I'm trying to move our iOS CI over to github actions but I'm running into some build issues . These issues (fastlane just hangs when gym runs) seem to arise when using match.
Here's the log that makes me think it's keychain related
WARN [2019-09-26 13:46:14.52]: Could not configure imported keychain item (certificate) to prevent UI permission popup when code signing
Check if you supplied the correct `keychain_password` for keychain: `/Users/runner/Library/Keychains/login.keychain-db`
security: SecKeychainItemSetAccessWithPassword: The user name or passphrase you entered is not correct.
The docs say sudo is passwordless so I assumed the same for keychain. I seem to be wrong but I can't find anything in the docs for it. Any help would be greatly appreciated.
EDIT
Lyndsey Ferguson's comment below is mostly the solution. They're approach of using create_keychain and then match I was able to just specify the keychain and it's password so I was able to avoid import_certificate
EDIT 2
Here's what I'm doing in fastlane to get around this
create_keychain(
name: "actiontest_keychain",
password: "meow",
default_keychain: true,
unlock: true,
timeout: 3600,
lock_when_sleeps: false
)
match(
type: "appstore",
readonly: is_ci,
keychain_name: "actiontest_keychain",
keychain_password: "meow"
)
Maybe it is a little late, but I think it is worth mentioning that there is a handy fastlane action setup_ci for this purpose:
Description
Setup the keychain and match to work with CI
Creates a new temporary keychain for use with match
Switches match to readonly mode to not create new profiles/cert on CI
Sets up log and test result paths to be easily collectible
Just add this to the top of your Fastfile or within a specific lane if you use CI.
Fastfile lane Example
lane :build_release do
setup_ci
sync_code_signing(
type: "appstore",
readonly: is_ci
)
build_app
end
Also make sure, your provisioning profiles and certificates within your match storage are up to date and you configured manual signing for release build. Otherwise match will maybe try to sign your app with wrong signing identities which will fail ;)
I can’t use Fastlane because I am trying to use the keychain to work with Java 14’s new jpackage tool in GitHub Actions to build and code sign a Java application native bundle, so I was excited to see Yakuhzi’s answer. It almost worked for me, but there were a couple of errors I had to sort out, which were very difficult because there were no error messages: my workflow just hung on the jpackage command, while I assume the build Mac virtual machine invisibly prompted for the keychain to be unlocked in the virtual frame buffer.
Here is the variation that worked for me. The first three steps were fine (I am passing my signing certificate and its decryption passphrase to the script as environment variables extracted from Github Action secrets, and use the same passphrase to create the build keychain):
security create-keychain -p "$IDENTITY_PASSPHRASE" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$IDENTITY_PASSPHRASE" build.keychain
But trying to run his fourth line at this point would fail with this error:
security: SecItemCopyMatching: The specified item could not be found in the keychain.
Eventually, I after studying the documentation for security set-key-partition-list I realized the first problem was that the -k argument requires the keychain password, which must have been actions in his case! So my next step was to fix line 4 to look like this:
security set-key-partition-list -S apple-tool:,apple: -s -k "$IDENTITY_PASSPHRASE" build.keychain
I was still getting the error though, so I studied the documentation some more, and experimented with the command on a spare Mac mini that didn’t have my signing identity in the login keychain. Eventually I discovered the command was trying to take an action on a signing key that did not yet exist in the keychain. So I moved my steps that import my signing key before that line, and it started to work. Here is the full section once it worked, and you can see the entire script on GitHub:
security create-keychain -p "$IDENTITY_PASSPHRASE" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$IDENTITY_PASSPHRASE" build.keychain
echo "$IDENTITY_P12_B64" > DS_ID_App.p12.txt
openssl base64 -d -in DS_ID_App.p12.txt -out DS_ID_App.p12
security import DS_ID_App.p12 -A -P "$IDENTITY_PASSPHRASE"
security set-key-partition-list -S apple-tool:,apple: -s -k "$IDENTITY_PASSPHRASE" build.keychain
This is an answer that can be accepted, but I would like to understand how the cert and private key get into the keychain.
Try this:
- name: Set up keychain
run: fastlane run create_keychain name:name_of_keychain password:chosen_password
That will create the keychain, and then when you want to use it, you can again provide the chosen_password however you have it. Probably a GITHUB_X env var?
You could try to create a new keychain and set it as default.
