnotallowed
If you're running security list-keychains and seeing your custom keychain appear SOMEWHERE in the list but it still doesn't work, it could be that you're running into the issue I had whereby the keychains are checked in order from the search list, and since I wasn't unlocking login.keychain in my SSH session, it would fail there rather than move to the next keychain in the list, which was the custom one I wanted to unlock.
Setting the search list to a custom keychain which you unlock with security unlock-keychain works. Using this method from Yann's answer will also remove your login.keychain from the search list.
To preserve login.keychain:
security list-keychains -s ~/Library/Keychains/custom.keychain ~/Library/Keychains/login.keychain
This way, when using the GUI session at the machine you will still have access to login.keychain items, but code signing will check the custom keychain first, which succeeds if you've unlocked it.
If you're executing xcodebuild as root (which you are when you sudo), you need to log in as root and put your signing certificates in root's keychain. Then unlock the keychain with security as above.
I did:
delete login.keychain from list
create own keychain in $HOME/Library/Keychains/
add it to keychain list (I did not specify any specific domain)
set it as default
call security unlock-keychain on it
add global signing certificate (WWDRCA) to it
import private key and both Development and Distribution certificates to it
If there's login.keychain, I still get "User interaction not allowed" error.
Thus deleting login.keychain using security delete-keychain finally helped!

Resources