Dear Apple folks,
we are trying to establish command-line based codesigning for a second user account on a machine where it already works for another user account.
User A is able to run the codesign tool like this:
/usr/bin/codesign --verbose \
--timestamp \
-o runtime \
--entitlements $BASEDIR/entitlements.plist \
--sign "Developer ID Application: OUR COMPANY" \
OUR_APP.app
With keychain, user A sees the following objects within the system area:
- A private key of OUR COMPANY
- The Developer ID Application certificate for OUR COMPANY
User A can run security find-identity -p codesigning and gets output with 1 matching and 1 valid identity.
This is fine so far. Not so for user B.
With Keychain Access, user B sees the same objects within the system area as user A on this same machine.
But security find-identity lists 0 identities, and codesign tells user B "The specified item could not be found in the keychain".
So: although the items are visible in Keychain Access, somehow the identity is not accessible for user B.
At this point we lack an understanding of how this is supposed to work. Can 2 users on one machine share one digital identity for codesigning? Or does user B need a second identity?
We then executed the steps in thread https://developer.apple.com/forums/thread/660871, meaning:
- we exported the digital identity, consisting of
  - the private key and
  - the Developer ID Application certificate,
  with user A to a p12 file using Keychain Access.
- we imported this p12 file with user B via the command
  security import IDENTITY_FILE.p12
After this, still the same behaviour: no identities are listed from security find-identity -p codesigning, and codesign still throws "The specified item could not be found in the keychain".
Any ideas?
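Added example, not part of the original post: a small POSIX shell script that (a) parses the output of security find-identity -p codesigning to count the identities in the "Valid identities only" section and pick out the hash of a named identity, and (b) shows how a .p12 is imported into a user's own login keychain so that codesign, and not only Keychain Access, is allowed to use the private key. The sample find-identity outputs, the identity hash, the "OUR COMPANY (TEAMID0000)" name and the file paths are constructed for illustration. The security import -T / -x flags, security list-keychains -d user -s and security set-key-partition-list are real macOS commands; the parsing functions run on any system, the import function only runs where the security tool exists.

```shell
#!/bin/sh
# Added example (not from the original post). Checks and imports a codesigning
# identity from the point of view of the *current* user's keychain search list.

# Constructed sample: what `security find-identity -p codesigning` prints for a
# user who can see and use the identity (hash and team ID are made up).
SAMPLE_USER_A=$(cat <<'EOF'
Policy: Code Signing
  Matching identities
  1) ABCDEF0123456789ABCDEF0123456789ABCDEF01 "Developer ID Application: OUR COMPANY (TEAMID0000)"
     1 identities found

  Valid identities only
  1) ABCDEF0123456789ABCDEF0123456789ABCDEF01 "Developer ID Application: OUR COMPANY (TEAMID0000)"
     1 valid identities found
EOF
)

# Constructed sample: the same command for a user whose search list does not
# contain a keychain holding both the certificate and its private key.
SAMPLE_USER_B=$(cat <<'EOF'
Policy: Code Signing
  Matching identities
     0 identities found

  Valid identities only
     0 valid identities found
EOF
)

# count_valid_identities TEXT
# Number of entries in the "Valid identities only" section; 0 if none.
count_valid_identities() {
  printf '%s\n' "$1" | awk '
    /Valid identities only/ { valid = 1; next }
    valid && /^ *[0-9]+\) [0-9A-F]+ "/ { n++ }
    END { print n + 0 }'
}

# first_valid_identity_hash TEXT NAME
# SHA-1 hash of the first valid identity whose display name contains NAME,
# i.e. the value you can pass to `codesign --sign` instead of the name.
first_valid_identity_hash() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /Valid identities only/ { valid = 1; next }
    valid && /^ *[0-9]+\) / && index($0, want) { print $2; exit }'
}

# import_identity_for_codesign P12_FILE P12_PASSWORD LOGIN_KEYCHAIN_PASSWORD
# Imports the identity into the calling user's login keychain and grants the
# command-line tools access to the private key (macOS only).
import_identity_for_codesign() {
  kc="$HOME/Library/Keychains/login.keychain-db"
  # Ensure this user's login keychain is actually in the search list;
  # find-identity only looks at keychains in the search list.
  security list-keychains -d user -s "$kc"
  security unlock-keychain -p "$3" "$kc"
  # -T: let codesign and security use the key without a GUI prompt.
  # -x: mark the private key non-extractable after import.
  security import "$1" -k "$kc" -P "$2" \
    -T /usr/bin/codesign -T /usr/bin/security -x
  # Since macOS 10.12 the key additionally needs these partition IDs, or the
  # command-line tools are refused access (or block on a password dialog).
  security set-key-partition-list -S apple-tool:,apple: -s -k "$3" "$kc" >/dev/null
}

# Stand-alone run: report on the constructed samples, and on the real
# keychain if the macOS security tool is available.
echo "user A valid identities: $(count_valid_identities "$SAMPLE_USER_A")"
echo "user B valid identities: $(count_valid_identities "$SAMPLE_USER_B")"
if command -v security >/dev/null 2>&1; then
  real=$(security find-identity -p codesigning 2>/dev/null)
  echo "this user's valid identities: $(count_valid_identities "$real")"
fi
```

The point of the import function is that visibility in Keychain Access is not the same as usability from the command line: the private key's access control list must name codesign, and the keychain that holds it must be in that user's search list. Passing the hash returned by first_valid_identity_hash to codesign --sign avoids ambiguity when several certificates share the "Developer ID Application" name.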