- name: Set up keychain
run: |
security create-keychain -p <password> build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p <password> build.keychain
security set-key-partition-list -S apple-tool:,apple: -s -k actions build.keychain
I need to create a build of my macOS app every day at midnight. I would like it to be code signed so people can use it without jumping through hoops. I am asleep at midnight, and I'm too busy to do this manually. I would like to run xcodebuild via launch agent and get a signed application while away from the keyboard. But code signing always fails.
It fails with errors like:
No signing certificate "Mac Development" found: No "Mac Development" signing certificate matching team ID "H7V7XYVQ7D" with a private key was found.
It doesn't fail when I'm watching, which means it must have something to do with the keychain locking itself. I flailed around trying to fix this a while ago with no luck:
https://github.com/gnachman/iTerm2/commit/f4082825f3dfa52db08d660ec4821ab6c5bca3f * c
https://github.com/gnachman/iTerm2/commit/4cc902449549995d90da1856068e0f56640d55d1
https://github.com/gnachman/iTerm2/commit/b84b5739fb2e0d3f89bade68467831891d31f79f
https://github.com/gnachman/iTerm2/commit/29817cbb00d755c247c7071cfac7a6580f7b13b1
https://github.com/gnachman/iTerm2/commit/3f33828b5740a764740c98801ff2d12b21d72e7b
https://github.com/gnachman/iTerm2/commit/f4082825f3dfa52db08d660ec4821ab6c5bca3fc
But nothing works. Is this even possible?
export tempKeychain=tempKeychain
export identity="iPhone Whatever: Bob Developer(132455334)"
# create new empty keychain
security create-keychain -p "${ADMIN_PASSWORD}" "${tempKeychain}"
# add keychain to user's keychain search list so they can access it
security list-keychains -d user -s "${tempKeychain}" $(security list-keychains -d user | tr -d '"')
# removing relock timeout on keychain
security set-keychain-settings "${tempKeychain}"
# import the certs
security import foo.p12 -k "${tempKeychain}" -P "${CERT_PASSWORD}" -T "/usr/bin/codesign"
# tell os it's ok to access this identity from command line with tools shipped by apple (suppress codesign modal UI)
security set-key-partition-list -S apple-tool:,apple: -s -k "$ADMIN_PASSWORD" -D "${identity}" -t private ${tempKeychain}
# set default keychain to temp keychain
security default-keychain -d user -s ${tempKeychain}
# unlock keychain
security unlock-keychain -p ${ADMIN_PASSWORD} ${tempKeychain}
# prove we added the code signing identity to the temp keychain
security find-identity -v -p codesigning
# do some codesign stuff
# clean up temp keychain we created
security delete-keychain ${tempKeychain}
have you considered having the launchd script use ssh -o to localhost to run the commands like a CI server (e.g Jenkins) would?
I'm trying to get an iOS archive build to work on Travis CI, after having setup certs and private keys for signing without issues. All goes well until the point where signing occurs, at which point the build gets stuck, until travis CI kills it after timeout:
...
/usr/bin/codesign --force --sign 15E2916907037CFB777FC5F494A6CA252EF0895C --preserve-metadata=identifier,entitlements "/Users/travis/build/RestComm/restcomm-ios-sdk/build/Build/Intermediates/ArchiveIntermediates/restcomm-olympus/InstallationBuildProductsLocation/Applications/restcomm-olympus.app/Frameworks/sofiasip.framework"
No output has been received in the last 10m0s, this potentially indicates a stalled build or something wrong with the build itself
At first I thought it was issue described here, so I added the -A flag in my 'security import ...' commands but to no avail.
Any hints?
Some more details:
I create a new keychain where I add Apple's cert, together with my development & distribution certs and private keys
I set that keychain as default and unlock it prior to any build action
Tried to use travis_wait to allow the codesign step to run for more than 10 minutes just in case, but still after 40 minutes it continued to be stuck. It's like it's waiting for some user input (in the UI maybe) that never arrives?
Thanks in advance,
Antonis
I solved same problem by following steps that is described here.
https://github.com/travis-ci/travis-ci/issues/6791#issuecomment-261215038
a) change argument for all your security imports to keychain from -T to -A
security import ./scripts/certs/dist.cer -k ~/Library/Keychains/ios-build.keychain -A
b) after all imports execute command set-key-partition-list
security set-key-partition-list -S apple-tool:,apple: -s -k <keychainPass> <keychainName>
I'm trying to get continuous integration set up, specifically for circleci with iOS. someone has done a great job of writing the details of this: http://mazyod.com/blog/2015/03/26/marry-circleci-to-hockey/
however, my xcodebuild always gets stuck, and it looks like it's waiting for codesign:
/usr/bin/codesign --force --sign...
