I'm trying to sign a build coming from a gitlab runner, but for some reason security find-identity is yielding no results during the pipeline.
Hitting the runner via SSH shows the results as I would expect, as well as VNCing into the runner and using the terminal.
whoami on all 3 shows the same result
My current attempt is to build the keychain on the fly so that I can ensure I have access to the identity, and it succeeds in building the keychain and importing the certs, but find-identity still shows zero results in the pipeline.
- security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
- security list-keychains -d user -s "$KEYCHAIN_PATH" "/Users/######/Library/Keychains/login.keychain-db" "/Library/Keychains/System.keychain"
- security set-keychain-settings "$KEYCHAIN_PATH"
- security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
- security import "$SIGNING_KEY_DECODED" -P "$P12_PASSWORD" -A -f pkcs12 -k $KEYCHAIN_PATH -T "/usr/bin/codesign"
- > # escape :
CERT_IDENTITY="##########"
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" -D "$CERT_IDENTITY" -t private "$KEYCHAIN_PATH"
- echo $(security find-identity)
The echo at the end returns the following:
Policy: X.509 Basic
Matching identities
0 identities found
Valid identities only
0 valid identities found
Running the same command via ssh/terminal over VNC after the build fails returns the following:
Policy: X.509 Basic
Matching identities
1) C6......A2 "iPhone Distribution: ###########"
1 identities found
Valid identities only
1) C6......A2 "iPhone Distribution: ###########"
1 valid identities found
Which suggests that the keychain creation and certificate import is working as expected.
I'm not ruling out the possibility of this being an issue on gitlab's end, but this has been working historically, and only really stopped working since we've updated to Sonoma (we're on 14.7.1 now). We have an active runner on Ventura 13.6.1 that's working still.