CodeSign on macOS @ CircleCI - Command is stuck

Hi!

I am trying to codesign a file inside a macOS executor on CircleCI. I am able to import the certificate into my new keychain, but when I execute the codesign command it gets stuck; it never returns. No output, nothing. I have to kill the command.

Does anyone have an idea? Thanks!

JF

security create-keychain -p default MyKeychain.keychain

echo "$APPLE_CERT_DEV_ID_APP_BASE64" | base64 -D -o DevIdApplication.p12

security import ./DevIdApplication.p12 -x -t agg -k MyKeychain.keychain -A -P "$APPLE_CERT_PASSWORD"

security default-keychain -d user -s MyKeychain.keychain
security unlock-keychain -p default MyKeychain.keychain
security set-keychain-settings MyKeychain.keychain

security find-identity -p codesigning

touch file
codesign --timestamp --options runtime -s "Developer ID Application: XXXXXXX inc. (XXXXXXXXXX)" -v file

<< the command hangs here and nothing happens >>

Replies

If you run sample against codesign, where is it stuck?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Here is the output:

Thanks. From the sample you can see that codesign has made an IPC request to securityd to sign some data and is then blocked waiting for the response. I suspect that the keychain item’s ACL has triggered a user authorisation request and securityd is waiting for the user to respond.

Do you have access to the GUI? Is there an authorization request sitting on screen?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I have been able to fix my issue. The following command did it:

security set-key-partition-list -S apple-tool:,apple: -s -k '' ~/Library/Keychains/MyKeychain.keychain

I found the command inside the fastlane code (which I am using for another project and which is working fine with code signing): https://github.com/fastlane/fastlane/blob/e874a47c6e2e0e61590a03d3b71e75e5a505d1ce/fastlane/spec/actions_specs/import_certificate_spec.rb#L72

It is also mentioned here: https://developer.apple.com/forums/thread/666107

For reference, my setup commands are now:

security create-keychain -p "" ~/Library/Keychains/MyKeychain.keychain
security default-keychain -s ~/Library/Keychains/MyKeychain.keychain
security unlock-keychain -p "" ~/Library/Keychains/MyKeychain.keychain
security set-keychain-settings -t 7200 -l ~/Library/Keychains/MyKeychain.keychain
security list-keychains -d user

echo "$APPLE_CERT_DEV_ID_APP_BASE64" | base64 -D -o DevIdApplication.p12

security import ./DevIdApplication.p12 -k ~/Library/Keychains/MyKeychain.keychain -P "$APPLE_CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/pkgbuild

security find-identity -p codesigning

security set-key-partition-list -S apple-tool:,apple: -s -k '' ~/Library/Keychains/MyKeychain.keychain
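
Added example, not part of the original posts: a shell watchdog for the hang diagnosed in this thread, so that a CI job fails with a hint instead of blocking forever when codesign waits on securityd. The names run_with_timeout, sign_or_fail, SIGN_TIMEOUT and SIGN_IDENTITY are assumptions of this example.

```bash
# Added example (not from the thread): a watchdog around codesign for CI.
# run_with_timeout, sign_or_fail, SIGN_TIMEOUT and SIGN_IDENTITY are
# hypothetical names chosen for this example.

# Run "$@" with a deadline in seconds. Returns the command's own exit status,
# or 124 if the deadline passed and the command had to be terminated.
# macOS has no timeout(1) by default, hence the background watchdog.
run_with_timeout() {
  local secs="$1" rc=0 cmd_pid dog_pid
  shift
  "$@" &
  cmd_pid=$!
  (
    # If the main shell cancels the watchdog, also stop its sleep.
    trap 'kill "$nap" 2>/dev/null; exit 0' TERM
    sleep "$secs" & nap=$!
    wait "$nap"
    kill -TERM "$cmd_pid" 2>/dev/null
  ) >/dev/null 2>&1 &
  dog_pid=$!
  wait "$cmd_pid" || rc=$?
  # The command is done: cancel the watchdog if it is still running.
  kill -TERM "$dog_pid" 2>/dev/null || true
  wait "$dog_pid" 2>/dev/null || true
  # 143 = 128 + SIGTERM, i.e. the watchdog fired.
  if [ "$rc" -eq 143 ]; then rc=124; fi
  return "$rc"
}

# Sign one file with the codesign flags used in the thread. On a timeout,
# report the cause diagnosed in the thread instead of leaving the job hanging.
sign_or_fail() {
  local identity="$1" file="$2" rc=0
  run_with_timeout "${SIGN_TIMEOUT:-120}" \
    codesign --timestamp --options runtime -s "$identity" -v "$file" || rc=$?
  if [ "$rc" -eq 124 ]; then
    echo "codesign timed out: securityd is probably waiting for a keychain" >&2
    echo "authorization prompt; check that set-key-partition-list was run." >&2
  fi
  return "$rc"
}

# Usage in a CI step, after the keychain setup commands:
#   sign_or_fail "$SIGN_IDENTITY" file
```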