the log shows that it has been running for over an hour. my guess is that... is this command waiting for an input or something?
if so, how do i force it to use the keychain i've created using the distribution cert/private key ?
here's what the script (add-keys.sh) looks like:
#!/bin/sh
security -v create-keychain -p $KEY_PASSWORD ios-build.keychain
security -v import ./utils/build_tools/custom_builds/apple.cer -k ~/Library/Keychains/ios-build.keychain -T /usr/bin/codesign
security -v import ./utils/build_tools/custom_builds/distribution.cer -k ~/Library/Keychains/ios-build.keychain -T /usr/bin/codesign
security -v import ./utils/build_tools/custom_builds/distribution_cert_private_key.p12 -k ~/Library/Keychains/ios-build.keychain -P $KEY_PASSWORD -T /usr/bin/codesign
security -v list-keychain -s ~/Library/Keychains/ios-build.keychain
security -v unlock-keychain -p $KEY_PASSWORD ~/Library/Keychains/ios-build.keychain
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp ./utils/build_tools/custom_builds/profile/* ~/Library/MobileDevice/Provisioning\ Profiles/
ls ~/Library/MobileDevice/Provisioning\ Profiles/
where i've stored $KEY_PASSWORD on circle ci's environment vars and is being recognized.
is it that this is causing a pop up prompt to allow user to use keychain or something? if so, am i just supposed to sudo everywhere? or how do i get rid of this?
did i not import the correct certificates or something? are they incorrectly named or something? i used the exact ones i use to build normally.
Perhaps it was re-locked after executing security unlock-keychain if your build process took a long time.
The default timeout is 300s. (You can check it with security show-keychain-info <your keychain path>.)
You can extend it like this:
# Extend the timeout to 600s
security set-keychain-settings -lut 600
FYI, it's described in man security like this:
set-keychain-settings [-hlu] [-t timeout] [keychain]
Set settings for keychain, or the default keychain if none is specified.
-l Lock keychain when the system sleeps.
-u Lock keychain after timeout interval.
-t timeout Specify timeout interval in seconds (omitting this option specifies "no timeout").
I had the same problem with Circle CI 2.0 and xcode >= 9.0.
Looks like problem in MacOS Sierra (and popup with credentials prompt).
You can fix it simply by using following command as build step:
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD circle.keychain
I've found solved issue in Circle CI discuss:
https://discuss.circleci.com/t/xcode-8-3-build-timing-out/11721/5
Good luck!
You have confused P12_PASSWORD and KEYCHAIN_PASSWORD!
Please see the original version: https://github.com/thorikawa/CircleCI-iOS-TestFlight-Sample/blob/master/scripts/add-key.sh
From there, you could see that create-keychain and unlock-keychain use KEYCHAIN_PASSWORD, import use P12_PASSWORD!
So you need store two password and use them correctly!
I'm trying to setup an automated build server for an iPhone application. I'd like to be able to have nightly adhoc beta builds so that testers can follow the development.
I've setted up xcode successfully xcode to perform adhoc builds and I can also launch the build from the command line:
xcodebuild -configuration AdHoc -sdk iphoneos2.2 clean build
The problem I'm having is that the following line doesn't work from a forked terminal (using nohup or screen) and failed with the following
CodeSign error: Code Signing Identity 'iPhone Distribution: XXXXX' does not match any code-signing certificate in your keychain. Once added to the keychain, touch a file or clean the project to continue.
I've checked my environment variables in my shell and in nohup or screen and didn't found a clue.
I guess my problem is that the forked terminal can't access to the keychain but I have no clue on how to allow it.
Thanks for your help
I had te error User interaction is not allowed and solved it by unlocking the keychain first
security unlock-keychain /Users/yannooo/Library/Keychains/login.keychain
I've also tried to put my certs in the System's keychain and it was working.
My final solution was to put all my iPhone related certs in a dedicated keychain named iPhone.keychain using the Keychain Access application
security list-keychains -s /Users/yannooo/Library/Keychains/iPhone.keychain
security unlock-keychain -p keychainpassword /Users/yannooo/Library/Keychains/iPhone.keychain
There are two (possibly three!) components to this. One is the keychain must be unlocked. Second, there is an access control list inside the keychain that tells which permissions are given to applications in the unlocked state. So even if you have the keychain successfully unlocked, if the ability to access the private key and sign with it isn't given to /usr/bin/codesign then you will still get this message. Finally, if you are on Mac OS Sierra, the default partition ID assigned to keys is incorrect in order to be compatible with the codesign binary.
