codesign repeatedly asks for access to System Keychain

I'm trying to migrate the scripts that build my application from an Intel Mac running Mojave (Xcode 10.3) to an M1 Mac running Big Sur (Xcode 12.5.1).

On the M1 Mac, codesign triggers a pop-up window asking for an admin username/password each time it signs something. This happens whether it is invoked via a script or directly in Terminal. The pop-up appears twice when signing a Universal binary, once when signing a single-architecture binary.

The popup says:

macOS wants to make changes. Enter an administrator's name and password to allow this.

macOS wants to use the "System" keychain.

and it has a "Deny" button and an "Allow" button, but not an "Always Allow" button. (Another issue: the username is not pre-populated, even though I am logged in as an admin.)

My "Developer ID Application" certificate is stored in my login keychain, as is the "Apple Worldwide Developer Relations Certification Authority" certificate, which expires 2030-02-19.

The "System" keychain contains an "Apple Application Integration Certification Authority" certificate expiring 2026-10-20. (Another issue: that certificate can't be deleted!)

Suggestions?

macOS wants to make changes. Enter an administrator's name and password to allow this. macOS wants to use the "System" keychain. and it has a "Deny" button and an "Allow" button, but not an "Always Allow" button.

Focusing on the user Keychain, does the "Always Allow" button present itself if the signing identities and certificate chain assets are moved into the user-level Keychain? And does this reproduce the issue if you run the codesign command while logged into your standard user session and not through a system daemon or service etc.?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thanks, Matt.

What exactly are the "certificate chain assets"? As far as I know, there is only my certificate and the "Apple Worldwide Developer Relations Certification Authority" certificate. They are both in the "login" keychain.

What is the "user-level Keychain"? Keychain Access shows two keychains under "Default Keychains": "login" and "iCloud", and two under "System keychains": "System" and "System Roots".

This happens when I run codesign when using Terminal while logged in as my normal user account, which is an administrator account.

I've given up and completely wiped the M1 Mac and will start over.

What exactly are the "certificate chain assets"? As far as I know, there is only my certificate and the "Apple Worldwide Developer Relations Certification Authority" certificate.

This was probably a poor choice of words on my part. A certificate chain in this case means everything from your Developer Signing certificate, to the Apple Worldwide Developer Relations Certification Authority Intermediate, to the Apple Root CA that issued the WWDR Intermediate. The reason my wording was poor is because you also need your signing key associated with Developer Signing Certificate to create your Developer Signing Identity. Without the key, you cannot code sign your app.

Regarding:

What is the "user-level Keychain"?

Any Keychain that your user session has access to. In this case, you mentioned the login Keychain, but it is common for users to create other user-level Keychains for their account.

Regarding:

This happens when I run codesign when using Terminal while logged in as my normal user account, which is an administrator account.

Thank you for the confirmation. Okay, check out the access control in the Keychain on the private key for your Developer ID signing identity. Is the codesign process allowed access to this key? If not, you could try allowing codesign access to your signing identity key to avoid some of these prompts.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hey Matt, I'm having the same problem.

Signing out of Xcode and back in with the free, local-only signing key doesn't help.

As for access control, I'm not allowed to edit the access control of the key.

I was having the same issue, and it didn't offer the "always allow" option, only "allow". The way I found to fix this was to find the certificate you are using to sign the app during the build process in Keychain Access, expand it to show the signing key, right click on the key and choose get info. Go to the access control tab, and you have one of two options:

  1. Choose "Allow all applications to access this item" (not secure)
  2. Choose "Confirm before allowing access" and add "codesign" and "Xcode" to the list of allowed applications. (You'll need to do a global search to find where codesign resides on your machine.)

After this, you will no longer get the repeated password prompt.


Thank you!!!

For me the issue was that the certificate was installed under "system", rather than "login". All I had to do was remove it from system, then open "login" and drag the certificate into Keychain.
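The two fixes given in this thread (grant codesign access to the signing key's access control list, and make sure the identity lives in the login keychain rather than System) can both be checked and applied from Terminal. The script below is an added example, not code posted by anyone in the thread or by Apple: it uses the standard macOS `security` tool, a constructed sample of `security find-certificate` output (with a placeholder team ID) for the parsing helpers, and assumes your identity's common name starts with "Developer ID Application". Moving a certificate between keychains is left to Keychain Access as described above.

```shell
#!/bin/sh
# Added example: Terminal equivalents of the keychain advice in this thread.
# Assumes macOS's `security` tool for the live checks; the parsing helpers run anywhere.

# Constructed sample of `security find-certificate -a -c NAME` output (TEAMID1234 is a
# placeholder). It shows the situation from the last reply: the identity is in System.
SAMPLE_FIND_CERT_OUTPUT='keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="Developer ID Application: Example Corp (TEAMID1234)"
keychain: "/Library/Keychains/System.keychain"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="Apple Worldwide Developer Relations Certification Authority"'

# Print each keychain path named in find-certificate output, once each, in order.
keychains_holding() {
    printf '%s\n' "$1" | sed -n 's/^keychain: "\(.*\)"$/\1/p' | awk '!seen[$0]++'
}

# Classify a keychain path: "system" is the one that raises the admin prompt,
# "login" is where the thread's final fix puts the certificate.
classify_keychain() {
    case "$1" in
        /Library/Keychains/System.keychain) echo system ;;
        */login.keychain|*/login.keychain-db) echo login ;;
        *) echo other ;;
    esac
}

# Report which keychain(s) hold an identity's certificate (needs macOS `security`).
diagnose_identity() {
    out=$(security find-certificate -a -c "$1" 2>/dev/null) || { echo "not found: $1"; return 1; }
    keychains_holding "$out" | while IFS= read -r kc; do
        printf '%s\t%s\n' "$(classify_keychain "$kc")" "$kc"
    done
}

# Terminal counterpart of editing the key's Access Control tab: let Apple's
# code-signing tools use the signing keys in a keychain without a per-use prompt,
# then list the identities that keychain can sign with.
# $1 = keychain path, $2 = that keychain's password (for login, your login password).
grant_codesign_access() {
    security unlock-keychain -p "$2" "$1" &&
    security set-key-partition-list -S apple-tool:,apple: -s -k "$2" "$1" >/dev/null &&
    security find-identity -v -p codesigning "$1"
}

# On a Mac, show where the Developer ID identity currently lives.
if command -v security >/dev/null 2>&1; then
    diagnose_identity "Developer ID Application"
fi
```

Run the script once to see whether the identity is reported as `system` or `login`; if it is in `login` and codesign still prompts, call `grant_codesign_access "$HOME/Library/Keychains/login.keychain-db" "$LOGIN_PASSWORD"` to grant the same access the Access Control tab does, without the "Allow all applications" setting.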
