CodeSign The specified item could not be found in the keychain

Question

interactor OP

Created Sep ’20

Replies 3

Boosts 0

Views 9k

Participants 3

I am trying to translate a working codesigning mechanism into our CI process.

I add the cert using the following.

Code Block sudo security add-trusted-cert -d -r trustRoot -k ~/Library/Keychains/login.keychain-db developerID_application.cer

But, when I check it, it is not recognized for codesigning.

Code Block $ security find-identity -p codesigning
Policy: Code Signing
  Matching identities
     0 identities found
  Valid identities only
     0 valid identities found

And subsequent codesign fails with

Code Block error: The specified item could not be found in the keychain.

Compared to what I am doing in the working mechanism on my desktop, only missing step seems to be signing to my developer account on xcode. But, not sure if that is the issue, or if so, not sure how you can do that from command line.

Boost

Answer 1

TyngJJ OP

Sep ’20

Looks like you're doing two different things.

Your command adds a certificate as "trusted", which usually isn't necessary unless it's self-signed.
In particular you're using the root user to modify the current user's keychain, which might have the effect of making it unreadable by that user
The file extension is cer which is not an identity.
An identity is a certificate and its private key together in one file, which is almost always encrypted with the extension p12.

0

Answer 2

interactor OP

Sep ’20

This is for CI process, and when I do this on a desktop, I am adding my developer cert manually. What I am trying to do is find a way to add the developer cert using a command line.

0

Answer 3

DTS Engineer OP

Apple

Sep ’20

What I am trying to do is find a way to add the developer cert using a
command line.

You seem to be mixing up certificate and digital identity. When you need to sign is code signing identity, that is, the combination of a certificate and a private key that matches the public key in the certificate. Your input to security is a .cer file, which is just a certificate. You would normally add an identity as a PKCS#12 which, as TyngJJ pointed out, typically has the extension .p12.

To import a digital identity from the command line you need to first export it from the original use as a PKCS#12. Keychain Access can do that. You can then import it on the target system using the import subcommand. See the security man page for details. Note that most of the arguments are optional, with import inferring the right values from the .p12 extension.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

0