The solution is as follows:
1) If you have access to the Keychain Access GUI, then you can manually grant every program or /usr/bin/codesign access by right clicking on your private key, selecting the "Access Control" tab and then selecting the "Allow all applications to access this item" radio or the list of "Always allow access by these applications" list.
2) If you are encountering this error, chances are you are trying to run codesign for a non-login user. In this case, you clearly don't have access to the "Keychain Access" GUI. For these cases, you verify the sign authorization missing for application <null>, which apparently means all applications, or specifically /usr/bin/codesign by using:
security dump-keychain -i login.keychain
However, you cannot add or modify access control attributes in interactive mode for some reason --only delete! You actually have to manually delete the key and re-add it to the keychain specifying the -T flag.
security import login.keychain -P "<password>" -T /usr/bin/codesign
Where -T specifies
-T Specify an application which may access the imported key (multiple -T options are allowed)
3) If you are on Mac OS Sierra, modify the partition ID to include the apple partition. Presumably, this is the namespace assigned to codesign because it was distributed by Apple.
security set-key-partition-list -S apple-tool:,apple: -k "<password>" login.keychain
NOTE: The apple-tool partition is inserted by the security tool, so the command above preserves that partition. For more information on this aspect, see: http://www.openradar.me/28524119
Another solution :
Open the Keychain Access
Right click on the private key
Select "Get Info"
Select "Access Control" tab
Click "Allow all applications to access this item"
Click "Save Changes"
Enter your password
Enjoy
Could you use security list-keychains -s ${HOME}/Library/Keychains/login.keychain inside the build process to explicitly add your login keychain to the search list? It seems like from the forked Terminal, the build process doesn't see your user keychain. That could make sense if the keychain search list is based on your current security session - a forked terminal session would leave the login session just as if you ssh over the loopback connection.
update for people running into similar issues with Jenkins:
If you set up your Mac to launch jenkins via LaunchDaemons, you need to make sure to add
<key>SessionCreate</key>
<true />
So the whole ci.plist would look like so:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>Jenkins</string>
<key>UserName</key>
<string>user</string>
<key>GroupName</key>
<string>staff</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/java</string>
<string>-Xmx512m</string>
<string>-jar</string>
<string>/path/to/jenkins/jenkins.war</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>EnvironmentVariables</key>
<dict>
<key>JENKINS_HOME</key>
<string>/path/to/jenkins/home</string>
</dict>
<key>SessionCreate</key>
<true />
</dict>
</plist>
I've been stuck wit the same issue as many people above have.
Specifically I experienced the issue when running from a Jenkins shell
script I got the same ** User interaction is not allowed ** error.
When running from an ssh shell, my script worked fine.
The difference that most people have also seen is that if you run
security list-keychain you'd get:
$ security list-keychain
"/Library/Keychains/System.keychain"
"/Library/Keychains/System.keychain"
But when running in the ssh shell, I'd get:
$ security list-keychain
"/Users/<i>user_account_name</i>/Library/Keychains/login.keychain"
"/Library/Keychains/System.keychain"
And most people will have all their keys/certs etc. in the user
account keychain. Like some folks suggested it's easy to make a new
key chain that is distinct from the user key chain, and reseve it for
your XCode signing stuff. I ended up putting mine here:
/Library/Keychains/sysiphone.keychain
I think the issue is that for my setup (and possibly for yours too),
you're running in a different security preference domain (system
vs. user). Finally -- here is how I got my sysiphone.keychain to show
up:
$ sudo security list-keychains -d system -s "/Library/Keychains/sysiphone.keychain"
Password: *****
$ security list-keychains -d system
"/Library/Keychains/sysiphone.keychain"
... and magically things started to build in Jenkins. Wow... that was
about 4 hours down the drain for me. Sigh.
Ok, the problem was two things for me, 1st was unlocking the keychain;
security unlock-keychain login.keychain
Second was (empty) passphrase,
security import blahblahbackup.p12 -k login.keychain -T /usr/bin/codesign -P ""
UPDATE:
A had a little problem later, when the script is triggered from a web script or sth. like that. It just sees /Library/Keychains/System.chain. So i found a dirty workaround (which may lead to security issues but ok for me);
setup pubkey ssh login (from user that wants to call build script, to actual user which has certificates and will run xcodebuild) in my case, it's same user. Apache is working as someuser and everything for build is setup on someuser.
and my php script (for triggering build) was calling ~/build-script. I've changed that like this:
ssh someuser#localhost ~/build-script
so it works in a real tty, and all keychain is accessible, everything works fine.
