Post

Replies

Boosts

Views

Activity

Keychain Access from SSH Session
I'm trying to set up (really update) a Jenkins build server and running into a problem during code signing. Specifically, the same script behaves differently on an x86 Mac running 12.4 and an Apple Silicon Mac also running 12.4. The primary symptom seems to be that the x86 Mac is creating a separate security session, while the Apple Silicon Mac is apparently using the default root session, this results in attempts to update the keychain list on failing on the Apple Silicon while succeeding on the x86. From ssh to the x86: dberry@amacosjenks02 mobile-sdk % zsh -x scripts/ios_keychain.sh +scripts/ios_keychain.sh:7> KEYCHAIN=/Users/jenkins/JenkinsBuild.keychain  +scripts/ios_keychain.sh:10> echo '========== before ==========' ========== before ========== +scripts/ios_keychain.sh:11> security list-keychains     "/Users/dberry/Library/Keychains/login.keychain-db"     "/Library/Keychains/System.keychain" +scripts/ios_keychain.sh:12> security list-keychains -s /Users/jenkins/JenkinsBuild.keychain login.keychain-db /Users/jenkins/JenkinsBuild.keychain +scripts/ios_keychain.sh:14> echo '========== after ===========' ========== after =========== +scripts/ios_keychain.sh:15> security list-keychains     "/Users/jenkins/JenkinsBuild.keychain"     "/Users/dberry/Library/Keychains/login.keychain-db"     "/Library/Keychains/System.keychain" +scripts/ios_keychain.sh:28> trap cleanup EXIT +scripts/ios_keychain.sh:29> cleanup +cleanup:1> security list-keychains -s login.keychain-db +cleanup:3> echo '========== cleanup ===========' ========== cleanup =========== +cleanup:4> security list-keychains     "/Users/dberry/Library/Keychains/login.keychain-db"     "/Library/Keychains/System.keychain" dberry@amacosjenks02 mobile-sdk % sw_vers ProductName: macOS ProductVersion: 12.4 BuildVersion: 21F79 dberry@amacosjenks02 mobile-sdk %  From ssh to the Apple Silicon: dberry@amacosjenks03 mobile-sdk % zsh -x scripts/ios_keychain.sh +scripts/ios_keychain.sh:7> KEYCHAIN=/Users/dberry/JenkinsBuild.keychain  +scripts/ios_keychain.sh:10> echo '========== before ==========' ========== before ========== +scripts/ios_keychain.sh:11> security list-keychains     "/Library/Keychains/System.keychain"     "/Library/Keychains/System.keychain" +scripts/ios_keychain.sh:12> security list-keychains -s /Users/dberry/JenkinsBuild.keychain login.keychain-db +scripts/ios_keychain.sh:14> echo '========== after ===========' ========== after =========== +scripts/ios_keychain.sh:15> security list-keychains     "/Library/Keychains/System.keychain"     "/Library/Keychains/System.keychain" +scripts/ios_keychain.sh:28> trap cleanup EXIT +scripts/ios_keychain.sh:29> cleanup +cleanup:1> security list-keychains -s login.keychain-db +cleanup:3> echo '========== cleanup ===========' ========== cleanup =========== +cleanup:4> security list-keychains     "/Library/Keychains/System.keychain"     "/Library/Keychains/System.keychain" dberry@amacosjenks03 mobile-sdk % sw_vers ProductName: macOS ProductVersion: 12.4 BuildVersion: 21F79 dberry@amacosjenks03 mobile-sdk %  Apparently something in the configuration of the two machines is different, but I'm not finding it. sshd_config and ssh_config are functionally identical, as are .ssh/config How can I cleanly get access to the keychain from an ssh session? Specifically I need to be able to add a keychain to the search list, unlock it, and use it for code signing. I understand the process for each of those steps (the unlock step is just removed from the above for sanity). The only problem seems to be the security context as reflected in the fact that none of the list-keychains -s have any effect on the arm, although they do on the x86 and the last of the login keychain on the arm.
2
0
1.2k
Oct ’22