As another poster says,
security list-keychains -s "~/Library/Keychains/login.keychain"
But I think you only have access to the login.keychain when you are logged in, in the GUI context (I just tested on a system via SSH and screen, but which I also happen to be logged into via VNC).
It is apparently possible to use launchctl to select the GUI context and run the program, but I suspect that only works for the "logged in user" too.
If you try 'security show-keychain-info keychain-file' then you'll get the following error:
User interaction is not allowed
And that's a phrase to search with for some more info.
The other solution is to put the certificate into your System keychain!
I've looked at the security command an it appears that the keychains assigned to my terminal are not the same when forked. If I launched the security command in terminal I have:
$ security list-keychains
"/Users/yannooo/Library/Keychains/login.keychain"
"/Library/Keychains/System.keychain"
whereas when using screen I have the following output:
$ security list-keychains
"/Library/Keychains/System.keychain"
"/Library/Keychains/System.keychain"
Since my build certificates are stored in the login keychain, the code sign error I have looks normal.
Does anyone know how I could assign a keychain to a terminal? I've tried this without success
security login-keychain -s /Users/yannooo/Library/Keychains/login.keychain
Any ideas?
I am using Atlassian Bamboo 2.7 and OS X 10.7.3 Lion and I've tried every approach found in the thread but I was still getting the "user interaction not allowed" error.
The problem was that, in a remote terminal session (as "superuser" such as in the case of Bamboo or another automated build system), the keychain that needs to be unlocked containing the signing certificates are different from what you would normal see (such as was shown by Yann in here) when you are not superuser.
What ultimately worked for me was to do the following:
log in as System Administrator as described here
create the signing-only keychain (e.g., ios.keychain)
add the signing certificates to it (along with the WWDRCA certificate)
Verify it by going su and running security list-keychains on the terminal. You should see the ios.keychain among the list. (sudo security list-keychains won't show the same thing):
sh-3.2# security list-keychains
"/private/var/root/Library/Keychains/login.keychain"
"/Library/Keychains/ios.keychain"
"/Library/Keychains/System.keychain"
I've found that you still have to add ios.keychain to your search scope before doing the unlock-keychain command. In your build script, have the following lines run:
KEYCHAIN=/Library/Keychains/ios.keychain
# the -s option adds $KEYCHAIN to the search scope, while the -d option adds $KEYCHAIN to the system domain; both are needed
security -v list-keychains -d system -s $KEYCHAIN
security -v unlock-keychain -p bambooiphone $KEYCHAIN
Unlocking the login keychain did not work for me. Creating a separate keychain using Keychain Access (called iOS) and then adding these commands to the build did work (when running Jenkins as my own user):
security -v list-keychains -d system -s ~/Library/Keychains/iOS.keychain; security -v unlock-keychain -p password ~/Library/Keychains/iOS.keychain;
This looks more promising, though: https://wiki.jenkins-ci.org/display/JENKINS/Xcode+Plugin#XcodePlugin-Userinteractionisnotallowed
If you're running security list-keychains and seeing your custom keychain appear SOMEWHERE in the list but it still doesn't work, it could be that you're running into the issue I had whereby the keychains are checked in order from the search list, and since I wasn't unlocking login.keychain in my SSH session, it would fail there rather than move to the next keychain in the list, which was the custom one I wanted to unlock.
Setting the search list to a custom keychain which you unlock with security unlock-keychain works. Using this method from Yann's answer will also remove your login.keychain from the search list.
To preserve login.keychain:
security list-keychains -s ~/Library/Keychains/custom.keychain ~/Library/Keychains/login.keychain
This way, when using the GUI session at the machine you will still have access to login.keychain items, but code signing will check the custom keychain first, which succeeds if you've unlocked it.
If you're executing xcodebuild as root (which you are when you sudo), you need to log in as root and put your signing certificates in root's keychain. Then unlock the keychain with security as above.
I did:
delete login.keychain from list
create own keychain in $HOME/Library/Keychains/
add it to keychain list (I did not specify any specific domain)
set it as default
call security unlock-keychain on it
add global signing certificate (WWDRCA) to it
import private key and both Development and Distribution certificates to it
If there's login.keychain, I still get "User interaction not allowed" error.
Thus deleting login.keychain using security delete-keychain finally helped!